meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
From: Nils Bars <nils.bars@t-online.de>
Date: Mon, 17 Jan 2022 16:53:16 +0000
Subject: [PATCH] Fix null pointer dereference and use of uninitialized data

This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
to read as many bytes as indicated by the extra field length attribute.
Furthermore, this fixes a null pointer dereference if an archive contains an
`EF_UNIPATH` extra field but does not have a filename set.
---
 fileio.c  | 5 ++++-
 process.c | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-) 
---

Patch from:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
Regenerated to apply without offsets.

CVE: CVE-2021-4217

Upstream-Status: Pending [infozip upstream inactive]

Signed-off-by: Joe Slater <joe.slater@windriver.com>


diff --git a/fileio.c b/fileio.c
index 14460f3..1dc319e 100644
--- a/fileio.c
+++ b/fileio.c
@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option)   /* return PK-type error code */
             seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
                       (G.inptr-G.inbuf) + length);
         } else {
-            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
+            if (bytes_read == 0)
                 return PK_EOF;
+            if (bytes_read != length)
+                return PK_ERR;
             /* Looks like here is where extra fields are read */
             if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
             {
diff --git a/process.c b/process.c
index 5f8f6c6..de843a5 100644
--- a/process.c
+++ b/process.c
@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
           G.unipath_checksum = makelong(offset + ef_buf);
           offset += 4;
 
+          if (!G.filename_full) {
+            /* Check if we have a unicode extra section but no filename set */
+            return PK_ERR;
+          }
+
           /*
            * Compute 32-bit crc
            */
-
           chksum = crc32(chksum, (uch *)(G.filename_full),
                          strlen(G.filename_full));
 
-- 
2.32.0