Bug 29893

Summary: unzip new security issues CVE-2021-4217, CVE-2022-0529, CVE-2022-0530
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, misalumix9x, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: unzip-6.0-2.mga8.src.rpm CVE: CVE-2021-4217, CVE-2022-0529, CVE-2022-0530
Status comment:

Description David Walser 2022-01-15 01:04:03 CET 
A null-pointer dereference issue was reported for unzip:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077

No fix is available yet.  It will likely receive a CVE.

Mageia 8 is also affected.
Comment 1 Lewis Smith 2022-01-15 21:01:40 CET 
Assigning to neoclust as you have done the most recent updates to this pkg.

Not sure how we handle "No fix is available yet". I have flagged this UPSTREAM pending that; imagine DavidW will bring the bug to life (& NicolasL's attention) when the CVE surfaces.

Keywords: (none) => UPSTREAM
Assignee: bugsquad => mageia

Comment 2 David Walser 2022-02-11 15:44:48 CET 
Also:
https://bugzilla.redhat.com/show_bug.cgi?id=2051395
https://bugzilla.redhat.com/show_bug.cgi?id=2051402

Summary: unzip new security issue lp#1957077 => unzip new security issues lp#1957077, rhbz#2051395, rhbz#2051402
Status comment: (none) => No fixes available as of February 2022

Comment 3 David Walser 2022-08-09 16:54:07 CEST 
(In reply to David Walser from comment #0)
> A null-pointer dereference issue was reported for unzip:
> https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
> 
> No fix is available yet.  It will likely receive a CVE.
> 
> Mageia 8 is also affected.

This is CVE-2021-4217:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/comments/9
https://bugzilla.redhat.com/show_bug.cgi?id=2044583

and a suggested patch is attached here:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077/comments/7

(In reply to David Walser from comment #2)
> Also:
> https://bugzilla.redhat.com/show_bug.cgi?id=2051395
> https://bugzilla.redhat.com/show_bug.cgi?id=2051402

These are CVE-2022-0529, CVE-2022-0530:
https://www.debian.org/security/2022/dsa-5202

So there are patches for those now too.

Whiteboard: (none) => MGA8TOO
Summary: unzip new security issues lp#1957077, rhbz#2051395, rhbz#2051402 => unzip new security issues CVE-2021-4217, CVE-2022-0529, CVE-2022-0530
Status comment: No fixes available as of February 2022 => Patches available from Debian and Ubuntu

Comment 4 David Walser 2022-09-23 18:08:07 CEST 
Debian-LTS has issued an advisory for CVE-2022-0529, CVE-2022-0530 on September 22:
https://www.debian.org/lts/security/2022/dla-3118
Comment 5 David Walser 2022-09-27 00:16:53 CEST 
(In reply to David Walser from comment #4)
> Debian-LTS has issued an advisory for CVE-2022-0529, CVE-2022-0530 on
> September 22:
> https://www.debian.org/lts/security/2022/dla-3118

openSUSE has issued an advisory for this today (September 26):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VFUXYMOCMRAV3GMQQKYX6T4L2I23XSQU/
Comment 6 David Walser 2022-10-13 14:50:06 CEST 
Ubuntu has issued an advisory for this today (October 13):
https://ubuntu.com/security/notices/USN-5673-1
Comment 7 Nicolas Salguero 2022-10-14 09:52:57 CEST 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. (CVE-2021-4217)

Conversion of a wide string to a local string that leads to a heap of out-of-bound write. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. (CVE-2022-0529, CVE-2022-0530)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0530
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
https://bugzilla.redhat.com/show_bug.cgi?id=2044583
https://bugzilla.redhat.com/show_bug.cgi?id=2051395
https://bugzilla.redhat.com/show_bug.cgi?id=2051402
https://www.debian.org/security/2022/dsa-5202
https://www.debian.org/lts/security/2022/dla-3118
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VFUXYMOCMRAV3GMQQKYX6T4L2I23XSQU/
https://ubuntu.com/security/notices/USN-5673-1
========================

Updated package in core/updates_testing:
========================
unzip-6.0-2.1.mga8

from SRPM:
unzip-6.0-2.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Patches available from Debian and Ubuntu => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Keywords: UPSTREAM => (none)
CVE: (none) => CVE-2021-4217, CVE-2022-0529, CVE-2022-0530
Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs

Comment 8 Herman Viaene 2022-10-15 11:22:06 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Tested on an zip file I made some 5 years ago.
$ unzip anglo.zip 
Archive:  anglo.zip
   creating: anglo/
  inflating: anglo/09-Sanctusamp.mp3  
  inflating: anglo/06-Alleluia.mp3   
  inflating: anglo/10-Agnus Deiamp.mp3  
  inflating: anglo/03-Kyrie.mp3      
  inflating: anglo/05- Graduale Haec Dies.mp3  
  inflating: anglo/08-Offertorium Terra tremuitamp.mp3  
  inflating: anglo/01-Quem queritisamp.mp3  
  inflating: anglo/04-Gloria.mp3     
  inflating: anglo/02-Introitus Resurrexiamp.mp3  
  inflating: anglo/11-Communio Pascha nostrumamp.mp3  
  inflating: anglo/07-Sequentia Fulgens.mp3  
Files play OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 9 Thomas Andrews 2022-10-15 16:04:23 CEST 
Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-18 23:43:54 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2022-10-19 01:16:16 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0371.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 11 Missa lin 2023-06-03 04:11:43 CEST Comment hidden (spam)

CC: (none) => misalumix9x