CVE-2022-0530: SIGSEGV during the conversion of a UTF-8 string to a local string

A flaw was found in unzip 6.0. The vulnerability occurs during the conversion of a UTF-8 string to a local string and leads to a segmentation fault. An attacker can supply a specially crafted zip file that triggers the crash. The CVE record also lists code execution as a possible outcome, but the valgrind traces in the report below show an invalid read from address 0x0 (a null-pointer dereference), so the demonstrated impact is denial of service.


Comment 1 Sandipan Roy 2022-02-07 08:00:26 UTC

Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 2051397]

Comment 6 Salvatore Bonaccorso 2022-02-12 10:10:22 UTC

Hi,

The referenced bug is not accessible, can you share details on this CVE?

Regards, Salvatore

Comment 7 Sandipan Roy 2022-02-14 09:54:43 UTC

Hey Nils,

Can you add your flaw and POC files to this bug as public?

Thanks.

Comment 8 Nils Bars 2022-02-14 09:59:12 UTC

Created attachment 1860944: Reproduction scripts and bug-triggering input.

SIGSEGV during the conversion of a UTF-8 string to a local string

Description

During extraction of the attached zip archive via `unzip $PWD/testcase`, a null pointer dereference is triggered and causes a segmentation fault (SIGSEGV). The bug appears to be located in the code responsible for handling the conversion of a UTF-8 string to a local string. A possible fix would be to check in the function `utf8_to_local_string` whether the call to `utf8_to_wide_string` returns NULL and to handle the situation accordingly.

This bug allows an attacker to perform a denial of service and possibly opens up other attack vectors.

To reproduce the crash, we provide scripts alongside the crashing input:

  • ./reproduce-fedora.sh: Reproduce the crash via a Fedora 35 docker container
  • ./reproduce-ubuntu.sh: Reproduce the crash via an Ubuntu 20.04 docker container

If you need further details, we are happy to assist where possible.

yum info unzip

```
Last metadata expiration check: 0:04:07 ago on Mon Jan 31 12:39:57 2022.
Installed Packages
Name         : unzip
Version      : 6.0
Release      : 53.fc35
Architecture : x86_64
Size         : 385 k
Source       : unzip-6.0-53.fc35.src.rpm
Repository   : @System
From repo    : fedora
Summary      : A utility for unpacking zip files
URL          : http://www.info-zip.org/UnZip.html
License      : BSD
Description  : The unzip utility is used to list, test, or extract files from a zip
             : archive. Zip archives are commonly found on MS-DOS systems. The zip
             : utility, included in the zip package, creates zip archives. Zip and
             : unzip are both compatible with archives created by PKWARE(R)'s PKZIP
             : for MS-DOS, but the programs' options and default behaviors do differ
             : in some respects.
             :
             : Install the unzip package if you need to list, test or extract files from
             : a zip archive.
```

valgrind fedora

```
[+] Running unzip /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==1== Command: unzip /testcase
==1==
Archive:  /testcase
warning [/testcase]:  16 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [/testcase]:  reported length of central directory is
  -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==1== Invalid read of size 8
==1==    at 0x10CB55: UnknownInlinedFun (process.c:2503)
==1==    by 0x10CB55: UnknownInlinedFun (process.c:2600)
==1==    by 0x10CB55: do_string.part.0.cold (fileio.c:2361)
==1==    by 0x118650: UnknownInlinedFun (fileio.c:2041)
==1==    by 0x118650: extract_or_test_entrylist (extract.c:1377)
==1==    by 0x11A1F1: extract_or_test_files (extract.c:742)
==1==    by 0x1253D6: do_seekable.lto_priv.0 (process.c:994)
==1==    by 0x10E51E: UnknownInlinedFun (process.c:401)
==1==    by 0x10E51E: UnknownInlinedFun (unzip.c:1279)
==1==    by 0x10E51E: main (unzip.c:742)
==1==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1==
error:  zipfile probably corrupt (segmentation violation)
==1==
==1== HEAP SUMMARY:
==1==     in use at exit: 80,290 bytes in 8 blocks
==1==   total heap usage: 22 allocs, 14 frees, 86,257 bytes allocated
==1==
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 80,290 bytes in 8 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[+] Dropping into shell. Malformed input is located at /testcase
```

apt-show unzip

```
Package: unzip
Version: 6.0-25ubuntu1
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Santiago Vila <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 593 kB
Depends: libbz2-1.0, libc6 (>= 2.14)
Suggests: zip
Homepage: http://www.info-zip.org/UnZip.html
Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Download-Size: 169 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Description: De-archiver for .zip files
```

valgrind ubuntu

```
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: unzip /testcase
==1==
Archive:  /testcase
warning [/testcase]:  16 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [/testcase]:  reported length of central directory is
  -16 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==1== Invalid read of size 8
==1==    at 0x11E5CD: wide_to_local_string (process.c:2511)
==1==    by 0x11E800: utf8_to_local_string (process.c:2608)
==1==    by 0x117D50: do_string (fileio.c:2362)
==1==    by 0x111EE8: extract_or_test_entrylist (extract.c:1376)
==1==    by 0x114E16: extract_or_test_files (extract.c:741)
==1==    by 0x11C830: do_seekable (process.c:994)
==1==    by 0x11D796: process_zipfiles (process.c:401)
==1==    by 0x10EB36: unzip (unzip.c:1278)
==1==    by 0x48890B2: (below main) (libc-start.c:308)
==1==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==1==
error:  zipfile probably corrupt (segmentation violation)
==1==
==1== HEAP SUMMARY:
==1==     in use at exit: 80,290 bytes in 8 blocks
==1==   total heap usage: 22 allocs, 14 frees, 86,257 bytes allocated
==1==
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 80,290 bytes in 8 blocks
==1==         suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[+] Dropping into shell. Malformed input is located at /testcase
```
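The null-pointer path described in comment 8, reduced to a stand-alone C model. This is an added example, not unzip's source: `utf8_to_wide_string` returns NULL when the UTF-8 it is handed is malformed, `wide_to_local_string` walks the returned array (the read that faults at `process.c:2511` in the Ubuntu trace), and `utf8_to_local_string` either forwards the NULL unchecked (the crashing shape) or tests it first, which is the fix the reporter proposes. The function names mirror the trace; the decoder body, the `#Uxxxx` escape form for non-ASCII characters and the three constructed file names are assumptions for illustration.

```c
/* Added example modelling CVE-2022-0530: NULL from the UTF-8 decoder reaching
 * the wide-to-local converter unchecked. Simplified, not unzip's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long zwchar;   /* unzip names its 32-bit wide char type zwchar */

/* Decode one UTF-8 sequence at s into *out. Returns bytes consumed, or -1 on
 * malformed input: bad lead byte, missing/invalid continuation, overlong form,
 * surrogate or out-of-range code point. Never reads past a NUL byte. */
static int utf8_decode_one(const unsigned char *s, zwchar *out)
{
    unsigned char c = s[0];
    int len;
    zwchar cp;

    if (c < 0x80) { *out = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; }
    else return -1;                         /* stray continuation byte or 0xF8..0xFF */

    for (int i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return -1;   /* truncated (NUL) or bad continuation */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
        (len == 4 && cp < 0x10000) || cp > 0x10FFFF ||
        (cp >= 0xD800 && cp <= 0xDFFF))
        return -1;
    *out = cp;
    return len;
}

/* UTF-8 -> NUL-terminated wide string. Returns NULL on malformed input or
 * allocation failure; that NULL is what the caller has to handle. */
static zwchar *utf8_to_wide_string(const char *utf8)
{
    const unsigned char *s = (const unsigned char *)utf8;
    size_t n = strlen(utf8);
    zwchar *wide = malloc((n + 1) * sizeof *wide);  /* at most one code point per byte */
    if (wide == NULL) return NULL;
    size_t w = 0;
    while (*s) {
        int used = utf8_decode_one(s, &wide[w]);
        if (used < 0) { free(wide); return NULL; }
        s += used;
        w++;
    }
    wide[w] = 0;
    return wide;
}

/* Wide -> local charset. ASCII passes through; anything else is written as a
 * #Uxxxx escape (assumed form). With wide == NULL the first loop below is the
 * invalid read of size 8 at address 0x0 seen in the valgrind output. */
static char *wide_to_local_string(const zwchar *wide)
{
    size_t len = 0;
    for (size_t i = 0; wide[i]; i++)
        len++;
    char *local = malloc(len * 8 + 1);       /* "#U" + up to 6 hex digits per char */
    if (local == NULL) return NULL;
    char *p = local;
    for (size_t i = 0; wide[i]; i++) {
        if (wide[i] < 0x80) *p++ = (char)wide[i];
        else p += sprintf(p, "#U%04lX", wide[i]);
    }
    *p = '\0';
    return local;
}

/* Vulnerable shape: the decoder's result is passed on without a check. */
char *utf8_to_local_string_vuln(const char *utf8)
{
    zwchar *wide = utf8_to_wide_string(utf8);
    char *loc = wide_to_local_string(wide);   /* NULL dereference on malformed names */
    free(wide);
    return loc;
}

/* Hardened shape: stop when the wide conversion failed; the caller treats
 * NULL as "this entry name is unusable" instead of crashing. */
char *utf8_to_local_string_fixed(const char *utf8)
{
    zwchar *wide = utf8_to_wide_string(utf8);
    if (wide == NULL)
        return NULL;
    char *loc = wide_to_local_string(wide);
    free(wide);
    return loc;
}

/* Constructed entry names, as they might sit in a central directory with the
 * UTF-8 flag set. Not taken from the attached testcase. */
static const char VALID_NAME[]     = "caf\xC3\xA9.txt";        /* "café.txt" */
static const char TRUNCATED_NAME[] = "caf\xC3";                 /* lead byte, no continuation */
static const char OVERLONG_NAME[]  = "\xC0\xAF" "etc/passwd";   /* overlong encoding of '/' */

int main(void)
{
    const char *inputs[] = { VALID_NAME, TRUNCATED_NAME, OVERLONG_NAME };
    for (size_t i = 0; i < 3; i++) {
        char *loc = utf8_to_local_string_fixed(inputs[i]);
        printf("%-16s -> %s\n", inputs[i], loc ? loc : "(rejected: malformed UTF-8)");
        free(loc);
    }
    /* utf8_to_local_string_vuln(TRUNCATED_NAME) would fault here, as in the trace. */
    return 0;
}
```

The check is deliberately placed in `utf8_to_local_string` rather than inside `wide_to_local_string`, matching the location the report suggests: the caller that owns the allocation is the one that knows a NULL means "conversion failed" and can release nothing and return failure upward, so every call site in the extraction path gets the same behaviour.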
