Activity log for bug #1957077

Date Who What changed Old value New value Message
2022-01-11 12:33:32 Nils bug added bug
2022-01-11 12:33:32 Nils attachment added Please extract, this contains the crashing input besides other files helpful for reproduction. https://bugs.launchpad.net/bugs/1957077/+attachment/5553357/+files/attachment.zip
2022-01-11 12:35:10 Nils description
Old value and new value (identical):

SIGSEGV during processing of Unicode string

# Description

During extraction of the attached zip archive via

```
unzip $PWD/1ba59e08e410ce4bd897dd4ef3d0f59ca26b34f76de51d3b4382d72b8ae0d40d_SIGSEGV
```

a null pointer dereference is triggered and causes a SIGSEGV. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors. For reproduction of the crash a script called ./reproduce.sh is provided alongside the crashing input. If you need further details, please do not hesitate to ask.

# apt-show unzip

```
Package: unzip
Version: 6.0-25ubuntu1
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Santiago Vila <sanvila@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 593 kB
Depends: libbz2-1.0, libc6 (>= 2.14)
Suggests: zip
Homepage: http://www.info-zip.org/UnZip.html
Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Download-Size: 169 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Description: De-archiver for .zip files
```

# valgrind output

```
==17079== Conditional jump or move depends on uninitialised value(s)
==17079==    at 0x430B0B: getZip64Data (process.c:1942)
==17079==    by 0x41E687: do_string (fileio.c:2314)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  Uninitialised value was created by a heap allocation
==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x41E603: do_string (fileio.c:2303)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Conditional jump or move depends on uninitialised value(s)
==17079==    at 0x430B44: getZip64Data (process.c:1950)
==17079==    by 0x41E687: do_string (fileio.c:2314)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  Uninitialised value was created by a heap allocation
==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x41E603: do_string (fileio.c:2303)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Conditional jump or move depends on uninitialised value(s)
==17079==    at 0x430ABF: getZip64Data (process.c:1937)
==17079==    by 0x41E687: do_string (fileio.c:2314)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  Uninitialised value was created by a heap allocation
==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x41E603: do_string (fileio.c:2303)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Use of uninitialised value of size 8
==17079==    at 0x41BD82: makeword (fileio.c:2440)
==17079==    by 0x430AF2: getZip64Data (process.c:1939)
==17079==    by 0x41E687: do_string (fileio.c:2314)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  Uninitialised value was created by a heap allocation
==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x41E603: do_string (fileio.c:2303)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Use of uninitialised value of size 8
==17079==    at 0x41BD82: makeword (fileio.c:2440)
==17079==    by 0x430AFD: getZip64Data (process.c:1940)
==17079==    by 0x41E687: do_string (fileio.c:2314)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  Uninitialised value was created by a heap allocation
==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x41E603: do_string (fileio.c:2303)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Invalid read of size 1
==17079==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x4311C9: getUnicodeData (process.c:2072)
==17079==    by 0x41F045: do_string (fileio.c:2330)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17079==
==17079==
==17079== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17079==  Access not within mapped region at address 0x0
==17079==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079==    by 0x4311C9: getUnicodeData (process.c:2072)
==17079==    by 0x41F045: do_string (fileio.c:2330)
==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
==17079==    by 0x42F1FB: do_seekable (process.c:994)
==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
==17079==    by 0x4033E2: unzip (unzip.c:1278)
==17079==    by 0x48970B2: (below main) (libc-start.c:308)
==17079==  If you believe this happened as a result of a stack
==17079==  overflow in your program's main thread (unlikely but
==17079==  possible), you can try to increase the size of the
==17079==  main thread stack using the --main-stacksize= flag.
==17079==  The main thread stack size used in this run was 8388608.
==17079==
==17079== HEAP SUMMARY:
==17079==     in use at exit: 109,457 bytes in 6 blocks
==17079==   total heap usage: 28 allocs, 22 frees, 118,125 bytes allocated
==17079==
==17079== LEAK SUMMARY:
==17079==    definitely lost: 0 bytes in 0 blocks
==17079==    indirectly lost: 0 bytes in 0 blocks
==17079==      possibly lost: 0 bytes in 0 blocks
==17079==    still reachable: 109,457 bytes in 6 blocks
==17079==         suppressed: 0 bytes in 0 blocks
==17079== Rerun with --leak-check=full to see details of leaked memory
==17079==
==17079== For lists of detected and suppressed errors, rerun with: -s
==17079== ERROR SUMMARY: 39614 errors from 6 contexts (suppressed: 0 from 0)
```
2022-01-13 09:36:31 Nils description
Old value: the description as entered on 2022-01-11 12:35:10 (the log repeats it verbatim), whose summary line and Description section still read "unicode string", "nullpointer dereference" and "appares".
New value: the same description with those spellings corrected to "Unicode string", "null pointer dereference" and "appears". The apt-show output and the valgrind output are unchanged.
2022-01-14 10:59:36 Nils information type Private Security Public Security
2022-01-14 13:42:45 Nils attachment removed Please extract, this contains the crashing input besides other files helpful for reproduction. https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/+attachment/5553357/+files/attachment.zip
2022-01-14 13:44:32 Nils attachment added attachment.zip https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/+attachment/5554349/+files/attachment.zip
2022-01-16 19:26:28 wicked bug added subscriber wicked
2022-01-17 17:22:03 Nils attachment added 0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/+attachment/5554956/+files/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
2022-01-17 20:18:58 Ubuntu Foundations Team Bug Bot tags patch
2022-01-17 20:19:03 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Review Team
2022-01-28 04:57:43 Salvatore Bonaccorso bug watch added https://bugzilla.redhat.com/show_bug.cgi?id=2044583
2022-01-28 04:57:43 Salvatore Bonaccorso cve linked 2021-4217
2022-03-11 18:56:31 Seth Arnold unzip (Ubuntu): status New Confirmed
2022-03-15 09:22:34 Sebastien Bacher bug added subscriber Ubuntu Sponsors Team
2022-04-11 23:26:07 Mathew Hodson unzip (Ubuntu): importance Undecided Low
2022-10-13 09:39:19 Launchpad Janitor unzip (Ubuntu): status Confirmed Fix Released
2022-10-13 09:39:19 Launchpad Janitor cve linked 2022-0529
2022-10-13 09:39:19 Launchpad Janitor cve linked 2022-0530
2022-10-13 09:39:20 Launchpad Janitor unzip (Ubuntu): status Confirmed Fix Released