SIGSEGV during processing of unicode string

Bug #1957077 reported by Nils
Affects: unzip (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

SIGSEGV during processing of Unicode string

# Description
During extraction of the attached zip archive via
```
unzip $PWD/1ba59e08e410ce4bd897dd4ef3d0f59ca26b34f76de51d3b4382d72b8ae0d40d_SIGSEGV
```
a null pointer dereference is triggered and causes a SIGSEGV. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors.

For reproduction of the crash a script called ./reproduce.sh is provided alongside the crashing input. If you need further details, please do not hesitate to ask.

# apt-show unzip
```
Package: unzip
Version: 6.0-25ubuntu1
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Santiago Vila <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 593 kB
Depends: libbz2-1.0, libc6 (>= 2.14)
Suggests: zip
Homepage: http://www.info-zip.org/UnZip.html
Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Download-Size: 169 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Description: De-archiver for .zip files
```

# valgrind output
```
==17079== Conditional jump or move depends on uninitialised value(s)
==17079== at 0x430B0B: getZip64Data (process.c:1942)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Conditional jump or move depends on uninitialised value(s)
==17079== at 0x430B44: getZip64Data (process.c:1950)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Conditional jump or move depends on uninitialised value(s)
==17079== at 0x430ABF: getZip64Data (process.c:1937)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Use of uninitialised value of size 8
==17079== at 0x41BD82: makeword (fileio.c:2440)
==17079== by 0x430AF2: getZip64Data (process.c:1939)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Use of uninitialised value of size 8
==17079== at 0x41BD82: makeword (fileio.c:2440)
==17079== by 0x430AFD: getZip64Data (process.c:1940)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Invalid read of size 1
==17079== at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x4311C9: getUnicodeData (process.c:2072)
==17079== by 0x41F045: do_string (fileio.c:2330)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17079==
==17079==
==17079== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17079== Access not within mapped region at address 0x0
==17079== at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x4311C9: getUnicodeData (process.c:2072)
==17079== by 0x41F045: do_string (fileio.c:2330)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== If you believe this happened as a result of a stack
==17079== overflow in your program's main thread (unlikely but
==17079== possible), you can try to increase the size of the
==17079== main thread stack using the --main-stacksize= flag.
==17079== The main thread stack size used in this run was 8388608.
==17079==
==17079== HEAP SUMMARY:
==17079== in use at exit: 109,457 bytes in 6 blocks
==17079== total heap usage: 28 allocs, 22 frees, 118,125 bytes allocated
==17079==
==17079== LEAK SUMMARY:
==17079== definitely lost: 0 bytes in 0 blocks
==17079== indirectly lost: 0 bytes in 0 blocks
==17079== possibly lost: 0 bytes in 0 blocks
==17079== still reachable: 109,457 bytes in 6 blocks
==17079== suppressed: 0 bytes in 0 blocks
==17079== Rerun with --leak-check=full to see details of leaked memory
==17079==
==17079== For lists of detected and suppressed errors, rerun with: -s
==17079== ERROR SUMMARY: 39614 errors from 6 contexts (suppressed: 0 from 0)
```

Tags: patch
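The valgrind trace in the report points at two defects of one family: a heap buffer allocated in do_string is read before it is filled (the "uninitialised value" reports in getZip64Data), and getUnicodeData hands a NULL pointer to strlen. The following is an added example, not code from this report or from the unzip sources: a defensive parser for the Info-ZIP Unicode Path extra field (header ID 0x7075, laid out per the ZIP APPNOTE as one version byte, a 4-byte CRC-32 of the standard name, then the UTF-8 name) that bounds every read by the bytes actually present, zero-fills its output buffer, and guards the string-length consumer against a missing name. The names `parse_unicode_path`, `upath_t`, `safe_name_len` and the sample byte arrays are constructed for this example and are not unzip identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header ID of the Info-ZIP Unicode Path extra field (ZIP APPNOTE 4.6.9). */
#define UPATH_ID 0x7075u

/* Parsed result (hypothetical type, not from unzip): a NUL-terminated heap
 * copy of the name, or name == NULL when no valid field was found. */
typedef struct {
    uint32_t name_crc;   /* CRC-32 of the standard (non-Unicode) name */
    char    *name;       /* UTF-8 name, always NUL-terminated when non-NULL */
    size_t   name_len;
} upath_t;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk an extra-field area (a sequence of [id:2][size:2][data:size] records,
 * little-endian) and extract the Unicode Path field.
 * Returns 0 on success, -1 when the field is absent or any record's declared
 * size exceeds the bytes actually present. Every read is bounded by extra_len,
 * the output buffer is zero-filled before use so no later consumer can see
 * uninitialised bytes, and out->name stays NULL on failure. */
int parse_unicode_path(const uint8_t *extra, size_t extra_len, upath_t *out)
{
    size_t off = 0;

    out->name = NULL;
    out->name_len = 0;
    out->name_crc = 0;

    while (extra_len - off >= 4) {
        uint16_t id    = rd16(extra + off);
        uint16_t dsize = rd16(extra + off + 2);
        const uint8_t *data = extra + off + 4;

        if (dsize > extra_len - off - 4)    /* declared size overruns the buffer */
            return -1;

        if (id == UPATH_ID) {
            if (dsize < 5 || data[0] != 1)  /* need version byte (1) plus CRC */
                return -1;
            size_t nlen = dsize - 5;
            char *name = calloc(nlen + 1, 1);   /* zeroed: always NUL-terminated */
            if (name == NULL)
                return -1;
            memcpy(name, data + 5, nlen);
            out->name_crc = rd32(data + 1);
            out->name     = name;
            out->name_len = nlen;
            return 0;
        }
        off += 4u + dsize;                  /* cannot pass extra_len: checked above */
    }
    return -1;                              /* no Unicode Path field present */
}

/* Consumer-side guard: the trace above shows strlen() reached with a NULL
 * pointer; a caller must treat "no name" as length 0 rather than dereference. */
size_t safe_name_len(const upath_t *u)
{
    return (u->name != NULL) ? strlen(u->name) : 0;
}

/* Constructed sample inputs (not taken from the attached archive). */
/* A Zip64 record (id 0x0001, 2 data bytes) followed by a valid 0x7075 field
 * carrying the name "ab". */
static const uint8_t good_extra[] = {
    0x01, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x75, 0x70, 0x07, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD, 'a', 'b'
};
/* Same 0x7075 header, but it declares 7 data bytes while only 3 follow. */
static const uint8_t truncated_extra[] = {
    0x75, 0x70, 0x07, 0x00, 0x01, 0xAA, 0xBB
};

int main(void)
{
    upath_t u;
    if (parse_unicode_path(good_extra, sizeof good_extra, &u) == 0) {
        printf("name=\"%s\" len=%zu crc=0x%08x\n", u.name, safe_name_len(&u), u.name_crc);
        free(u.name);
    }
    if (parse_unicode_path(truncated_extra, sizeof truncated_extra, &u) != 0)
        printf("truncated field rejected, name length reported as %zu\n", safe_name_len(&u));
    return 0;
}
```

The two checks that matter are the `dsize > extra_len - off - 4` comparison, which rejects a record whose declared length reaches past the data that was actually read, and the NULL test in `safe_name_len`; `calloc` rather than `malloc` removes the uninitialised-read class entirely for the copied name, at the cost of one memset that is negligible for file names.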

Nils (nils-bars)
description: updated
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks for reporting this issue - have you tried reporting this to the upstream developers at all? I am not sure if it is still maintained but historically issues in UnZip were wanted to be reported via http://infozip.sourceforge.net/zip-bug.html - if you have not already could you please try reporting this there? If you do get a response, please let us know as well. Thanks.

Revision history for this message
Nils (nils-bars) wrote :

Hello Alex,

since the last release on http://infozip.sourceforge.net is from 2009 and the unzip package in the Ubuntu repository is bundled with a bunch of more recent patches for different CVEs, I strongly believe the upstream project is abandoned. Nevertheless, I reported the bug via the URL you provided to me. I believe the person who created the different CVE patches should know best how to proceed with this report?

Thanks!

description: updated
Revision history for this message
Alex Murray (alexmurray) wrote :

Thanks - it looks like previous issues have ended up just going to the oss-security mailing list:

https://www.openwall.com/lists/oss-security/2016/12/05/13
https://www.openwall.com/lists/oss-security/2015/09/07/4
https://www.openwall.com/lists/oss-security/2014/11/03/5
https://www.openwall.com/lists/oss-security/2014/11/02/2

Perhaps it is best to just make this public and request a CVE be assigned there - that way all distros etc can be notified and you can get appropriate credit etc?

Nils (nils-bars)
information type: Private Security → Public Security
Revision history for this message
Nils (nils-bars) wrote :

The attached attachment.zip file contains the bug triggering payload and a script to reproduce the bug via a prebuilt docker image.

Revision history for this message
wicked (dtwicked) wrote :

There is no patch for this issue?

Revision history for this message
Nils (nils-bars) wrote :

I attached a fix for the reported issue. However, since I am not familiar with unzip, someone should review it. Thanks!

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Salvatore Bonaccorso (carnil) wrote :

According to https://bugzilla.redhat.com/show_bug.cgi?id=2044583 this is CVE-2021-4217.

Changed in unzip (Ubuntu):
status: New → Confirmed
Mathew Hodson (mhodson)
Changed in unzip (Ubuntu):
importance: Undecided → Low
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-26ubuntu3.1

---------------
unzip (6.0-26ubuntu3.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference in unzip (LP: #1957077)
    - debian/patches/CVE-2021-4217.patch: Fix null pointer dereference and use
      of uninitialized data
    - CVE-2021-4217
  * SECURITY UPDATE: Out-of-bound write vulnerability in unzip
    - debian/patches/CVE-2022-0529.patch: Fix wide string conversion in
      process.c
    - debian/patches/CVE-2022-0530.patch: Add missing error handling in
      fileio.c and process.c
    - CVE-2022-0529
    - CVE-2022-0530

 -- Nishit Majithia <email address hidden> Fri, 07 Oct 2022 22:51:05 +0530

Changed in unzip (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-25ubuntu1.1

---------------
unzip (6.0-25ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference in unzip (LP: #1957077)
    - debian/patches/CVE-2021-4217.patch: Fix null pointer dereference and use
      of uninitialized data
    - CVE-2021-4217
  * SECURITY UPDATE: Out-of-bound write vulnerability in unzip
    - debian/patches/CVE-2022-0529.patch: Fix wide string conversion in
      process.c
    - debian/patches/CVE-2022-0530.patch: Add missing error handling in
      fileio.c and process.c
    - CVE-2022-0529
    - CVE-2022-0530

 -- Nishit Majithia <email address hidden> Fri, 07 Oct 2022 22:39:47 +0530

Changed in unzip (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information  