zip fails when filenames contain unicode characters

Bug #2062535 reported by Romwriter
This bug affects 28 people

Affects                                        Status        Importance  Assigned to    Milestone
zip (Ubuntu), status tracked in Plucky
  Noble                                        Fix Released  Undecided   Shengjing Zhu
  Oracular                                     Fix Released  Undecided   Shengjing Zhu
  Plucky                                       Fix Released  High        Shengjing Zhu

Bug Description

[ Impact ]

 * zip in noble is built with _FORTIFY_SOURCE=3, and the code has a buffer overflow bug when a filename contains non-ASCII characters, so it crashes at runtime.

[ Test Plan ]

 * install zip from proposed
 * run following commands:
   touch ä
   zip x.zip ä
 * It shouldn't crash.

[ Where problems could occur ]

 * The patch has been included in Fedora 40 and tested there.
 * If the patch still calculates the buffer size incorrectly, zip will continue to crash.

[ Other Info ]

 * None

[Original description]

Steps to reproduce: command line
$ touch ä
$ zip x.zip ä

will result in

> *** buffer overflow detected ***: terminated
>
>
> zip error: Interrupted (aborting)

cf. https://bugzilla.redhat.com/show_bug.cgi?id=2165653

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: zip 3.0-13build1
Uname: Linux 6.8.6-060806-generic x86_64
ApportVersion: 2.28.1-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: XFCE
Date: Fri Apr 19 12:34:09 2024
SourcePackage: zip
UpgradeStatus: No upgrade log present (probably fresh install)
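
The test plan above, wrapped as a repeatable check (an added example, not part of the bug report or the zip package): it runs the reproducer in a scratch directory with a chosen zip binary and reports whether the fortify abort message quoted in this report appears. The function name `zip_unicode_check` and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: run the report's reproducer against a given zip binary.
# zip_unicode_check is a hypothetical helper name, not part of zip or Ubuntu.
# Prints one verdict (ok | affected | error) and returns 0, 1 or 2.
zip_unicode_check() {
    zip_bin=${1:-zip}
    if ! command -v "$zip_bin" >/dev/null 2>&1; then
        echo error; return 2
    fi
    work=$(mktemp -d) || { echo error; return 2; }
    rc=0
    # File names taken from the report and its comments; all created empty.
    ( cd "$work" && : > 'ä' && : > '123ö.txt' && : > 'äbc.txt' &&
      "$zip_bin" x.zip 'ä' '123ö.txt' 'äbc.txt' ) >"$work/log" 2>&1 || rc=$?
    if grep -q 'buffer overflow detected' "$work/log"; then
        # The abort message glibc prints when a fortified call fails its check.
        verdict=affected; status=1
    elif [ "$rc" -eq 0 ] && [ -f "$work/x.zip" ]; then
        verdict=ok; status=0
    else
        # zip failed for some other reason; do not report it as this bug.
        verdict=error; status=2
    fi
    rm -rf "$work"
    echo "$verdict"
    return "$status"
}

# Stand-alone use: sh check.sh /usr/bin/zip
if [ "$#" -gt 0 ]; then
    zip_unicode_check "$1"
fi
```
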

Romwriter (romwriter) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in zip (Ubuntu):
status: New → Confirmed
iroli (roland-lezuo) wrote :

Makes zip unusable for files containing non-ASCII characters (i.e. many other locales)

Ferdinand Haider (haider) wrote :

Same as Bug #2066991

Changed in zip (Ubuntu):
importance: Undecided → High
Sebastien Bacher (seb128) wrote :

Thanks, indeed it has an issue with encoding; Fedora has a patch for it

https://src.fedoraproject.org/rpms/zip/raw/rawhide/f/buffer_overflow.patch

which I confirmed fixes the issue described in the report

Changed in zip (Ubuntu):
status: Confirmed → Triaged
Jg-jguk (jg-jguk) wrote :

Did the patch get integrated in the Ubuntu package? Perhaps info-zip is no longer maintaining it?

Paul Marquess (pmqs) wrote :

info-zip (which is very slowly starting a reboot) already has the fedora change in place.

Jose Gómez (adler-dreamcoder) wrote :

The latest zip in Debian seems to fix the issue: https://packages.debian.org/trixie/zip

Jose Gómez (adler-dreamcoder) wrote :

Fixed version is 3.0-14

Stefan (steffel) wrote :

I can't confirm that it is fixed with 3.0-14 from Oracular (http://de.archive.ubuntu.com/ubuntu/pool/main/z/zip/zip_3.0-14_amd64.deb).

$ sudo dpkg -i zip_3.0-14_amd64.deb
(Reading database ... 1209975 files and directories currently installed.)
Preparing to unpack zip_3.0-14_amd64.deb ...
Unpacking zip (3.0-14) over (3.0-13build1) ...
Setting up zip (3.0-14) ...
Processing triggers for man-db (2.10.2-1) ...

$ zip test.zip 123ö.txt
*** buffer overflow detected ***: terminated

zip error: Interrupted (aborting)

Stefan (steffel) wrote :

I downloaded the sources from Oracular (https://packages.ubuntu.com/source/oracular/zip), applied patch from Fedora (https://src.fedoraproject.org/rpms/zip/raw/rawhide/f/buffer_overflow.patch, Red Hat has the same - https://bugzilla.redhat.com/attachment.cgi?id=1961637&action=diff) and built the package.

The bug is gone.

I attached a debdiff for that (without increased changelog).

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "debdiff-buffer-overflow-patch-3.0-14.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Jānis Kangarooo (kangarooo) wrote :

How to apply the bug fix on Ubuntu 24.04?
When will it be implemented?

Jānis Kangarooo (kangarooo) wrote :

OK, I found an alternative, 7z, that has zip options:
7z a -mx=0 zipname.zip filenameorfolder

Sam Darwin (samueldarwin) wrote :

There is a stackoverflow post and a Bug Bot comment from this launchpad thread saying 3.0-14 contains the solution.

However, the problem continues on 3.0-14.

wget http://launchpadlibrarian.net/740831076/zip_3.0-14_amd64.deb && sudo dpkg -i zip_3.0-14_amd64.deb && rm zip_3.0-14_amd64.deb

*** buffer overflow detected ***: terminated
zip error: Interrupted (aborting)

It is conceivable that launchpadlibrarian.net has the wrong file. Or else a fix is still needed.

Cesar Augusto Calad Hernandez (sgi1e) wrote :

Question, for the ARM64 architecture, what is the estimated date for when it will be ready?
PS: My machine is a Raspberry PI 5

Lee (digitding) wrote : zip on ubuntu 24.04 system

I have no idea when the fix will be available. Currently for my systems,
I have substituted the zip program which came with Ubuntu 22.04.

Lee

nh2 (nh2) wrote :

On an Ubuntu LTS release the zip utility has already been broken for 6 months?

This has importance "high" and is part of the "main" repo, shouldn't a fix be rolled out to 22.04?

Apoorv Parle (apparle) wrote :

Indeed it is surprising that the zip utility is broken on an LTS release for this long and there's not even a fix.

Stefan (steffel) wrote :

And the effort is very low as there is already a tested debdiff available (see #11), that just needs to be applied, built and released.

Rgpublic (rgpublic) wrote :

Sigh, unfortunately it's sufficient if there's one single Unicode file in a huge tree of thousands of folders and files to bring it down. So zip is basically broken and unusable on 24.04 LTS. After delivering a broken Ceph version with Ubuntu and not fixing it for half a year, now there's even a basic command-line tool like ZIP that can't be relied upon properly :-(

A workaround for now - in case anyone finds it useful - is:

wget http://de.archive.ubuntu.com/ubuntu/pool/main/z/zip/zip_3.0-12build2_amd64.deb
dpkg -i zip_3.0-12build2_amd64.deb

Shengjing Zhu (zhsj) wrote :

looks like this is caused by _FORTIFY_SOURCE=3 which is introduced in noble.

Changed in zip (Ubuntu Noble):
status: New → Confirmed
Changed in zip (Ubuntu Oracular):
status: New → Confirmed
Shengjing Zhu (zhsj)
Changed in zip (Ubuntu Plucky):
assignee: nobody → Shengjing Zhu (zhsj)
Jg-jguk (jg-jguk) wrote :

It's broken because the distro producer doesn't take fixing it seriously.
Look how many messages, and still no one rolls out the fixed release. Note the issue is already fixed, it only needs Ubuntu to release the latest version of the zip package.

Lukas Märdian (slyon)
Changed in zip (Ubuntu Plucky):
status: Triaged → In Progress
Lukas Märdian (slyon) wrote :

Sponsored for plucky: https://launchpad.net/ubuntu/+source/zip/3.0-14ubuntu1

@zhsj can you please `submittodebian` the patch for upstream inclusion?

Changed in zip (Ubuntu Plucky):
status: In Progress → Fix Committed
Shengjing Zhu (zhsj)
description: updated
Shengjing Zhu (zhsj)
Changed in zip (Ubuntu Noble):
status: Confirmed → In Progress
Changed in zip (Ubuntu Oracular):
status: Confirmed → In Progress
Changed in zip (Ubuntu Noble):
assignee: nobody → Shengjing Zhu (zhsj)
Changed in zip (Ubuntu Oracular):
assignee: nobody → Shengjing Zhu (zhsj)
Lukas Märdian (slyon) wrote :

Uploaded for SRU review to Oracular & Noble.

nh2 (nh2) wrote :

Much appreciated!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zip - 3.0-14ubuntu1

---------------
zip (3.0-14ubuntu1) plucky; urgency=medium

  * d/p/13-buffer-overflow.patch: Fix buffer overflow when filename contains
    unicode characters (LP: #2062535)

 -- Shengjing Zhu <email address hidden> Fri, 01 Nov 2024 00:25:05 +0800

Changed in zip (Ubuntu Plucky):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Romwriter, or anyone else affected,

Accepted zip into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/zip/3.0-14ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in zip (Ubuntu Oracular):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-oracular
Changed in zip (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed-noble
Timo Aaltonen (tjaalton) wrote :

Hello Romwriter, or anyone else affected,

Accepted zip into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/zip/3.0-13ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Stefan (steffel) wrote :

Tested on noble, looks good. Thanks!

```
$ dpkg -l zip
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii zip 3.0-13build1 amd64 Archiver for .zip files

$ ll
total 132
drwxr-xr-x 2 user users 4096 Nov 15 12:56 ./
drwxrwxrwt 39 root root 126976 Nov 15 15:26 ../
-rw-r--r-- 1 user users 0 Nov 15 12:55 äbc.txt

$ zip test.zip äbc.txt
*** buffer overflow detected ***: terminated

zip error: Interrupted (aborting)

$ apt policy zip
zip:
  Installed: 3.0-13build1
  Candidate: 3.0-13build1
  Version table:
     3.0-13ubuntu0.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
 *** 3.0-13build1 500
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status

$ sudo apt install zip=3.0-13ubuntu0.1
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  zip
1 upgraded, 0 newly installed, 0 to remove and 400 not upgraded.
Need to get 176 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 zip amd64 3.0-13ubuntu0.1 [176 kB]
Fetched 176 kB in 0s (365 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 244512 files and directories currently installed.)
Preparing to unpack .../zip_3.0-13ubuntu0.1_amd64.deb ...
Unpacking zip (3.0-13ubuntu0.1) over (3.0-13build1) ...
Setting up zip (3.0-13ubuntu0.1) ...
Processing triggers for man-db (2.12.0-4build2) ...

$ dpkg -l zip
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-===============-============-=================================
ii zip 3.0-13ubuntu0.1 amd64 Archiver for .zip files

$ zip test.zip äbc.txt
  adding: äbc.txt (stored 0%)
```

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (zip/3.0-14ubuntu0.1)

All autopkgtests for the newly accepted zip (3.0-14ubuntu0.1) for oracular have finished running.
The following regressions have been reported in tests triggered by the package:

capsule-nextflow/unknown (ppc64el)
diffoscope/unknown (ppc64el)
jruby/9.4.8.0+ds-1ubuntu1 (amd64)
magicrescue/unknown (ppc64el)
openjdk-8/8u432-ga~us1-0ubuntu2~24.10 (amd64, arm64)
openjdk-8/unknown (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/oracular/update_excuses.html#zip

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (zip/3.0-13ubuntu0.1)

All autopkgtests for the newly accepted zip (3.0-13ubuntu0.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

automake-1.16/1:1.16.5-1.3ubuntu1 (ppc64el)
jruby/9.4.6.0+ds-1ubuntu3 (amd64, arm64)
log4cxx/1.1.0-1build3 (s390x)
magicrescue/1.1.10+dfsg-2build2 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#zip

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Romwriter (romwriter)
tags: added: verification-done-noble
removed: verification-needed-noble
Shengjing Zhu (zhsj) wrote :

root@o-ct-1:~# touch ä
root@o-ct-1:~# zip x.zip ä
*** buffer overflow detected ***: terminated

zip error: Interrupted (aborting)
root@o-ct-1:~# apt install -t oracular-proposed zip
Upgrading:
  zip

Summary:
  Upgrading: 1, Installing: 0, Removing: 0, Not Upgrading: 12
  Download size: 175 kB
  Space needed: 0 B / 249 GB available

0% [Working]
Get:1 http://security.ubuntu.com/ubuntu oracular-proposed/main amd64 zip amd64 3.0-14ubuntu0.1 [175 kB]
Fetched 175 kB in 2s (98.8 kB/s)
(Reading database ... 16074 files and directories currently installed.)
Preparing to unpack .../zip_3.0-14ubuntu0.1_amd64.deb ...
Unpacking zip (3.0-14ubuntu0.1) over (3.0-14) ...
Setting up zip (3.0-14ubuntu0.1) ...
root@o-ct-1:~# zip x.zip ä
  adding: ä (stored 0%)
root@o-ct-1:~#

tags: added: verification-done verification-done-oracular
removed: verification-needed verification-needed-oracular
Hans Deragon (deragon) wrote :

Tested noble-proposed and confirming it works too.

Shengjing Zhu (zhsj) wrote :

all autopkgtest regressions have been retried and then passed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zip - 3.0-14ubuntu0.1

---------------
zip (3.0-14ubuntu0.1) oracular; urgency=medium

  * d/p/13-buffer-overflow.patch: Fix buffer overflow when filename contains
    unicode characters (LP: #2062535)

 -- Shengjing Zhu <email address hidden> Fri, 01 Nov 2024 00:25:05 +0800

Changed in zip (Ubuntu Oracular):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for zip has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zip - 3.0-13ubuntu0.1

---------------
zip (3.0-13ubuntu0.1) noble; urgency=medium

  * d/p/13-buffer-overflow.patch: Fix buffer overflow when filename contains
    unicode characters (LP: #2062535)

 -- Shengjing Zhu <email address hidden> Fri, 01 Nov 2024 00:25:05 +0800

Changed in zip (Ubuntu Noble):
status: Fix Committed → Fix Released