During extraction of the attached zip archive via

```
unzip $PWD/1ba59e08e410ce4bd897dd4ef3d0f59ca26b34f76de51d3b4382d72b8ae0d40d_SIGSEGV
```

a null pointer dereference is triggered and causes a SIGSEGV. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors. Bug was discovered using unzip 6.0-25 (which I believe is an older version of the Debian package).

URL: https://seclists.org/oss-sec/2022/q1/39
Files needed for reproduction: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/+attachment/5553357/+files/attachment.zip

Reproducible: Didn't try
CVE-2022-0530 (https://bugzilla.redhat.com/show_bug.cgi?id=2051395): A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of a UTF-8 string to a local string that leads to a segmentation fault. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. Red Hat has seemingly made this bug semi-public without publicizing details about a fix.
CVE-2022-0529 (https://bugzilla.redhat.com/show_bug.cgi?id=2051402): A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of wide string to local string that leads to a heap of out-of-bound writes. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
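Both CVEs above sit in unzip's conversion of UTF-8 or wide-character names to the local encoding, so a defender triaging a pile of archives mostly wants to know which ones would even reach that code. The script below is an added example for this thread, not part of the bug report or of unzip itself: it reads the central directory with Python's zipfile module and reports entries whose name is declared UTF-8 (general-purpose bit 11, 0x0800) or that carry an Info-ZIP Unicode Path extra field (header ID 0x7075); both markers come from the zip format specification. The sample archive is constructed in memory so the script runs offline; it never invokes unzip and does not reproduce the crash.

```python
"""Triage helper: list the entries of a zip archive that exercise unzip's
Unicode name-conversion paths (the code area the thread's CVEs describe).

Added example for this thread; it is not part of the bug report or of unzip.
For each central-directory entry it reports:
  * efs          - general-purpose bit 11 (0x0800) set, i.e. name declared UTF-8
  * unicode_path - the name carried in an Info-ZIP "Unicode Path" extra field
                   (header ID 0x7075), if one is present
Both markers come from the zip format specification (APPNOTE).
"""
import io
import struct
import zipfile
import zlib

EFS_FLAG = 0x0800          # general-purpose bit 11: filename/comment are UTF-8
UNICODE_PATH_ID = 0x7075   # Info-ZIP Unicode Path extra field header ID


def parse_unicode_path_extra(extra: bytes):
    """Walk the extra-field chain and return the UTF-8 name from a 0x7075
    field, or None. A truncated final field is skipped rather than crashing."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4: pos + 4 + size]
        if header_id == UNICODE_PATH_ID and len(body) >= 5:
            # layout: version (1 byte), CRC32 of the raw header name (4 bytes), UTF-8 name
            version, _name_crc = struct.unpack_from("<BI", body, 0)
            if version == 1:
                return body[5:].decode("utf-8", errors="replace")
        pos += 4 + size
    return None


def scan_unicode_entries(archive_bytes: bytes):
    """Return one dict per entry that would go through Unicode name conversion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for index, info in enumerate(zf.infolist()):
            efs = bool(info.flag_bits & EFS_FLAG)
            unicode_path = parse_unicode_path_extra(info.extra)
            if efs or unicode_path is not None:
                findings.append({
                    "index": index,
                    "name": info.filename,
                    "efs": efs,
                    "unicode_path": unicode_path,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not the attachment from the report): one plain ASCII
    entry, one UTF-8-flagged entry, and one ASCII entry carrying a hand-built
    Unicode Path extra field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("plain.txt", b"ascii name, no unicode markers\n")
        # zipfile sets bit 11 itself when the name is not pure ASCII
        zf.writestr("r\u00e9sum\u00e9.txt", b"utf-8 flagged name\n")
        raw_name = b"readme.txt"
        payload = struct.pack("<BI", 1, zlib.crc32(raw_name)) + "readme-\u00e9.txt".encode("utf-8")
        zi = zipfile.ZipInfo(raw_name.decode("ascii"))
        zi.extra = struct.pack("<HH", UNICODE_PATH_ID, len(payload)) + payload
        zf.writestr(zi, b"ascii name with unicode path extra field\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # usage: python3 scan.py [archive.zip]; without an argument the built-in sample is scanned
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    for entry in scan_unicode_entries(data):
        print(entry)
```

Archives that produce no findings never enter the affected conversion routines; the ones that do are the candidates worth extracting only with a patched build (6.0_p27 or later on Gentoo) or inside a throwaway container. Note that newer Python versions apply a valid 0x7075 field to `info.filename` themselves, which is why the scanner reports the extra-field name separately rather than relying on the displayed name.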
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bff42a923fb9b8ce5af167cc3032420d4a666307

commit bff42a923fb9b8ce5af167cc3032420d4a666307
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-25 02:18:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-25 02:19:14 +0000

    app-arch/unzip: add 6.0_p27

    Contains patches for CVE-2022-0529, CVE-2022-0530 (bug 831190) and for a unicode issue which *might* be CVE-2021-4217 (bug 866386).

    Bug: https://bugs.gentoo.org/866386
    Bug: https://bugs.gentoo.org/831190
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/unzip/Manifest             |  1 +
 app-arch/unzip/unzip-6.0_p27.ebuild | 93 +++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
Please clean up
Deliberately not filing a GLSA yet as it's uncertain all of the outstanding vulnerabilities for this package are fixed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a73b8193b39630b9d17a4c66adde3dd0b7cefcd9

commit a73b8193b39630b9d17a4c66adde3dd0b7cefcd9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-26 08:15:01 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-26 08:32:53 +0000

    app-arch/unzip: drop 6.0_p26

    Bug: https://bugs.gentoo.org/831190
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/unzip/Manifest             |  1 -
 app-arch/unzip/unzip-6.0_p26.ebuild | 88 -------------------------------------
 2 files changed, 89 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d44fbd3569e6b230de77614e030e307f7362fbeb

commit d44fbd3569e6b230de77614e030e307f7362fbeb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-30 09:22:56 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-30 09:23:35 +0000

    [ GLSA 202310-17 ] UnZip: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/831190
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202310-17.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)