From 5e009a88746bf3c20b29626a8671055c47a42bd0 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 8 Aug 2022 19:13:07 +0300 Subject: [PATCH] gnu: unzip: Patch for CVE-2022-0529 and CVE-2022-0530. * gnu/packages/compression.scm (unzip)[replacement]: New field. (unzip/fixed): New variable. * gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/compression.scm | 10 + .../unzip-CVE-2022-0529+CVE-2022-0530.patch | 177 ++++++++++++++++++ 3 files changed, 188 insertions(+) create mode 100644 gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch diff --git a/gnu/local.mk b/gnu/local.mk index a837d16e34..ac40640658 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1900,6 +1900,7 @@ dist_patch_DATA = \ %D%/packages/patches/unzip-CVE-2014-9636.patch \ %D%/packages/patches/unzip-CVE-2015-7696.patch \ %D%/packages/patches/unzip-CVE-2015-7697.patch \ + %D%/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch \ %D%/packages/patches/unzip-allow-greater-hostver-values.patch \ %D%/packages/patches/unzip-attribs-overflow.patch \ %D%/packages/patches/unzip-overflow-on-invalid-input.patch \ diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index e5bc3813c5..6854bcafe4 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -1768,6 +1768,7 @@ Compression ratios of 2:1 to 3:1 are common for text files.") (package (inherit zip) (name "unzip") (version "6.0") + (replacement unzip/fixed) (source (origin (method url-fetch) @@ -1850,6 +1851,15 @@ recreates the stored directory structure by default.") (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution.")))) +(define unzip/fixed + (package (inherit unzip) + (source + (origin + (inherit (package-source unzip)) + (patches (append + (origin-patches (package-source unzip)) + (search-patches "unzip-CVE-2022-0529+CVE-2022-0530.patch"))))))) + (define-public ziptime (let ((commit "2a5bc9dfbf7c6a80e5f7cb4dd05b4036741478bc") (revision "0")) diff --git a/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch b/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch new file mode 100644 index 0000000000..e3fe2314ac --- /dev/null +++ b/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch @@ -0,0 +1,177 @@ +https://nvd.nist.gov/vuln/detail/CVE-2022-0529 +https://nvd.nist.gov/vuln/detail/CVE-2022-0530 +https://sources.debian.org/src/unzip/6.0-27/debian/patches/28-cve-2022-0529-and-cve-2022-0530.patch/ + +From: Steven M. Schweda +Subject: Fix for CVE-2022-0529 and CVE-2022-0530 +Bug-Debian: https://bugs.debian.org/1010355 +X-Debian-version: 6.0-27 + +--- a/fileio.c ++++ b/fileio.c +@@ -171,8 +171,10 @@ + static ZCONST char Far FilenameTooLongTrunc[] = + "warning: filename too long--truncating.\n"; + #ifdef UNICODE_SUPPORT ++ static ZCONST char Far UFilenameCorrupt[] = ++ "error: Unicode filename corrupt.\n"; + static ZCONST char Far UFilenameTooLongTrunc[] = +- "warning: Converted unicode filename too long--truncating.\n"; ++ "warning: Converted Unicode filename too long--truncating.\n"; + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; +@@ -2361,16 +2363,30 @@ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); +- /* make sure filename is short enough */ +- if (strlen(fn) >= FILNAMSIZ) { +- fn[FILNAMSIZ - 1] = '\0'; ++ ++ /* 2022-07-22 SMS, et al. CVE-2022-0530 ++ * Detect conversion failure, emit message. ++ * Continue with unconverted name. ++ */ ++ if (fn == NULL) ++ { + Info(slide, 0x401, ((char *)slide, +- LoadFarString(UFilenameTooLongTrunc))); +- error = PK_WARN; ++ LoadFarString(UFilenameCorrupt))); ++ error = PK_ERR; ++ } ++ else ++ { ++ /* make sure filename is short enough */ ++ if (strlen(fn) >= FILNAMSIZ) { ++ fn[FILNAMSIZ - 1] = '\0'; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(UFilenameTooLongTrunc))); ++ error = PK_WARN; ++ } ++ /* replace filename with converted UTF-8 */ ++ strcpy(G.filename, fn); ++ free(fn); + } +- /* replace filename with converted UTF-8 */ +- strcpy(G.filename, fn); +- free(fn); + } + # endif /* UNICODE_WCHAR */ + if (G.unipath_filename != G.filename_full) +--- a/process.c ++++ b/process.c +@@ -222,6 +222,8 @@ + "\nwarning: Unicode Path version > 1\n"; + static ZCONST char Far UnicodeMismatchError[] = + "\nwarning: Unicode Path checksum invalid\n"; ++ static ZCONST char Far UFilenameTooLongTrunc[] = ++ "warning: filename too long (P1) -- truncating.\n"; + #endif + + +@@ -1915,7 +1917,7 @@ + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. + +- 2014-12-05 SMS. ++ 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141. + Added checks to ensure that enough data are available before calling + makeint64() or makelong(). Replaced various sizeof() values with + simple ("4" or "8") constants. (The Zip64 structures do not depend +@@ -1947,9 +1949,10 @@ + ef_len - EB_HEADSIZE)); + break; + } ++ + if (eb_id == EF_PKSZ64) + { +- int offset = EB_HEADSIZE; ++ unsigned offset = EB_HEADSIZE; + + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) + { +@@ -2046,7 +2049,7 @@ + } + if (eb_id == EF_UNIPATH) { + +- int offset = EB_HEADSIZE; ++ unsigned offset = EB_HEADSIZE; + ush ULen = eb_len - 5; + ulg chksum = CRCVAL_INITIAL; + +@@ -2504,16 +2507,17 @@ + int state_dependent; + int wsize = 0; + int max_bytes = MB_CUR_MAX; +- char buf[9]; ++ char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */ + char *buffer = NULL; + char *local_string = NULL; ++ size_t buffer_size; /* CVE-2022-0529 */ + + for (wsize = 0; wide_string[wsize]; wsize++) ; + + if (max_bytes < MAX_ESCAPE_BYTES) + max_bytes = MAX_ESCAPE_BYTES; +- +- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { ++ buffer_size = wsize * max_bytes + 1; /* Reused below. */ ++ if ((buffer = (char *)malloc( buffer_size)) == NULL) { + return NULL; + } + +@@ -2551,8 +2555,28 @@ + } else { + /* no MB for this wide */ + /* use escape for wide character */ +- char *escape_string = wide_to_escape_string(wide_string[i]); +- strcat(buffer, escape_string); ++ size_t buffer_len; ++ size_t escape_string_len; ++ char *escape_string; ++ int err_msg = 0; ++ ++ escape_string = wide_to_escape_string(wide_string[i]); ++ buffer_len = strlen( buffer); ++ escape_string_len = strlen( escape_string); ++ ++ /* Append escape string, as space allows. */ ++ /* 2022-07-18 SMS, et al. CVE-2022-0529 */ ++ if (escape_string_len > buffer_size- buffer_len- 1) ++ { ++ escape_string_len = buffer_size- buffer_len- 1; ++ if (err_msg == 0) ++ { ++ err_msg = 1; ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( UFilenameTooLongTrunc))); ++ } ++ } ++ strncat( buffer, escape_string, escape_string_len); + free(escape_string); + } + } +@@ -2604,9 +2628,18 @@ + ZCONST char *utf8_string; + int escape_all; + { +- zwchar *wide = utf8_to_wide_string(utf8_string); +- char *loc = wide_to_local_string(wide, escape_all); +- free(wide); ++ zwchar *wide; ++ char *loc = NULL; ++ ++ wide = utf8_to_wide_string( utf8_string); ++ ++ /* 2022-07-25 SMS, et al. CVE-2022-0530 */ ++ if (wide != NULL) ++ { ++ loc = wide_to_local_string( wide, escape_all); ++ free( wide); ++ } ++ + return loc; + } +