rpm/unzip
SHA256
1
0
Fork 0
forked from pool/unzip
Code Pull Requests Activity

Accepting request 1005199 from home:dspinella:branches:Archiving

Browse Source 
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
  to a local string (CVE-2022-0530, bsc#1196177)
  * CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
  conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
  * CVE-2022-0529.patch

OBS-URL: https://build.opensuse.org/request/show/1005199
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=58
This commit is contained in:
Danilo Spinella 2022-09-21 12:52:47 +00:00 committed by Git OBS Bridge
parent dd23dcea8b
commit d7c16d7fbb
5 changed files with 83 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
CVE-2022-0529.patch Normal file
View File

@ -0,0 +1,37 @@
From: Enrico Zini <enrico@debian.org>
Subject: Fix wide string conversion
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27
--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@
char buf[9];
char *buffer = NULL;
char *local_string = NULL;
+ size_t buffer_size;
for (wsize = 0; wide_string[wsize]; wsize++) ;
if (max_bytes < MAX_ESCAPE_BYTES)
max_bytes = MAX_ESCAPE_BYTES;
- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+ buffer_size = wsize * max_bytes + 1;
+ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
return NULL;
}
@@ -2552,7 +2554,11 @@
/* no MB for this wide */
/* use escape for wide character */
char *escape_string = wide_to_escape_string(wide_string[i]);
- strcat(buffer, escape_string);
+ size_t buffer_len = strlen(buffer);
+ size_t escape_string_len = strlen(escape_string);
+ if (buffer_len + escape_string_len + 1 > buffer_size)
+ escape_string_len = buffer_size - buffer_len - 1;
+ strncat(buffer, escape_string, escape_string_len);
free(escape_string);
}
}

28
CVE-2022-0530.patch Normal file
View File

@ -0,0 +1,28 @@
From: Enrico Zini <enrico@debian.org>
Subject: Fix null pointer dereference on invalid UTF-8 input
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27
--- a/fileio.c
+++ b/fileio.c
@@ -2361,6 +2361,9 @@
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
+ if (fn == NULL)
+ return PK_ERR;
+
/* make sure filename is short enough */
if (strlen(fn) >= FILNAMSIZ) {
fn[FILNAMSIZ - 1] = '\0';
--- a/process.c
+++ b/process.c
@@ -2611,6 +2611,8 @@
int escape_all;
{
zwchar *wide = utf8_to_wide_string(utf8_string);
+ if (wide == NULL)
+ return NULL;
char *loc = wide_to_local_string(wide, escape_all);
free(wide);
return loc;

2
unzip-rcc.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package unzip-rcc # spec file for package unzip-rcc
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed

10
unzip.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Wed Sep 21 09:27:59 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
to a local string (CVE-2022-0530, bsc#1196177)
* CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
* CVE-2022-0529.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 9 11:30:06 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com> Thu Sep 9 11:30:06 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>

8
unzip.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package unzip # spec file for package unzip
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -61,6 +61,10 @@ Patch20: Fix-CVE-2014-9636-unzip-buffer-overflow.patch
Patch21: unzip60-total_disks_zero.patch Patch21: unzip60-total_disks_zero.patch
Patch22: unzip60-cfactorstr_overflow.patch Patch22: unzip60-cfactorstr_overflow.patch
Patch23: unzip-initialize-the-symlink-flag.patch Patch23: unzip-initialize-the-symlink-flag.patch
# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0530 bsc#1196177
Patch24: CVE-2022-0530.patch
# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0529 bsc#1196180
Patch25: CVE-2022-0529.patch
Requires(post): update-alternatives Requires(post): update-alternatives
Requires(postun):update-alternatives Requires(postun):update-alternatives
Recommends: %{_name}-doc Recommends: %{_name}-doc
@ -109,6 +113,8 @@ functionality. This version can also extract encrypted archives.
%patch21 -p1 %patch21 -p1
%patch22 -p1 %patch22 -p1
%patch23 -p1 %patch23 -p1
%patch24 -p1
%patch25 -p1
%build %build
export RPM_OPT_FLAGS="%{optflags} \ export RPM_OPT_FLAGS="%{optflags} \