From d7c16d7fbba4127ad262afdbf85bb3af9c9eb0f93dac3851fcb8770a8cac9835 Mon Sep 17 00:00:00 2001
From: Danilo Spinella
Date: Wed, 21 Sep 2022 12:52:47 +0000
Subject: [PATCH] Accepting request 1005199 from home:dspinella:branches:Archiving

- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string to a local string (CVE-2022-0530, bsc#1196177)
* CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
* CVE-2022-0529.patch

OBS-URL: https://build.opensuse.org/request/show/1005199
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=58
---
CVE-2022-0529.patch | 37 +++++++++++++++++++++++++++++++++++++
CVE-2022-0530.patch | 28 ++++++++++++++++++++++++++++
unzip-rcc.spec | 2 +-
unzip.changes | 10 ++++++++++
unzip.spec | 8 +++++++-
5 files changed, 83 insertions(+), 2 deletions(-)
create mode 100644 CVE-2022-0529.patch
create mode 100644 CVE-2022-0530.patch

diff --git a/CVE-2022-0529.patch b/CVE-2022-0529.patch
new file mode 100644
index 0000000..13d107f
--- /dev/null
+++ b/CVE-2022-0529.patch
@@ -0,0 +1,37 @@
+From: Enrico Zini
+Subject: Fix wide string conversion
+Bug-Debian: https://bugs.debian.org/1010355
+X-Debian-version: 6.0-27
+
+--- a/process.c
++++ b/process.c
+@@ -2507,13 +2507,15 @@
+ char buf[9];
+ char *buffer = NULL;
+ char *local_string = NULL;
++ size_t buffer_size;
+
+ for (wsize = 0; wide_string[wsize]; wsize++) ;
+
+ if (max_bytes < MAX_ESCAPE_BYTES)
+ max_bytes = MAX_ESCAPE_BYTES;
+
+- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++ buffer_size = wsize * max_bytes + 1;
++ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
+ return NULL;
+ }
+
+@@ -2552,7 +2554,11 @@
+ /* no MB for this wide */
+ /* use escape for wide character */
+ char *escape_string = wide_to_escape_string(wide_string[i]);
+- strcat(buffer, escape_string);
++ size_t buffer_len = strlen(buffer);
++ size_t escape_string_len = strlen(escape_string);
++ if (buffer_len + escape_string_len + 1 > buffer_size)
++ escape_string_len = buffer_size - buffer_len - 1;
++ strncat(buffer, escape_string, escape_string_len);
+ free(escape_string);
+ }
+ }
diff --git a/CVE-2022-0530.patch b/CVE-2022-0530.patch
new file mode 100644
index 0000000..0167fb7
--- /dev/null
+++ b/CVE-2022-0530.patch
@@ -0,0 +1,28 @@
+From: Enrico Zini
+Subject: Fix null pointer dereference on invalid UTF-8 input
+Bug-Debian: https://bugs.debian.org/1010355
+X-Debian-version: 6.0-27
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -2361,6 +2361,9 @@
+ /* convert UTF-8 to local character set */
+ fn = utf8_to_local_string(G.unipath_filename,
+ G.unicode_escape_all);
++ if (fn == NULL)
++ return PK_ERR;
++
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+--- a/process.c
++++ b/process.c
+@@ -2611,6 +2611,8 @@
+ int escape_all;
+ {
+ zwchar *wide = utf8_to_wide_string(utf8_string);
++ if (wide == NULL)
++ return NULL;
+ char *loc = wide_to_local_string(wide, escape_all);
+ free(wide);
+ return loc;
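Review bot: The new bound in the second embedded process.c hunk truncates rather than fails: when `buffer_len + escape_string_len + 1 > buffer_size`, `escape_string_len` is shortened and `strncat` appends only part of the escape sequence, so the returned name can end in a partial escape that no longer decodes, and the caller is not told. Since this function already has a `return NULL` failure path (visible in the first embedded hunk) and the CVE-2022-0530 patch in this same commit teaches the fileio.c caller to handle NULL, failing closed looks preferable: `if (buffer_len + escape_string_len + 1 > buffer_size) { free(escape_string); free(buffer); return NULL; }`, releasing anything else the function holds at that point. If truncation is the intended policy, say so on the line, e.g. `/* bounded: escape bytes that do not fit are dropped instead of overflowing */`. The size computation `wsize * max_bytes + 1` is still unchecked for multiplication overflow; whether that matters depends on the types and ranges of `wsize` and `max_bytes`, which the hunk does not show. The enclosing function begins before and ends after both embedded hunks.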
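Review bot: In the embedded process.c hunk the new `if (wide == NULL) return NULL;` sits between the `zwchar *wide = …` and `char *loc = …` declarations, making `char *loc` a declaration after a statement; the function uses K&R-style parameter declarations (`int escape_all;` before the `{`), which suggests the file is kept C89-compatible, and a pedantic `-std=c89` build will warn on this. Declaring first keeps both the fix and the dialect: add `char *loc = NULL;` right after the `wide` declaration, keep `if (wide == NULL) return NULL;`, and change the third line to `loc = wide_to_local_string(wide, escape_all);`. In the embedded fileio.c hunk the early `return PK_ERR;` is sound for the visible lines, but the hunk does not show whether that function holds anything that must be released on this path, nor whether `utf8_to_local_string` has other callers that still assume a non-NULL result; both are worth confirming outside this patch. Both enclosing functions start outside the embedded hunks.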
diff --git a/unzip-rcc.spec b/unzip-rcc.spec
index 15b0241..985d4b2 100644
--- a/unzip-rcc.spec
+++ b/unzip-rcc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/unzip.changes b/unzip.changes
index de85f6a..9170b7b 100644
--- a/unzip.changes
+++ b/unzip.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Sep 21 09:27:59 UTC 2022 - Danilo Spinella
+
+- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
+ to a local string (CVE-2022-0530, bsc#1196177)
+ * CVE-2022-0530.patch
+- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
+ conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
+ * CVE-2022-0529.patch
+
 -------------------------------------------------------------------
 Thu Sep 9 11:30:06 UTC 2021 - John Paul Adrian Glaubitz
diff --git a/unzip.spec b/unzip.spec
index 52c95d1..2df414e 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -61,6 +61,10 @@ Patch20: Fix-CVE-2014-9636-unzip-buffer-overflow.patch
 Patch21: unzip60-total_disks_zero.patch
 Patch22: unzip60-cfactorstr_overflow.patch
 Patch23: unzip-initialize-the-symlink-flag.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0530 bsc#1196177
+Patch24: CVE-2022-0530.patch
+# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0529 bsc#1196180
+Patch25: CVE-2022-0529.patch
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
 Recommends: %{_name}-doc
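Review bot: The two new comment lines in the unzip.spec Patch-list hunk tag both patches `PATCH-FIX-UPSTREAM`, yet the patch files added by this same commit carry `Bug-Debian:` and `X-Debian-version: 6.0-27` headers, so their recorded origin is the Debian package rather than the unzip upstream. If the fixes have not been merged upstream (I cannot tell from here), the tag overstates their provenance; the openSUSE convention would be `PATCH-FIX-OPENSUSE`, or at least the comment should name the source, e.g. `# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0530 bsc#1196177 -- taken from Debian 6.0-27, https://bugs.debian.org/1010355`. Recording where a security patch came from matters for later rebases, when the maintainer needs to know whether a newer upstream already contains it. The `%patch24 -p1`/`%patch25 -p1` lines in the following hunk match these declarations.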
@@ -109,6 +113,8 @@ functionality. This version can also extract encrypted archives.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
+%patch25 -p1
 %build
 export RPM_OPT_FLAGS="%{optflags} \