unzip: Patched for CVE-2021-4217

Change-Id: I8215d54dcfb23e7572b03ca138064ebd4a737fcf Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/21354 Tested-by: gerrit-photon <photon-checkins@vmware.com> Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
2023-07-24 14:20:43 +05:30 · 2023-07-24 14:20:43 +05:30 · 81c623adbb
parent 83e875fbe0
commit 81c623adbb
2 changed files with 57 additions and 1 deletions
--- a/SPECS/unzip/CVE-2021-4217.patch
+++ b/SPECS/unzip/CVE-2021-4217.patch
@ -0,0 +1,53 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+---
+ fileio.c  | 5 ++++-
+ process.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index 6290824..95ea68b 100644
+--- a/fileio.c
+++ b/fileio.c
+@@ -2308,8 +2308,11 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+             seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
+                       (G.inptr-G.inbuf) + length);
+         } else {
+-            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
+            if (bytes_read == 0)
+                 return PK_EOF;
+            if (bytes_read != length)
+                return PK_ERR;
+             /* Looks like here is where extra fields are read */
+             if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+             {
+diff --git a/process.c b/process.c
+index d2a846e..cba2463 100644
+--- a/process.c
+++ b/process.c
+@@ -2064,10 +2064,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+           G.unipath_checksum = makelong(offset + ef_buf);
+           offset += 4;
+ 
+          if (!G.filename_full) {
+            /* Check if we have a unicode extra section but no filename set */
+            return PK_ERR;
+          }
+
+           /*
+            * Compute 32-bit crc
+            */
+-
+           chksum = crc32(chksum, (uch *)(G.filename_full),
+                          strlen(G.filename_full));
+ 
+-- 
+2.25.1
--- a/SPECS/unzip/unzip.spec
+++ b/SPECS/unzip/unzip.spec
@ -1,7 +1,7 @@
 Summary:        Unzip-6.0
 Name:           unzip
 Version:        6.0
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        BSD
 URL:            http://www.gnu.org/software/%{name}
 Group:          System Environment/Utilities
@ -25,6 +25,7 @@ Patch10: CVE-2014-8140.patch
 Patch11: CVE-2018-1000035.patch
 Patch12: unzip-passwd-as-stdin.patch
 Patch13: CVE-2022-0529-2022-0530.patch
+Patch14: CVE-2021-4217.patch

 %description
 The UnZip package contains ZIP extraction utilities. These are useful
@ -54,6 +55,8 @@ make %{?_smp_mflags} check
 %{_bindir}/*

 %changelog
+* Mon Jul 24 2023 Nitesh Kumar <kunitesh@vmware.com> 6.0-16
+- Patched for CVE-2021-4217
 * Fri May 19 2023 Nitesh Kumar <kunitesh@vmware.com> 6.0-15
 - Patched for CVE-2022-0529 and CVE-2022-0530
 * Tue Apr 21 2020 Sujay G <gsujay@vmware.com> 6.0-14