Bug 831190 (CVE-2022-0529, CVE-2022-0530) - <app-arch/unzip-6.0_p27: multiple vulnerabilities
Summary: <app-arch/unzip-6.0_p27: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-0529, CVE-2022-0530
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugs.launchpad.net/ubuntu/+so...
Whiteboard: A2 [glsa?]
Keywords:
Depends on: 867352
Blocks:
Reported: 2022-01-14 12:47 UTC by filip ambroz
Modified: 2022-12-26 08:36 UTC

See Also:
Package list:
Runtime testing required: ---


Description filip ambroz 2022-01-14 12:47:30 UTC
During extraction of the attached zip archive via
```
unzip $PWD/1ba59e08e410ce4bd897dd4ef3d0f59ca26b34f76de51d3b4382d72b8ae0d40d_SIGSEGV
```
a null pointer dereference is triggered and causes a SIGSEGV. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors.

The bug was discovered using unzip 6.0-25 (which I believe is an older version of the Debian package).

URL: https://seclists.org/oss-sec/2022/q1/39

Files needed for reproduction: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/+attachment/5553357/+files/attachment.zip

Reproducible: Didn't try
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-10 23:08:25 UTC
CVE-2022-0530 (https://bugzilla.redhat.com/show_bug.cgi?id=2051395):

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of a UTF-8 string to a local string that leads to a segmentation fault. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.

Red Hat has seemingly made this bug semi-public without publicizing details about a fix.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-10 23:09:21 UTC
CVE-2022-0529 (https://bugzilla.redhat.com/show_bug.cgi?id=2051402):

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bounds writes. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Comment 3 Larry the Git Cow gentoo-dev 2022-08-25 02:20:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff42a923fb9b8ce5af167cc3032420d4a666307

commit bff42a923fb9b8ce5af167cc3032420d4a666307
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-25 02:18:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-25 02:19:14 +0000

    app-arch/unzip: add 6.0_p27
    
    Contains patches for CVE-2022-0529, CVE-2022-0530 (bug 831190) and
    for a unicode issue which *might* be CVE-2021-4217 (bug 866386).
    
    Bug: https://bugs.gentoo.org/866386
    Bug: https://bugs.gentoo.org/831190
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p27.ebuild | 93 +++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 19:52:19 UTC
Please clean up
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 21:30:02 UTC
Deliberately not filing a GLSA yet as it's uncertain all of the outstanding vulnerabilities for this package are fixed.
Comment 6 Larry the Git Cow gentoo-dev 2022-12-26 08:35:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a73b8193b39630b9d17a4c66adde3dd0b7cefcd9

commit a73b8193b39630b9d17a4c66adde3dd0b7cefcd9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-26 08:15:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-26 08:32:53 +0000

    app-arch/unzip: drop 6.0_p26
    
    Bug: https://bugs.gentoo.org/831190
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/unzip/Manifest             |  1 -
 app-arch/unzip/unzip-6.0_p26.ebuild | 88 -------------------------------------
 2 files changed, 89 deletions(-)