[Bug 1957077] Re: SIGSEGV during processing of unicode string

Mathew Hodson 1957077 at bugs.launchpad.net
Mon Apr 11 23:26:07 UTC 2022


** Changed in: unzip (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1957077

Title:
  SIGSEGV during processing of unicode string

Status in unzip package in Ubuntu:
  Confirmed

Bug description:
  SIGSEGV during processing of Unicode string

  # Description
  During extraction of the attached zip archive via
  ```
  unzip $PWD/1ba59e08e410ce4bd897dd4ef3d0f59ca26b34f76de51d3b4382d72b8ae0d40d_SIGSEGV
  ```
  a null pointer dereference is triggered and causes a SIGSEGV. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors.

  For reproduction of the crash a script called ./reproduce.sh is
  provided alongside the crashing input. If you need further details,
  please do not hesitate to ask.

  # apt-show unzip
  Package: unzip
  Version: 6.0-25ubuntu1
  Priority: optional
  Section: utils
  Origin: Ubuntu
  Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
  Original-Maintainer: Santiago Vila <sanvila at debian.org>
  Bugs: https://bugs.launchpad.net/ubuntu/+filebug
  Installed-Size: 593 kB
  Depends: libbz2-1.0, libc6 (>= 2.14)
  Suggests: zip
  Homepage: http://www.info-zip.org/UnZip.html
  Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
  Download-Size: 169 kB
  APT-Manual-Installed: yes
  APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
  Description: De-archiver for .zip files

  # valgrind output
  ==17079== Conditional jump or move depends on uninitialised value(s)
  ==17079==    at 0x430B0B: getZip64Data (process.c:1942)
  ==17079==    by 0x41E687: do_string (fileio.c:2314)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  Uninitialised value was created by a heap allocation
  ==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x41E603: do_string (fileio.c:2303)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==
  ==17079== Conditional jump or move depends on uninitialised value(s)
  ==17079==    at 0x430B44: getZip64Data (process.c:1950)
  ==17079==    by 0x41E687: do_string (fileio.c:2314)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  Uninitialised value was created by a heap allocation
  ==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x41E603: do_string (fileio.c:2303)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==
  ==17079== Conditional jump or move depends on uninitialised value(s)
  ==17079==    at 0x430ABF: getZip64Data (process.c:1937)
  ==17079==    by 0x41E687: do_string (fileio.c:2314)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  Uninitialised value was created by a heap allocation
  ==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x41E603: do_string (fileio.c:2303)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==
  ==17079== Use of uninitialised value of size 8
  ==17079==    at 0x41BD82: makeword (fileio.c:2440)
  ==17079==    by 0x430AF2: getZip64Data (process.c:1939)
  ==17079==    by 0x41E687: do_string (fileio.c:2314)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  Uninitialised value was created by a heap allocation
  ==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x41E603: do_string (fileio.c:2303)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==
  ==17079== Use of uninitialised value of size 8
  ==17079==    at 0x41BD82: makeword (fileio.c:2440)
  ==17079==    by 0x430AFD: getZip64Data (process.c:1940)
  ==17079==    by 0x41E687: do_string (fileio.c:2314)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  Uninitialised value was created by a heap allocation
  ==17079==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x41E603: do_string (fileio.c:2303)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==
  ==17079== Invalid read of size 1
  ==17079==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x4311C9: getUnicodeData (process.c:2072)
  ==17079==    by 0x41F045: do_string (fileio.c:2330)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
  ==17079==
  ==17079==
  ==17079== Process terminating with default action of signal 11 (SIGSEGV): dumping core
  ==17079==  Access not within mapped region at address 0x0
  ==17079==    at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==17079==    by 0x4311C9: getUnicodeData (process.c:2072)
  ==17079==    by 0x41F045: do_string (fileio.c:2330)
  ==17079==    by 0x40D390: extract_or_test_files (extract.c:658)
  ==17079==    by 0x42F1FB: do_seekable (process.c:994)
  ==17079==    by 0x42B4E5: process_zipfiles (process.c:401)
  ==17079==    by 0x4033E2: unzip (unzip.c:1278)
  ==17079==    by 0x48970B2: (below main) (libc-start.c:308)
  ==17079==  If you believe this happened as a result of a stack
  ==17079==  overflow in your program's main thread (unlikely but
  ==17079==  possible), you can try to increase the size of the
  ==17079==  main thread stack using the --main-stacksize= flag.
  ==17079==  The main thread stack size used in this run was 8388608.
  ==17079==
  ==17079== HEAP SUMMARY:
  ==17079==     in use at exit: 109,457 bytes in 6 blocks
  ==17079==   total heap usage: 28 allocs, 22 frees, 118,125 bytes allocated
  ==17079==
  ==17079== LEAK SUMMARY:
  ==17079==    definitely lost: 0 bytes in 0 blocks
  ==17079==    indirectly lost: 0 bytes in 0 blocks
  ==17079==      possibly lost: 0 bytes in 0 blocks
  ==17079==    still reachable: 109,457 bytes in 6 blocks
  ==17079==         suppressed: 0 bytes in 0 blocks
  ==17079== Rerun with --leak-check=full to see details of leaked memory
  ==17079==
  ==17079== For lists of detected and suppressed errors, rerun with: -s
  ==17079== ERROR SUMMARY: 39614 errors from 6 contexts (suppressed: 0 from 0)
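The valgrind trace above shows uninitialised reads in getZip64Data on a heap buffer allocated in do_string, followed by strlen on address 0x0 in getUnicodeData. As an added example, and not code from unzip or from the reporter, the following bounds-checked walker over a ZIP extra-field block locates the Info-ZIP Unicode Path field (tag 0x7075; layout per the ZIP APPNOTE: version byte, CRC32 of the standard name, UTF-8 name) and returns an error on truncated records instead of reading past the buffer or handing the caller a NULL name; the function names and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Scan result: the UTF-8 name is a slice into the caller's buffer (not
 * NUL-terminated) and stays NULL unless a well-formed field was found. */
typedef struct { const uint8_t *name; size_t name_len; uint32_t name_crc; } unicode_path_t;
/* Little-endian readers; callers must have verified the bytes exist. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk an extra-field block, a sequence of {id:u16, size:u16, data[size]}.
 * Returns 1 if a usable Unicode Path field (0x7075, version 1) was found, 0 if
 * none, -1 if a record header or payload runs past the buffer or a 0x7075
 * payload lacks its 5-byte version+CRC32 prefix. Lengths are checked before
 * every read, so truncated input yields an error, not an out-of-bounds read. */
int find_unicode_path(const uint8_t *extra, size_t extra_len, unicode_path_t *out) {
    const uint8_t *p = extra, *end = extra + extra_len;
    out->name = NULL; out->name_len = 0; out->name_crc = 0;
    while (p < end) {
        if (end - p < 4) return -1;                /* record header cut off */
        uint16_t id = rd16(p), size = rd16(p + 2);
        p += 4;
        if ((size_t)(end - p) < size) return -1;   /* payload runs past the buffer */
        if (id == 0x7075) {
            if (size < 5) return -1;               /* version byte + CRC32 missing */
            if (p[0] == 1) {                       /* only version 1 is defined */
                out->name_crc = rd32(p + 1);
                out->name = p + 5; out->name_len = size - 5;
                return 1;
            }
        }
        p += size;                                 /* skip other/unknown fields */
    }
    return 0;
}

/* Constructed samples (not bytes from the reported archive): GOOD holds an
 * extended-timestamp field (0x5455) then a Unicode Path field naming "ü.txt"
 * with CRC 0x12345678; BAD claims 0x20 payload bytes while only 11 follow. */
static const uint8_t GOOD[] = { 0x55,0x54,0x01,0x00,0x03,  0x75,0x70,0x0B,0x00,
    0x01, 0x78,0x56,0x34,0x12, 0xC3,0xBC,'.','t','x','t' };
static const uint8_t BAD[] = { 0x75,0x70,0x20,0x00, 0x01, 0x78,0x56,0x34,0x12, 0xC3,0xBC,'.','t','x','t' };
int scan_good(void) {                               /* expect 1 */
    unicode_path_t u;
    return find_unicode_path(GOOD, sizeof GOOD, &u) == 1 && u.name_len == 6 &&
           u.name_crc == 0x12345678u && memcmp(u.name, "\xC3\xBC.txt", 6) == 0;
}
int scan_bad(void) { unicode_path_t u; return find_unicode_path(BAD, sizeof BAD, &u); } /* -1 */
```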
