1 # --- T2-COPYRIGHT-NOTE-BEGIN ---
2 # T2 SDE: package/*/unzip/CVE-2022-0529-and-CVE-2022-0530.patch
3 # Copyright (C) 2022 The T2 SDE Project
5 # This Copyright note is generated by scripts/Create-CopyPatch,
6 # more information can be found in the files COPYING and README.
8 # This patch file is dual-licensed. It is available under the license the
9 # patched project is licensed under, as long as it is an OpenSource license
10 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
11 # of the GNU General Public License version 2 as used by the T2 SDE.
12 # --- T2-COPYRIGHT-NOTE-END ---
14 From: Steven M. Schweda <sms@antinode.info>
15 Subject: Fix for CVE-2022-0529 and CVE-2022-0530
16 Bug-Debian: https://bugs.debian.org/1010355
17 X-Debian-version: 6.0-27
22 static ZCONST char Far FilenameTooLongTrunc[] =
23 "warning: filename too long--truncating.\n";
24 #ifdef UNICODE_SUPPORT
25 + static ZCONST char Far UFilenameCorrupt[] =
26 + "error: Unicode filename corrupt.\n";
27 static ZCONST char Far UFilenameTooLongTrunc[] =
28 - "warning: Converted unicode filename too long--truncating.\n";
29 + "warning: Converted Unicode filename too long--truncating.\n";
31 static ZCONST char Far ExtraFieldTooLong[] =
32 "warning: extra field too long (%d). Ignoring...\n";
33 @@ -2361,16 +2363,30 @@
34 /* convert UTF-8 to local character set */
35 fn = utf8_to_local_string(G.unipath_filename,
36 G.unicode_escape_all);
37 - /* make sure filename is short enough */
38 - if (strlen(fn) >= FILNAMSIZ) {
39 - fn[FILNAMSIZ - 1] = '\0';
41 + /* 2022-07-22 SMS, et al. CVE-2022-0530
42 + * Detect conversion failure, emit message.
43 + * Continue with unconverted name.
47 Info(slide, 0x401, ((char *)slide,
48 - LoadFarString(UFilenameTooLongTrunc)));
50 + LoadFarString(UFilenameCorrupt)));
55 + /* make sure filename is short enough */
56 + if (strlen(fn) >= FILNAMSIZ) {
57 + fn[FILNAMSIZ - 1] = '\0';
58 + Info(slide, 0x401, ((char *)slide,
59 + LoadFarString(UFilenameTooLongTrunc)));
62 + /* replace filename with converted UTF-8 */
63 + strcpy(G.filename, fn);
66 - /* replace filename with converted UTF-8 */
67 - strcpy(G.filename, fn);
70 # endif /* UNICODE_WCHAR */
71 if (G.unipath_filename != G.filename_full)
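Review bot: The truncation at `fn[FILNAMSIZ - 1] = '\0'` cuts the locally-encoded name at a fixed byte offset, so in a multibyte local charset it can leave a partial trailing character that `strcpy(G.filename, fn)` then copies into G.filename; a comment such as `/* byte-wise cut: may end in a partial multibyte character */` would at least flag that this is accepted. The conversion-failure condition the hunk introduces (between the CVE-2022-0530 comment and the UFilenameCorrupt message) is not among the visible lines, so I cannot confirm what it tests or whether fn is released on that path. The enclosing function starts and ends outside the hunk.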
75 "\nwarning: Unicode Path version > 1\n";
76 static ZCONST char Far UnicodeMismatchError[] =
77 "\nwarning: Unicode Path checksum invalid\n";
78 + static ZCONST char Far UFilenameTooLongTrunc[] =
79 + "warning: filename too long (P1) -- truncating.\n";
84 Sets both local header and central header fields. Not terribly clever,
85 but it means that this procedure is only called in one place.
88 + 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141.
89 Added checks to ensure that enough data are available before calling
90 makeint64() or makelong(). Replaced various sizeof() values with
91 simple ("4" or "8") constants. (The Zip64 structures do not depend
92 @@ -1947,9 +1949,10 @@
93 ef_len - EB_HEADSIZE));
97 if (eb_id == EF_PKSZ64)
99 - int offset = EB_HEADSIZE;
100 + unsigned offset = EB_HEADSIZE;
102 if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
104 @@ -2046,7 +2049,7 @@
106 if (eb_id == EF_UNIPATH) {
108 - int offset = EB_HEADSIZE;
109 + unsigned offset = EB_HEADSIZE;
110 ush ULen = eb_len - 5;
111 ulg chksum = CRCVAL_INITIAL;
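Review bot: `ush ULen = eb_len - 5;` wraps to a large value when eb_len is smaller than 5, and the new `unsigned offset` beside it does not protect against that; unless a guard outside the hunk already rejects such short extra blocks, the function should bail out with its usual error return before this subtraction. The same int-to-unsigned change for offset appears in the hunk at `@@ -1947,9 +1949,10 @@`; a one-line comment on why it is unsigned (presumably because it is compared against the ush block lengths) would help in both places. The enclosing function starts before and ends after this hunk.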
113 @@ -2504,16 +2507,17 @@
116 int max_bytes = MB_CUR_MAX;
118 + char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */
120 char *local_string = NULL;
121 + size_t buffer_size; /* CVE-2022-0529 */
123 for (wsize = 0; wide_string[wsize]; wsize++) ;
125 if (max_bytes < MAX_ESCAPE_BYTES)
126 max_bytes = MAX_ESCAPE_BYTES;
128 - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
129 + buffer_size = wsize * max_bytes + 1; /* Reused below. */
130 + if ((buffer = (char *)malloc( buffer_size)) == NULL) {
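Review bot: `buffer_size = wsize * max_bytes + 1;` is evaluated in the operands' type before the result is widened to size_t — max_bytes is visibly int and wsize looks like an int counter — so a very long wide string can overflow the product and the allocation ends up smaller than the later bounds checks assume; compute it as `buffer_size = (size_t)wsize * (size_t)max_bytes + 1;`. The added `char buf[ MB_CUR_MAX+ 1];` is a variable-length array because MB_CUR_MAX is a runtime value, and its trailing question about the `+1` should be settled rather than shipped as a comment. The enclosing function starts before and ends after this hunk.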
134 @@ -2551,8 +2555,28 @@
136 /* no MB for this wide */
137 /* use escape for wide character */
138 - char *escape_string = wide_to_escape_string(wide_string[i]);
139 - strcat(buffer, escape_string);
141 + size_t escape_string_len;
142 + char *escape_string;
145 + escape_string = wide_to_escape_string(wide_string[i]);
146 + buffer_len = strlen( buffer);
147 + escape_string_len = strlen( escape_string);
149 + /* Append escape string, as space allows. */
150 + /* 2022-07-18 SMS, et al. CVE-2022-0529 */
151 + if (escape_string_len > buffer_size- buffer_len- 1)
153 + escape_string_len = buffer_size- buffer_len- 1;
157 + Info(slide, 0x401, ((char *)slide,
158 + LoadFarString( UFilenameTooLongTrunc)));
161 + strncat( buffer, escape_string, escape_string_len);
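Review bot: Once the escape string is clipped to the remaining space the buffer is completely full, yet the loop keeps running: every later escaped character repeats the UFilenameTooLongTrunc warning with a zero-length append, and if the multibyte branch earlier in the loop (outside the hunk) still appends with an unchecked strcat it can overrun the buffer the clipping just protected. Stopping after a clipped append avoids both, e.g. set `truncated = 1;` inside the clipping block and follow the `strncat` with `if (truncated) break;`, with `int truncated = 0;` declared before the loop. `strlen( escape_string)` also assumes wide_to_escape_string never returns NULL; if it can fail on allocation, that needs a guard. The declaration of buffer_len and the release of escape_string are not among the visible lines, and the enclosing function extends beyond the hunk on both sides.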
165 @@ -2604,9 +2628,18 @@
166 ZCONST char *utf8_string;
169 - zwchar *wide = utf8_to_wide_string(utf8_string);
170 - char *loc = wide_to_local_string(wide, escape_all);
175 + wide = utf8_to_wide_string( utf8_string);
177 + /* 2022-07-25 SMS, et al. CVE-2022-0530 */
180 + loc = wide_to_local_string( wide, escape_all);