packages/unzip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:675c835d46d1df2bf2aaab781ff2a6eee8744372
Branches Tags
packages:main
...
compare: packages:0a57bc82af2d12fb5be0be9b547888542d2f2e56
Branches Tags
packages:main

10 Commits
675c835d46 ... 0a57bc82af

Author SHA1 Message Date
openeuler-ci-bot
0a57bc82af
!42 add make check in spec 
From: @znzjugod 
Reviewed-by: @ziyangc 
Signed-off-by: @ziyangc
 2023-02-18 03:30:36 +00:00
znzjugod
cdd873b12f
update unzip.spec. 
Signed-off-by: znzjugod <zhangnan134@huawei.com>
 2023-02-16 11:28:59 +00:00
openeuler-ci-bot
5e60885a39
!33 [sync] PR-31: fix CVE-2021-4217 
From: @openeuler-sync-bot 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
 2022-09-06 07:12:08 +00:00
dongyuzhen
6efda96b62 fix CVE-2021-4217 
(cherry picked from commit b0df769e2aef6dac9215ca4100965b7708c1ce10)
 2022-09-06 14:32:37 +08:00
openeuler-ci-bot
5e6f3e7304
!21 [sync] PR-16: fix CVE-2022-0529 CVE-2022-0530 
From: @openeuler-sync-bot 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1
 2022-02-23 07:09:02 +00:00
weiwei_tiantian
49e8b5d2ac fix CVE-2022-0529 CVE-2022-0530 
(cherry picked from commit a7e5109b02395b1d79560fd373b2d2e6a7101e85)
 2022-02-23 11:35:51 +08:00
openeuler-ci-bot
0e1ffd4ef9 !3 delete garbled characters 
Merge pull request !3 from chengquan/developer
 2020-03-21 21:52:20 +08:00
chengquan
51aa31efa1 delete garbled characters 2020-03-21 17:09:38 +08:00
openeuler-ci-bot
8edd8bd0eb !2 fix cve 2019-13232 
Merge pull request !2 from wsp1991/unzip
 2020-03-03 10:05:48 +08:00
wsp1991
b2c29345c8 fix 2019-13232 2020-03-03 09:49:06 +08:00
9 changed files with 265 additions and 40 deletions
Show Stats Expand all files Collapse all files

1
CVE-2019-13232-fur1.patch
View File

@ -109,3 +109,4 @@ index dc9eff5..297b3c7 100644
+ directory record */
} ecdir_rec;

1
CVE-2019-13232-fur2.patch
View File

@ -335,3 +335,4 @@ index e8e9719..6594ee6 100644
-a convert text files. Ordinarily all files are extracted exactly
--
1.8.3.1

2
CVE-2019-13232-pre.patch
View File

@ -1,5 +1,7 @@
From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 27 May 2019 08:20:32 -0700
Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.

104
CVE-2022-0529.patch Normal file
View File

@ -0,0 +1,104 @@
From 8b40e8021a98728b5889516af308dd52378c964c Mon Sep 17 00:00:00 2001
From: Lv Ying <lvying6@huawei.com>
Date: Wed, 23 Feb 2022 09:32:21 +0800
Subject: [PATCH 2/2] fix CVE-2022-0529 Heap out-of-bound writes and reads
during conversion of wide string to local string
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2022-0529 discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2051402
CVE can be reproduced:
$ unset LANG
$ valgrind ./unzip ./unzip_03/testcase
valgrind will detect Heap out-of-bound writes and reads just as bugzilla discussed
This is because wide_to_escape_string returns a string that represents a wide char
not in local char set, is longer than MAX_ESCAPE_BYTES(8). Actually, MAX_ESCAPE_BYTES
max is 10, for example, 4-byte wide character '#L02020276' is 10 bytes long, not
including the terminating null character. So strcat(buffer, escape_string) will cause
Heap out-of-bound writes.
By default, the OS vendor sets the LANG environment variable. valgrind tests this POC
will get another memory error.
$ export | grep LANG
declare -x LANG="en_US.UTF-8"
$ valgrind ./unzip ./unzip_03/testcase
Archive: unzip_03/testcase
warning [unzip_03/testcase]: 303 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [unzip_03/testcase]: reported length of central directory is
-303 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
==15725== Conditional jump or move depends on uninitialised value(s)
==15725== at 0x4903169: __wcsnlen_sse4_1 (strlen.S:186)
==15725== by 0x48F3D61: wcsrtombs (wcsrtombs.c:104)
==15725== by 0x488B9A0: wcstombs (wcstombs.c:34)
==15725== by 0x407279: wcstombs (stdlib.h:154)
==15725== by 0x407279: fnfilter.constprop.2 (extract.c:2946)
==15725== by 0x4076A5: store_info (extract.c:1155)
==15725== by 0x40AFF4: extract_or_test_files (extract.c:782)
==15725== by 0x41586C: do_seekable (process.c:994)
==15725== by 0x4167EE: process_zipfiles (process.c:401)
==15725== by 0x40449B: unzip (unzip.c:1280)
==15725== by 0x4874B26: (below main) (libc-start.c:308)
==15725==
skipping: ??????????????????????????????????????????????????????????????????????????ı need PK compat. v4.6 (can do v4.5)
==15725==
==15725== HEAP SUMMARY:
==15725== in use at exit: 0 bytes in 0 blocks
==15725== total heap usage: 37 allocs, 37 frees, 90,739 bytes allocated
==15725==
==15725== All heap blocks were freed -- no leaks are possible
==15725==
==15725== For counts of detected and suppressed errors, rerun with: -v
==15725== Use --track-origins=yes to see where uninitialised values come from
==15725== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
This is because wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1) in fnfilter
use wrong n parameter which stands for At most n bytes are written to dest.
When LANG environment variable is set, MB_CUR_MAX = 6, so wcstombs will writes more
bytes over dest(newraw).
Signed-off-by: Lv Ying <lvying6@huawei.com>
---
extract.c | 4 ++--
process.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extract.c b/extract.c
index f0e8217..3f6e14d 100644
--- a/extract.c
+++ b/extract.c
@@ -2856,12 +2856,12 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */
if (wslen != (size_t)-1)
{
/* Apparently valid Unicode. Allocate wide-char storage. */
- wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t));
+ wstring = (wchar_t *)calloc((wslen + 1), sizeof(wchar_t));
if (wstring == NULL) {
strcpy( (char *)space, raw);
return (char *)space;
}
- wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t));
+ wostring = (wchar_t *)calloc(2 * (wslen + 1), sizeof(wchar_t));
if (wostring == NULL) {
free(wstring);
strcpy( (char *)space, raw);
diff --git a/process.c b/process.c
index 5cba073..3e7fcb3 100644
--- a/process.c
+++ b/process.c
@@ -2395,7 +2395,7 @@ char *local_to_utf8_string(local_string)
*/
/* set this to the max bytes an escape can be */
-#define MAX_ESCAPE_BYTES 8
+#define MAX_ESCAPE_BYTES 10
char *wide_to_escape_string(wide_char)
zwchar wide_char;
--
2.27.0

61
CVE-2022-0530.patch Normal file
View File

@ -0,0 +1,61 @@
From 4d9e8cd35d59f05f75cb2d8f05c6e4c9277dcf9c Mon Sep 17 00:00:00 2001
From: Zhipeng Xie <xiezhipeng1@huawei.com>
Date: Tue, 22 Feb 2022 21:04:25 +0000
Subject: [PATCH 1/2] Fix CVE-2022-0530
Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
---
fileio.c | 20 +++++++++++++-------
process.c | 2 ++
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/fileio.c b/fileio.c
index cf995a9..e237272 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2360,16 +2360,22 @@ int do_string(__G__ length, option) /* return PK-type error code */
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
- /* make sure filename is short enough */
- if (strlen(fn) >= FILNAMSIZ) {
- fn[FILNAMSIZ - 1] = '\0';
+ if (!fn) {
Info(slide, 0x401, ((char *)slide,
- LoadFarString(UFilenameTooLongTrunc)));
+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
error = PK_WARN;
+ } else {
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(UFilenameTooLongTrunc)));
+ error = PK_WARN;
+ }
+ /* replace filename with converted UTF-8 */
+ strcpy(G.filename, fn);
+ free(fn);
}
- /* replace filename with converted UTF-8 */
- strcpy(G.filename, fn);
- free(fn);
}
# endif /* UNICODE_WCHAR */
if (G.unipath_filename != G.filename_full)
diff --git a/process.c b/process.c
index 46abce2..5cba073 100644
--- a/process.c
+++ b/process.c
@@ -2597,6 +2597,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
int escape_all;
{
zwchar *wide = utf8_to_wide_string(utf8_string);
+ if (!wide)
+ return NULL;
char *loc = wide_to_local_string(wide, escape_all);
free(wide);
return loc;
--
2.27.0

39
backport-CVE-2021-4217.patch Normal file
View File

@ -0,0 +1,39 @@
From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
From: Nils Bars <nils.bars@t-online.de>
Date: Mon, 17 Jan 2022 16:53:16 +0000
Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
to read as many bytes as indicated by the extra field length attribute.
Furthermore, this fixes a null pointer dereference if an archive contains an
`EF_UNIPATH` extra field but does not have a filename set.
Reference:https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
Conflict: fileio.c file not change.
---
process.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/process.c b/process.c
index abe938b..f573ee4 100644
--- a/process.c
+++ b/process.c
@@ -2060,10 +2060,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
G.unipath_checksum = makelong(offset + ef_buf);
offset += 4;
+ if (!G.filename_full) {
+ /* Check if we have a unicode extra section but no filename set */
+ return PK_ERR;
+ }
+
/*
* Compute 32-bit crc
*/
-
chksum = crc32(chksum, (uch *)(G.filename_full),
strlen(G.filename_full));
--
2.33.0

2
unzip-6.0-alt-iconv-utf8.patch
View File

@ -174,7 +174,7 @@ Index: unzip-6.0/unzip.c
+#else /* UNIX */
+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+ -h print header line -t print totals for listed files or for all\n\
+ -z print zipfile comment %c-T%c print file times in sortable decimal format\
+ -z print zipfile comment -T print file times in sortable decimal format\
+\n %c-C%c be case-insensitive %s\
+ -x exclude filenames that follow from listing\n\
+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\

21
unzip.spec
View File

@ -1,6 +1,6 @@
Name: unzip
Version: 6.0
Release: 44
Release: 48
Summary: A utility for unpacking zip files
License: BSD
URL: http://www.info-zip.org/UnZip.html
@ -34,8 +34,10 @@ Patch6000: CVE-2018-18384.patch
Patch6001: CVE-2019-13232-pre.patch
Patch6002: CVE-2019-13232.patch
Patch6003: CVE-2019-13232-fur1.patch
Patch6004: backport-CVE-2021-4217.patch
Patch9000: CVE-2019-13232-fur2.patch
Patch9001: CVE-2022-0530.patch
Patch9002: CVE-2022-0529.patch
BuildRequires: bzip2-devel
@ -61,6 +63,9 @@ Package help includes man pages for unzip.
%install
%make_install -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_mandir}/man1 INSTALL="cp -p"
%check
make check -f unix/Makefile
%files
%license LICENSE COPYING.OLD
%doc README BUGS
@ -70,6 +75,18 @@ Package help includes man pages for unzip.
%{_mandir}/man1/*
%changelog
* Thu Feb 16 2023 zhangnan <zhangnan134@huawei.com> - 6.0-48
- add make check in spec
* Tue Sep 6 2022 dongyuzhen <dongyuzhen@h-partners.com> - 6.0-47
- fix CVE-2021-4217
* Wed Feb 23 2022 tianwei <tianwei@h-partners.com> - 6.0-46
- fix CVE-2022-0529 CVE-2022-0530
* Mon Mar 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.0-45
- delete garbled characters
* Mon Mar 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.0-44
- fix CVE-2019-13232