aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2022-08-08 19:13:07 +0300
committerEfraim Flashner <efraim@flashner.co.il>2022-08-08 19:21:45 +0300
commit5e009a88746bf3c20b29626a8671055c47a42bd0 (patch)
tree514012154dfb0cc5a7566abfa42979b284ed01ea
parentb8424f0cddd6be29a51b778790dd5a4ca10007c4 (diff)
downloadguix-5e009a88746bf3c20b29626a8671055c47a42bd0.tar.gz
guix-5e009a88746bf3c20b29626a8671055c47a42bd0.zip
gnu: unzip: Patch for CVE-2022-0529 and CVE-2022-0530.
* gnu/packages/compression.scm (unzip)[replacement]: New field. (unzip/fixed): New variable. * gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/compression.scm10
-rw-r--r--gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch177
3 files changed, 188 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index a837d16e34..ac40640658 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1900,6 +1900,7 @@ dist_patch_DATA = \
%D%/packages/patches/unzip-CVE-2014-9636.patch \
%D%/packages/patches/unzip-CVE-2015-7696.patch \
%D%/packages/patches/unzip-CVE-2015-7697.patch \
+ %D%/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch \
%D%/packages/patches/unzip-allow-greater-hostver-values.patch \
%D%/packages/patches/unzip-attribs-overflow.patch \
%D%/packages/patches/unzip-overflow-on-invalid-input.patch \
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index e5bc3813c5..6854bcafe4 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1768,6 +1768,7 @@ Compression ratios of 2:1 to 3:1 are common for text files.")
(package (inherit zip)
(name "unzip")
(version "6.0")
+ (replacement unzip/fixed)
(source
(origin
(method url-fetch)
@@ -1850,6 +1851,15 @@ recreates the stored directory structure by default.")
(license (license:non-copyleft "file://LICENSE"
"See LICENSE in the distribution."))))
+(define unzip/fixed
+ (package (inherit unzip)
+ (source
+ (origin
+ (inherit (package-source unzip))
+ (patches (append
+ (origin-patches (package-source unzip))
+ (search-patches "unzip-CVE-2022-0529+CVE-2022-0530.patch")))))))
+
(define-public ziptime
(let ((commit "2a5bc9dfbf7c6a80e5f7cb4dd05b4036741478bc")
(revision "0"))
diff --git a/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch b/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch
new file mode 100644
index 0000000000..e3fe2314ac
--- /dev/null
+++ b/gnu/packages/patches/unzip-CVE-2022-0529+CVE-2022-0530.patch
@@ -0,0 +1,177 @@
+https://nvd.nist.gov/vuln/detail/CVE-2022-0529
+https://nvd.nist.gov/vuln/detail/CVE-2022-0530
+https://sources.debian.org/src/unzip/6.0-27/debian/patches/28-cve-2022-0529-and-cve-2022-0530.patch/
+
+From: Steven M. Schweda <sms@antinode.info>
+Subject: Fix for CVE-2022-0529 and CVE-2022-0530
+Bug-Debian: https://bugs.debian.org/1010355
+X-Debian-version: 6.0-27
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -171,8 +171,10 @@
+ static ZCONST char Far FilenameTooLongTrunc[] =
+ "warning: filename too long--truncating.\n";
+ #ifdef UNICODE_SUPPORT
++ static ZCONST char Far UFilenameCorrupt[] =
++ "error: Unicode filename corrupt.\n";
+ static ZCONST char Far UFilenameTooLongTrunc[] =
+- "warning: Converted unicode filename too long--truncating.\n";
++ "warning: Converted Unicode filename too long--truncating.\n";
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
+@@ -2361,16 +2363,30 @@
+ /* convert UTF-8 to local character set */
+ fn = utf8_to_local_string(G.unipath_filename,
+ G.unicode_escape_all);
+- /* make sure filename is short enough */
+- if (strlen(fn) >= FILNAMSIZ) {
+- fn[FILNAMSIZ - 1] = '\0';
++
++ /* 2022-07-22 SMS, et al. CVE-2022-0530
++ * Detect conversion failure, emit message.
++ * Continue with unconverted name.
++ */
++ if (fn == NULL)
++ {
+ Info(slide, 0x401, ((char *)slide,
+- LoadFarString(UFilenameTooLongTrunc)));
+- error = PK_WARN;
++ LoadFarString(UFilenameCorrupt)));
++ error = PK_ERR;
++ }
++ else
++ {
++ /* make sure filename is short enough */
++ if (strlen(fn) >= FILNAMSIZ) {
++ fn[FILNAMSIZ - 1] = '\0';
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(UFilenameTooLongTrunc)));
++ error = PK_WARN;
++ }
++ /* replace filename with converted UTF-8 */
++ strcpy(G.filename, fn);
++ free(fn);
+ }
+- /* replace filename with converted UTF-8 */
+- strcpy(G.filename, fn);
+- free(fn);
+ }
+ # endif /* UNICODE_WCHAR */
+ if (G.unipath_filename != G.filename_full)
+--- a/process.c
++++ b/process.c
+@@ -222,6 +222,8 @@
+ "\nwarning: Unicode Path version > 1\n";
+ static ZCONST char Far UnicodeMismatchError[] =
+ "\nwarning: Unicode Path checksum invalid\n";
++ static ZCONST char Far UFilenameTooLongTrunc[] =
++ "warning: filename too long (P1) -- truncating.\n";
+ #endif
+
+
+@@ -1915,7 +1917,7 @@
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
+
+- 2014-12-05 SMS.
++ 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141.
+ Added checks to ensure that enough data are available before calling
+ makeint64() or makelong(). Replaced various sizeof() values with
+ simple ("4" or "8") constants. (The Zip64 structures do not depend
+@@ -1947,9 +1949,10 @@
+ ef_len - EB_HEADSIZE));
+ break;
+ }
++
+ if (eb_id == EF_PKSZ64)
+ {
+- int offset = EB_HEADSIZE;
++ unsigned offset = EB_HEADSIZE;
+
+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+ {
+@@ -2046,7 +2049,7 @@
+ }
+ if (eb_id == EF_UNIPATH) {
+
+- int offset = EB_HEADSIZE;
++ unsigned offset = EB_HEADSIZE;
+ ush ULen = eb_len - 5;
+ ulg chksum = CRCVAL_INITIAL;
+
+@@ -2504,16 +2507,17 @@
+ int state_dependent;
+ int wsize = 0;
+ int max_bytes = MB_CUR_MAX;
+- char buf[9];
++ char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */
+ char *buffer = NULL;
+ char *local_string = NULL;
++ size_t buffer_size; /* CVE-2022-0529 */
+
+ for (wsize = 0; wide_string[wsize]; wsize++) ;
+
+ if (max_bytes < MAX_ESCAPE_BYTES)
+ max_bytes = MAX_ESCAPE_BYTES;
+-
+- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++ buffer_size = wsize * max_bytes + 1; /* Reused below. */
++ if ((buffer = (char *)malloc( buffer_size)) == NULL) {
+ return NULL;
+ }
+
+@@ -2551,8 +2555,28 @@
+ } else {
+ /* no MB for this wide */
+ /* use escape for wide character */
+- char *escape_string = wide_to_escape_string(wide_string[i]);
+- strcat(buffer, escape_string);
++ size_t buffer_len;
++ size_t escape_string_len;
++ char *escape_string;
++ int err_msg = 0;
++
++ escape_string = wide_to_escape_string(wide_string[i]);
++ buffer_len = strlen( buffer);
++ escape_string_len = strlen( escape_string);
++
++ /* Append escape string, as space allows. */
++ /* 2022-07-18 SMS, et al. CVE-2022-0529 */
++ if (escape_string_len > buffer_size- buffer_len- 1)
++ {
++ escape_string_len = buffer_size- buffer_len- 1;
++ if (err_msg == 0)
++ {
++ err_msg = 1;
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( UFilenameTooLongTrunc)));
++ }
++ }
++ strncat( buffer, escape_string, escape_string_len);
+ free(escape_string);
+ }
+ }
+@@ -2604,9 +2628,18 @@
+ ZCONST char *utf8_string;
+ int escape_all;
+ {
+- zwchar *wide = utf8_to_wide_string(utf8_string);
+- char *loc = wide_to_local_string(wide, escape_all);
+- free(wide);
++ zwchar *wide;
++ char *loc = NULL;
++
++ wide = utf8_to_wide_string( utf8_string);
++
++ /* 2022-07-25 SMS, et al. CVE-2022-0530 */
++ if (wide != NULL)
++ {
++ loc = wide_to_local_string( wide, escape_all);
++ free( wide);
++ }
++
+ return loc;
+ }
+