[AUTO-CHERRYPICK] Fix CVE-2022-0529 and CVE-2022-0530 for unzip: 2.0 - branch main (#11212)

Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/unzip/CVE-2022-0529.patch

@@ -0,0 +1,183 @@
+From 246a2f17066dff57d4a5253de258374a7e99154a Mon Sep 17 00:00:00 2001
+From: kavyasree <kkaitepalli@microsoft.com>
+Date: Mon, 25 Nov 2024 10:50:21 +0530
+Subject: [PATCH] Fix CVE-2022-0529 and CVE-2022-0530
+Reference: https://git.launchpad.net/ubuntu/+source/unzip/commit/?h=applied/ubuntu/devel&id=d5d5037f4ca1b40578015085b77ae322d1406f56
+---
+ fileio.c  | 34 +++++++++++++++++++++++++---------
+ process.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 68 insertions(+), 21 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index eb2a115..285f7fe 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -171,8 +171,10 @@ static ZCONST char Far ReadError[] = "error:  zipfile read error\n";
+ static ZCONST char Far FilenameTooLongTrunc[] =
+   "warning:  filename too long--truncating.\n";
+ #ifdef UNICODE_SUPPORT
++   static ZCONST char Far UFilenameCorrupt[] =
++     "error: Unicode filename corrupt.\n";
+    static ZCONST char Far UFilenameTooLongTrunc[] =
+-     "warning:  Converted unicode filename too long--truncating.\n";
++     "warning:  Converted Unicode filename too long--truncating.\n";
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
+@@ -2355,16 +2357,30 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+-                  /* make sure filename is short enough */
+-                  if (strlen(fn) >= FILNAMSIZ) {
+-                    fn[FILNAMSIZ - 1] = '\0';
++
++                  /* 2022-07-22 SMS, et al.  CVE-2022-0530
++                   * Detect conversion failure, emit message.
++                   * Continue with unconverted name.
++                   */
++                  if (fn == NULL)
++                  {
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(UFilenameTooLongTrunc)));
+-                    error = PK_WARN;
++                     LoadFarString(UFilenameCorrupt)));
++                    error = PK_ERR;
++                  }
++                  else
++                  {
++                    /* make sure filename is short enough */
++                    if (strlen(fn) >= FILNAMSIZ) {
++                      fn[FILNAMSIZ - 1] = '\0';
++                      Info(slide, 0x401, ((char *)slide,
++                        LoadFarString(UFilenameTooLongTrunc)));
++                      error = PK_WARN;
++                    }
++                    /* replace filename with converted UTF-8 */
++                    strcpy(G.filename, fn);
++                    free(fn);
+                   }
+-                  /* replace filename with converted UTF-8 */
+-                  strcpy(G.filename, fn);
+-                  free(fn);
+                 }
+ # endif /* UNICODE_WCHAR */
+                 if (G.unipath_filename != G.filename_full)
+diff --git a/process.c b/process.c
+index 4e06a35..09d54f7 100644
+--- a/process.c
++++ b/process.c
+@@ -222,6 +222,8 @@ static ZCONST char Far ZipfileCommTrunc1[] =
+      "\nwarning:  Unicode Path version > 1\n";
+    static ZCONST char Far UnicodeMismatchError[] =
+      "\nwarning:  Unicode Path checksum invalid\n";
++   static ZCONST char Far UFilenameTooLongTrunc[] =
++     "warning:  filename too long (P1) -- truncating.\n";
+ #endif
+ 
+ 
+@@ -1902,7 +1904,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
+ 
+-    2014-12-05 SMS.
++    2014-12-05 SMS.  (oCERT.org report.)  CVE-2014-8141.
+     Added checks to ensure that enough data are available before calling
+     makeint64() or makelong().  Replaced various sizeof() values with
+     simple ("4" or "8") constants.  (The Zip64 structures do not depend
+@@ -1937,8 +1939,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ 
+         if (eb_id == EF_PKSZ64)
+         {
+-          int offset = EB_HEADSIZE;
+-
++	  unsigned offset = EB_HEADSIZE;
+           if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+           {
+             if (offset+ 8 > ef_len)
+@@ -2036,7 +2037,7 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+         }
+         if (eb_id == EF_UNIPATH) {
+ 
+-          int offset = EB_HEADSIZE;
++          unsigned offset = EB_HEADSIZE;
+           ush ULen = eb_len - 5;
+           ulg chksum = CRCVAL_INITIAL;
+ 
+@@ -2492,16 +2493,17 @@ char *wide_to_local_string(wide_string, escape_all)
+   int state_dependent;
+   int wsize = 0;
+   int max_bytes = MB_CUR_MAX;
+-  char buf[9];
++  char buf[ MB_CUR_MAX+ 1];             /* ("+1" not really needed?) */
+   char *buffer = NULL;
+   char *local_string = NULL;
++  size_t buffer_size;                   /* CVE-2022-0529 */
+ 
+   for (wsize = 0; wide_string[wsize]; wsize++) ;
+ 
+   if (max_bytes < MAX_ESCAPE_BYTES)
+     max_bytes = MAX_ESCAPE_BYTES;
+-
+-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
++  buffer_size = wsize * max_bytes + 1;          /* Reused below. */
++  if ((buffer = (char *)malloc( buffer_size)) == NULL) {
+     return NULL;
+   }
+ 
+@@ -2539,8 +2541,28 @@ char *wide_to_local_string(wide_string, escape_all)
+     } else {
+       /* no MB for this wide */
+         /* use escape for wide character */
+-        char *escape_string = wide_to_escape_string(wide_string[i]);
+-        strcat(buffer, escape_string);
++        size_t buffer_len;
++        size_t escape_string_len;
++        char *escape_string;
++        int err_msg = 0;
++
++        escape_string = wide_to_escape_string(wide_string[i]);
++        buffer_len = strlen( buffer);
++        escape_string_len = strlen( escape_string);
++
++        /* Append escape string, as space allows. */
++        /* 2022-07-18 SMS, et al.  CVE-2022-0529 */
++        if (escape_string_len > buffer_size- buffer_len- 1)
++        {
++            escape_string_len = buffer_size- buffer_len- 1;
++            if (err_msg == 0)
++            {
++                err_msg = 1;
++                Info(slide, 0x401, ((char *)slide,
++                 LoadFarString( UFilenameTooLongTrunc)));
++            }
++        }
++        strncat( buffer, escape_string, escape_string_len);
+         free(escape_string);
+     }
+   }
+@@ -2592,9 +2614,18 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   ZCONST char *utf8_string;
+   int escape_all;
+ {
+-  zwchar *wide = utf8_to_wide_string(utf8_string);
+-  char *loc = wide_to_local_string(wide, escape_all);
+-  free(wide);
++  zwchar *wide;
++  char *loc = NULL;
++
++  wide = utf8_to_wide_string( utf8_string);
++
++  /* 2022-07-25 SMS, et al.  CVE-2022-0530 */
++  if (wide != NULL)
++  {
++    loc = wide_to_local_string( wide, escape_all);
++    free( wide);
++  }
++
+   return loc;
+ }
+ 
+-- 
+2.34.1
+

SPECS/unzip/unzip.spec

@@ -1,7 +1,7 @@
 Summary:        Unzip-6.0
 Name:           unzip
 Version:        6.0
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -23,6 +23,7 @@ Patch11:        unzip-zipbomb-part3.patch
 Patch12:        unzip-zipbomb-manpage.patch
 Patch13:        CVE-2015-7697.patch
 Patch14:        CVE-2018-1000035.patch
+Patch15:	CVE-2022-0529.patch
 
 %description
 The UnZip package contains ZIP extraction utilities. These are useful
@@ -57,6 +58,9 @@ ln -sf unzip %{buildroot}%{_bindir}/zipinfo
 %{_bindir}/*
 
 %changelog
+* Mon Nov 25 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 6.0.21
+- Fix CVE-2022-0529 and CVE-2022-0530
+
 * Thu Oct 06 2022 Olivia Crain <oliviacrain@microsoft.com> - 6.0-20
 - Compile with large file support, zip64 support
 - Remove i*86 configuration- Mariner doesn't build for those architectures

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -236,7 +236,7 @@ ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
 ca-certificates-base-2.0.0-18.cm2.noarch.rpm
 ca-certificates-2.0.0-18.cm2.noarch.rpm
 dwz-0.14-2.cm2.aarch64.rpm
-unzip-6.0-20.cm2.aarch64.rpm
+unzip-6.0-21.cm2.aarch64.rpm
 python3-3.9.19-7.cm2.aarch64.rpm
 python3-devel-3.9.19-7.cm2.aarch64.rpm
 python3-libs-3.9.19-7.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -236,7 +236,7 @@ ca-certificates-tools-2.0.0-18.cm2.noarch.rpm
 ca-certificates-base-2.0.0-18.cm2.noarch.rpm
 ca-certificates-2.0.0-18.cm2.noarch.rpm
 dwz-0.14-2.cm2.x86_64.rpm
-unzip-6.0-20.cm2.x86_64.rpm
+unzip-6.0-21.cm2.x86_64.rpm
 python3-3.9.19-7.cm2.x86_64.rpm
 python3-devel-3.9.19-7.cm2.x86_64.rpm
 python3-libs-3.9.19-7.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -570,8 +570,8 @@ tdnf-plugin-repogpgcheck-3.5.2-4.cm2.aarch64.rpm
 tdnf-python-3.5.2-4.cm2.aarch64.rpm
 texinfo-6.8-1.cm2.aarch64.rpm
 texinfo-debuginfo-6.8-1.cm2.aarch64.rpm
-unzip-6.0-20.cm2.aarch64.rpm
-unzip-debuginfo-6.0-20.cm2.aarch64.rpm
+unzip-6.0-21.cm2.aarch64.rpm
+unzip-debuginfo-6.0-21.cm2.aarch64.rpm
 util-linux-2.37.4-9.cm2.aarch64.rpm
 util-linux-debuginfo-2.37.4-9.cm2.aarch64.rpm
 util-linux-devel-2.37.4-9.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -576,8 +576,8 @@ tdnf-plugin-repogpgcheck-3.5.2-4.cm2.x86_64.rpm
 tdnf-python-3.5.2-4.cm2.x86_64.rpm
 texinfo-6.8-1.cm2.x86_64.rpm
 texinfo-debuginfo-6.8-1.cm2.x86_64.rpm
-unzip-6.0-20.cm2.x86_64.rpm
-unzip-debuginfo-6.0-20.cm2.x86_64.rpm
+unzip-6.0-21.cm2.x86_64.rpm
+unzip-debuginfo-6.0-21.cm2.x86_64.rpm
 util-linux-2.37.4-9.cm2.x86_64.rpm
 util-linux-debuginfo-2.37.4-9.cm2.x86_64.rpm
 util-linux-devel-2.37.4-9.cm2.x86_64.rpm