fix CVE-2022-0529 CVE-2022-0530

(cherry picked from commit 7969d7aebd2f776e9fd363539e19faa57def8d24)
2022-02-23 11:14:07 +08:00 · 2022-02-23 11:14:07 +08:00 · 49e1391070
commit 49e1391070
parent 6fa96a8b6e
3 changed files with 171 additions and 1 deletions
--- a/CVE-2022-0529.patch
+++ b/CVE-2022-0529.patch
@ -0,0 +1,104 @@
+From 8b40e8021a98728b5889516af308dd52378c964c Mon Sep 17 00:00:00 2001
+From: Lv Ying <lvying6@huawei.com>
+Date: Wed, 23 Feb 2022 09:32:21 +0800
+Subject: [PATCH 2/2] fix CVE-2022-0529 Heap out-of-bound writes and reads
+ during conversion of wide string to local string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-0529 discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2051402
+CVE can be reproduced:
+$ unset LANG
+$ valgrind ./unzip ./unzip_03/testcase
+valgrind will detect Heap out-of-bound writes and reads just as bugzilla discussed
+
+This is because wide_to_escape_string returns a string that represents a wide char
+not in local char set, is longer than MAX_ESCAPE_BYTES(8). Actually, MAX_ESCAPE_BYTES
+max is 10, for example, 4-byte wide character '#L02020276' is 10 bytes long, not
+including the terminating null character. So strcat(buffer, escape_string) will cause
+Heap out-of-bound writes.
+
+By default, the OS vendor sets the LANG environment variable. valgrind tests this POC
+will get another memory error.
+$ export | grep LANG
+declare -x LANG="en_US.UTF-8"
+$ valgrind ./unzip ./unzip_03/testcase
+
+Archive:  unzip_03/testcase
+warning [unzip_03/testcase]:  303 extra bytes at beginning or within zipfile
+  (attempting to process anyway)
+error [unzip_03/testcase]:  reported length of central directory is
+  -303 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
+  zipfile?).  Compensating...
+==15725== Conditional jump or move depends on uninitialised value(s)
+==15725==    at 0x4903169: __wcsnlen_sse4_1 (strlen.S:186)
+==15725==    by 0x48F3D61: wcsrtombs (wcsrtombs.c:104)
+==15725==    by 0x488B9A0: wcstombs (wcstombs.c:34)
+==15725==    by 0x407279: wcstombs (stdlib.h:154)
+==15725==    by 0x407279: fnfilter.constprop.2 (extract.c:2946)
+==15725==    by 0x4076A5: store_info (extract.c:1155)
+==15725==    by 0x40AFF4: extract_or_test_files (extract.c:782)
+==15725==    by 0x41586C: do_seekable (process.c:994)
+==15725==    by 0x4167EE: process_zipfiles (process.c:401)
+==15725==    by 0x40449B: unzip (unzip.c:1280)
+==15725==    by 0x4874B26: (below main) (libc-start.c:308)
+==15725==
+   skipping: ??????????????????????????????????????????????????????????????????????????ı  need PK compat. v4.6 (can do v4.5)
+==15725==
+==15725== HEAP SUMMARY:
+==15725==     in use at exit: 0 bytes in 0 blocks
+==15725==   total heap usage: 37 allocs, 37 frees, 90,739 bytes allocated
+==15725==
+==15725== All heap blocks were freed -- no leaks are possible
+==15725==
+==15725== For counts of detected and suppressed errors, rerun with: -v
+==15725== Use --track-origins=yes to see where uninitialised values come from
+==15725== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+
+This is because wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1) in fnfilter
+use wrong n parameter which stands for At most n bytes are written to dest.
+When LANG environment variable is set, MB_CUR_MAX = 6, so wcstombs will writes more
+bytes over dest(newraw).
+
+Signed-off-by: Lv Ying <lvying6@huawei.com>
+---
+ extract.c | 4 ++--
+ process.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index f0e8217..3f6e14d 100644
+--- a/extract.c
+++ b/extract.c
+@@ -2856,12 +2856,12 @@ char *fnfilter(raw, space, size)   /* convert name to safely printable form */
+     if (wslen != (size_t)-1)
+     {
+         /* Apparently valid Unicode.  Allocate wide-char storage. */
+-        wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t));
+        wstring = (wchar_t *)calloc((wslen + 1), sizeof(wchar_t));
+         if (wstring == NULL) {
+             strcpy( (char *)space, raw);
+             return (char *)space;
+         }
+-        wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t));
+        wostring = (wchar_t *)calloc(2 * (wslen + 1), sizeof(wchar_t));
+         if (wostring == NULL) {
+             free(wstring);
+             strcpy( (char *)space, raw);
+diff --git a/process.c b/process.c
+index 5cba073..3e7fcb3 100644
+--- a/process.c
+++ b/process.c
+@@ -2395,7 +2395,7 @@ char *local_to_utf8_string(local_string)
+   */
+ 
+  /* set this to the max bytes an escape can be */
+-#define MAX_ESCAPE_BYTES 8
+#define MAX_ESCAPE_BYTES 10
+ 
+ char *wide_to_escape_string(wide_char)
+   zwchar wide_char;
+-- 
+2.27.0
+
--- a/CVE-2022-0530.patch
+++ b/CVE-2022-0530.patch
@ -0,0 +1,61 @@
+From 4d9e8cd35d59f05f75cb2d8f05c6e4c9277dcf9c Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 22 Feb 2022 21:04:25 +0000
+Subject: [PATCH 1/2] Fix CVE-2022-0530
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ fileio.c  | 20 +++++++++++++-------
+ process.c |  2 ++
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index cf995a9..e237272 100644
+--- a/fileio.c
+++ b/fileio.c
+@@ -2360,16 +2360,22 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+-                  /* make sure filename is short enough */
+-                  if (strlen(fn) >= FILNAMSIZ) {
+-                    fn[FILNAMSIZ - 1] = '\0';
+                  if (!fn) {
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(UFilenameTooLongTrunc)));
+                      LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+                     error = PK_WARN;
+                  } else {
+                    /* make sure filename is short enough */
+                    if (strlen(fn) >= FILNAMSIZ) {
+                      fn[FILNAMSIZ - 1] = '\0';
+                      Info(slide, 0x401, ((char *)slide,
+                        LoadFarString(UFilenameTooLongTrunc)));
+                      error = PK_WARN;
+                    }
+                    /* replace filename with converted UTF-8 */
+                    strcpy(G.filename, fn);
+                    free(fn);
+                   }
+-                  /* replace filename with converted UTF-8 */
+-                  strcpy(G.filename, fn);
+-                  free(fn);
+                 }
+ # endif /* UNICODE_WCHAR */
+                 if (G.unipath_filename != G.filename_full)
+diff --git a/process.c b/process.c
+index 46abce2..5cba073 100644
+--- a/process.c
+++ b/process.c
+@@ -2597,6 +2597,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   int escape_all;
+ {
+   zwchar *wide = utf8_to_wide_string(utf8_string);
+  if (!wide)
+    return NULL;
+   char *loc = wide_to_local_string(wide, escape_all);
+   free(wide);
+   return loc;
+-- 
+2.27.0
+
--- a/unzip.spec
+++ b/unzip.spec
@ -1,6 +1,6 @@
 Name:           unzip
 Version:        6.0
-Release:        47
+Release:        48
 Summary:        A utility for unpacking zip files
 License:        Info-ZIP,Public Domain
 URL:            http://www.info-zip.org/UnZip.html
@ -35,6 +35,8 @@ Patch6001:      CVE-2019-13232-pre.patch
 Patch6002:      CVE-2019-13232.patch
 Patch6003:      CVE-2019-13232-fur1.patch
 Patch9000:      CVE-2019-13232-fur2.patch
+Patch9001:      CVE-2022-0530.patch
+Patch9002:      CVE-2022-0529.patch

 BuildRequires:  bzip2-devel gcc

@ -69,6 +71,9 @@ Package help includes man pages for unzip.
 %{_mandir}/man1/*

 %changelog
+* Wed Feb 23 2022 tianwei <tianwei@h-partners.com> - 6.0-48
+- fix CVE-2022-0529 CVE-2022-0530
+
 * Thu Jun 10 2021 shixuantong <shixuantong@huawei.com> - 6.0-47
 - add gcc to BuildRequires and revert unzip-6.0-crc-builtin.patch