https://nvd.nist.gov/vuln/detail/CVE-2022-0529
https://nvd.nist.gov/vuln/detail/CVE-2022-0530
https://sources.debian.org/src/unzip/6.0-27/debian/patches/28-cve-2022-0529-and-cve-2022-0530.patch/
From: Steven M. Schweda <sms@antinode.info>
Subject: Fix for CVE-2022-0529 and CVE-2022-0530
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27
--- a/fileio.c
+++ b/fileio.c
@@ -171,8 +171,10 @@
static ZCONST char Far FilenameTooLongTrunc[] =
"warning: filename too long--truncating.\n";
#ifdef UNICODE_SUPPORT
+ static ZCONST char Far UFilenameCorrupt[] =
+ "error: Unicode filename corrupt.\n";
static ZCONST char Far UFilenameTooLongTrunc[] =
- "warning: Converted unicode filename too long--truncating.\n";
+ "warning: Converted Unicode filename too long--truncating.\n";
#endif
static ZCONST char Far ExtraFieldTooLong[] =
"warning: extra field too long (%d). Ignoring...\n";
@@ -2361,16 +2363,30 @@
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
- /* make sure filename is short enough */
- if (strlen(fn) >= FILNAMSIZ) {
- fn[FILNAMSIZ - 1] = '\0';
+
+ /* 2022-07-22 SMS, et al. CVE-2022-0530
+ * Detect conversion failure, emit message.
+ * Continue with unconverted name.
+ */
+ if (fn == NULL)
+ {
Info(slide, 0x401, ((char *)slide,
- LoadFarString(UFilenameTooLongTrunc)));
- error = PK_WARN;
+ LoadFarString(UFilenameCorrupt)));
+ error = PK_ERR;
+ }
+ else
+ {
+ /* make sure filename is short enough */
+ if (strlen(fn) >= FILNAMSIZ) {
+ fn[FILNAMSIZ - 1] = '\0';
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(UFilenameTooLongTrunc)));
+ error = PK_WARN;
+ }
+ /* replace filename with converted UTF-8 */
+ strcpy(G.filename, fn);
+ free(fn);
}
- /* replace filename with converted UTF-8 */
- strcpy(G.filename, fn);
- free(fn);
}
# endif /* UNICODE_WCHAR */
if (G.unipath_filename != G.filename_full)
--- a/process.c
+++ b/process.c
@@ -222,6 +222,8 @@
"\nwarning: Unicode Path version > 1\n";
static ZCONST char Far UnicodeMismatchError[] =
"\nwarning: Unicode Path checksum invalid\n";
+ static ZCONST char Far UFilenameTooLongTrunc[] =
+ "warning: filename too long (P1) -- truncating.\n";
#endif
@@ -1915,7 +1917,7 @@
Sets both local header and central header fields. Not terribly clever,
but it means that this procedure is only called in one place.
- 2014-12-05 SMS.
+ 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141.
Added checks to ensure that enough data are available before calling
makeint64() or makelong(). Replaced various sizeof() values with
simple ("4" or "8") constants. (The Zip64 structures do not depend
@@ -1947,9 +1949,10 @@
ef_len - EB_HEADSIZE));
break;
}
+
if (eb_id == EF_PKSZ64)
{
- int offset = EB_HEADSIZE;
+ unsigned offset = EB_HEADSIZE;
if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
{
@@ -2046,7 +2049,7 @@
}
if (eb_id == EF_UNIPATH) {
- int offset = EB_HEADSIZE;
+ unsigned offset = EB_HEADSIZE;
ush ULen = eb_len - 5;
ulg chksum = CRCVAL_INITIAL;
@@ -2504,16 +2507,17 @@
int state_dependent;
int wsize = 0;
int max_bytes = MB_CUR_MAX;
- char buf[9];
+ char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */
char *buffer = NULL;
char *local_string = NULL;
+ size_t buffer_size; /* CVE-2022-0529 */
for (wsize = 0; wide_string[wsize]; wsize++) ;
if (max_bytes < MAX_ESCAPE_BYTES)
max_bytes = MAX_ESCAPE_BYTES;
-
- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+ buffer_size = wsize * max_bytes + 1; /* Reused below. */
+ if ((buffer = (char *)malloc( buffer_size)) == NULL) {
return NULL;
}
@@ -2551,8 +2555,28 @@
} else {
/* no MB for this wide */
/* use escape for wide character */
- char *escape_string = wide_to_escape_string(wide_string[i]);
- strcat(buffer, escape_string);
+ size_t buffer_len;
+ size_t escape_string_len;
+ char *escape_string;
+ int err_msg = 0;
+
+ escape_string = wide_to_escape_string(wide_string[i]);
+ buffer_len = strlen( buffer);
+ escape_string_len = strlen( escape_string);
+
+ /* Append escape string, as space allows. */
+ /* 2022-07-18 SMS, et al. CVE-2022-0529 */
+ if (escape_string_len > buffer_size- buffer_len- 1)
+ {
+ escape_string_len = buffer_size- buffer_len- 1;
+ if (err_msg == 0)
+ {
+ err_msg = 1;
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString( UFilenameTooLongTrunc)));
+ }
+ }
+ strncat( buffer, escape_string, escape_string_len);
free(escape_string);
}
}
@@ -2604,9 +2628,18 @@
ZCONST char *utf8_string;
int escape_all;
{
- zwchar *wide = utf8_to_wide_string(utf8_string);
- char *loc = wide_to_local_string(wide, escape_all);
- free(wide);
+ zwchar *wide;
+ char *loc = NULL;
+
+ wide = utf8_to_wide_string( utf8_string);
+
+ /* 2022-07-25 SMS, et al. CVE-2022-0530 */
+ if (wide != NULL)
+ {
+ loc = wide_to_local_string( wide, escape_all);
+ free( wide);
+ }
+
return loc;
}
