!37 fix date error on 6.0-46

From: @xu_lei_123 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1

CVE-2022-0529.patch

@@ -0,0 +1,104 @@
+From 8b40e8021a98728b5889516af308dd52378c964c Mon Sep 17 00:00:00 2001
+From: Lv Ying <lvying6@huawei.com>
+Date: Wed, 23 Feb 2022 09:32:21 +0800
+Subject: [PATCH 2/2] fix CVE-2022-0529 Heap out-of-bound writes and reads
+ during conversion of wide string to local string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-0529 discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2051402
+CVE can be reproduced:
+$ unset LANG
+$ valgrind ./unzip ./unzip_03/testcase
+valgrind will detect Heap out-of-bound writes and reads just as bugzilla discussed
+
+This is because wide_to_escape_string returns a string that represents a wide char
+not in local char set, is longer than MAX_ESCAPE_BYTES(8). Actually, MAX_ESCAPE_BYTES
+max is 10, for example, 4-byte wide character '#L02020276' is 10 bytes long, not
+including the terminating null character. So strcat(buffer, escape_string) will cause
+Heap out-of-bound writes.
+
+By default, the OS vendor sets the LANG environment variable. valgrind tests this POC
+will get another memory error.
+$ export | grep LANG
+declare -x LANG="en_US.UTF-8"
+$ valgrind ./unzip ./unzip_03/testcase
+
+Archive:  unzip_03/testcase
+warning [unzip_03/testcase]:  303 extra bytes at beginning or within zipfile
+  (attempting to process anyway)
+error [unzip_03/testcase]:  reported length of central directory is
+  -303 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
+  zipfile?).  Compensating...
+==15725== Conditional jump or move depends on uninitialised value(s)
+==15725==    at 0x4903169: __wcsnlen_sse4_1 (strlen.S:186)
+==15725==    by 0x48F3D61: wcsrtombs (wcsrtombs.c:104)
+==15725==    by 0x488B9A0: wcstombs (wcstombs.c:34)
+==15725==    by 0x407279: wcstombs (stdlib.h:154)
+==15725==    by 0x407279: fnfilter.constprop.2 (extract.c:2946)
+==15725==    by 0x4076A5: store_info (extract.c:1155)
+==15725==    by 0x40AFF4: extract_or_test_files (extract.c:782)
+==15725==    by 0x41586C: do_seekable (process.c:994)
+==15725==    by 0x4167EE: process_zipfiles (process.c:401)
+==15725==    by 0x40449B: unzip (unzip.c:1280)
+==15725==    by 0x4874B26: (below main) (libc-start.c:308)
+==15725==
+   skipping: ??????????????????????????????????????????????????????????????????????????ı  need PK compat. v4.6 (can do v4.5)
+==15725==
+==15725== HEAP SUMMARY:
+==15725==     in use at exit: 0 bytes in 0 blocks
+==15725==   total heap usage: 37 allocs, 37 frees, 90,739 bytes allocated
+==15725==
+==15725== All heap blocks were freed -- no leaks are possible
+==15725==
+==15725== For counts of detected and suppressed errors, rerun with: -v
+==15725== Use --track-origins=yes to see where uninitialised values come from
+==15725== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+
+This is because wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1) in fnfilter
+use wrong n parameter which stands for At most n bytes are written to dest.
+When LANG environment variable is set, MB_CUR_MAX = 6, so wcstombs will writes more
+bytes over dest(newraw).
+
+Signed-off-by: Lv Ying <lvying6@huawei.com>
+---
+ extract.c | 4 ++--
+ process.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index f0e8217..3f6e14d 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2856,12 +2856,12 @@ char *fnfilter(raw, space, size)   /* convert name to safely printable form */
+     if (wslen != (size_t)-1)
+     {
+         /* Apparently valid Unicode.  Allocate wide-char storage. */
+-        wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t));
++        wstring = (wchar_t *)calloc((wslen + 1), sizeof(wchar_t));
+         if (wstring == NULL) {
+             strcpy( (char *)space, raw);
+             return (char *)space;
+         }
+-        wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t));
++        wostring = (wchar_t *)calloc(2 * (wslen + 1), sizeof(wchar_t));
+         if (wostring == NULL) {
+             free(wstring);
+             strcpy( (char *)space, raw);
+diff --git a/process.c b/process.c
+index 5cba073..3e7fcb3 100644
+--- a/process.c
++++ b/process.c
+@@ -2395,7 +2395,7 @@ char *local_to_utf8_string(local_string)
+   */
+ 
+  /* set this to the max bytes an escape can be */
+-#define MAX_ESCAPE_BYTES 8
++#define MAX_ESCAPE_BYTES 10
+ 
+ char *wide_to_escape_string(wide_char)
+   zwchar wide_char;
+-- 
+2.27.0
+

CVE-2022-0530.patch

@@ -0,0 +1,61 @@
+From 4d9e8cd35d59f05f75cb2d8f05c6e4c9277dcf9c Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 22 Feb 2022 21:04:25 +0000
+Subject: [PATCH 1/2] Fix CVE-2022-0530
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ fileio.c  | 20 +++++++++++++-------
+ process.c |  2 ++
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index cf995a9..e237272 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2360,16 +2360,22 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+-                  /* make sure filename is short enough */
+-                  if (strlen(fn) >= FILNAMSIZ) {
+-                    fn[FILNAMSIZ - 1] = '\0';
++                  if (!fn) {
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(UFilenameTooLongTrunc)));
++                      LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+                     error = PK_WARN;
++                  } else {
++                    /* make sure filename is short enough */
++                    if (strlen(fn) >= FILNAMSIZ) {
++                      fn[FILNAMSIZ - 1] = '\0';
++                      Info(slide, 0x401, ((char *)slide,
++                        LoadFarString(UFilenameTooLongTrunc)));
++                      error = PK_WARN;
++                    }
++                    /* replace filename with converted UTF-8 */
++                    strcpy(G.filename, fn);
++                    free(fn);
+                   }
+-                  /* replace filename with converted UTF-8 */
+-                  strcpy(G.filename, fn);
+-                  free(fn);
+                 }
+ # endif /* UNICODE_WCHAR */
+                 if (G.unipath_filename != G.filename_full)
+diff --git a/process.c b/process.c
+index 46abce2..5cba073 100644
+--- a/process.c
++++ b/process.c
+@@ -2597,6 +2597,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   int escape_all;
+ {
+   zwchar *wide = utf8_to_wide_string(utf8_string);
++  if (!wide)
++    return NULL;
+   char *loc = wide_to_local_string(wide, escape_all);
+   free(wide);
+   return loc;
+-- 
+2.27.0
+

backport-CVE-2021-4217.patch

@@ -0,0 +1,39 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+
+Reference:https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+Conflict: fileio.c file not change.
+---
+ process.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/process.c b/process.c
+index abe938b..f573ee4 100644
+--- a/process.c
++++ b/process.c
+@@ -2060,10 +2060,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+           G.unipath_checksum = makelong(offset + ef_buf);
+           offset += 4;
+ 
++          if (!G.filename_full) {
++            /* Check if we have a unicode extra section but no filename set */
++            return PK_ERR;
++          }
++
+           /*
+            * Compute 32-bit crc
+            */
+-
+           chksum = crc32(chksum, (uch *)(G.filename_full),
+                          strlen(G.filename_full));
+ 
+-- 
+2.33.0
+

unzip-6.0-crc-builtin.patch

@@ -1,141 +0,0 @@
-From 1ae8eea237f05a590d8da38528dceab8a7b4290b Mon Sep 17 00:00:00 2001
-From: Euler Hanzh <18221254@bjtu.edu.cn>
-Date: Mon, 17 May 2021 19:28:18 +0800
-Subject: [PATCH] This patch is created for performance optimization in crc calculation only suitable for openeuler of aarch64 architecture. 
-                 The speed of unzip software when running can be accelerate by nearly 100% than before.
-
----
- unzip60/crc32.c       |  28 ++++++++++++++++++++++++++++
- unzip60/crc32.h       |   4 ++++
- unzip60/unix/Makefile |  19 ++++++++++++++-----
- 3 files changed, 46 insertions(+), 5 deletions(-)
-
-diff --git a/unzip60/crc32.c b/unzip60/crc32.c
-index 02f504d..fa73a3e 100644
---- a/unzip60/crc32.c
-+++ b/unzip60/crc32.c
-@@ -675,7 +675,32 @@ void free_crc_table()
-
- #endif /* (IZ_CRC_BE_OPTIMIZ || IZ_CRC_LE_OPTIMIZ) */
-
-+#ifdef ARCH_AARCH64
-+u_int32_t crc32(u_int32_t crc,const u_int8_t *p, unsigned int len)
-+{
-+  int64_t length = len;
-+
-+  while ((length -= sizeof(u_int64_t)) >=0) {
-+    __builtin_aarch64_crc32cx(crc, *((u_int64_t *)p));
-+    p += sizeof(u_int64_t);
-+  }
-
-+  if (length & sizeof(u_int32_t)) {
-+    __builtin_aarch64_crc32cw(crc, *((u_int32_t *)p));
-+    p += sizeof(u_int32_t);
-+  }
-+
-+  if (length & sizeof(u_int16_t)) {
-+    __builtin_aarch64_crc32ch(crc, *((u_int16_t *)p));
-+    p += sizeof(u_int16_t);
-+  }
-+
-+  if (length & sizeof(u_int8_t))
-+    __builtin_aarch64_crc32cb(crc, *p);
-+
-+  return crc;
-+}
-+#else
- /* ========================================================================= */
- ulg crc32(crc, buf, len)
-     ulg crc;                    /* crc shift register */
-@@ -726,6 +751,9 @@ ulg crc32(crc, buf, len)
-
-   return REV_BE(c) ^ 0xffffffffL;   /* (instead of ~c for 64-bit machines) */
- }
-+
-+#endif /* !ARCH_AARCH64*/
-+
- #endif /* !ASM_CRC */
- #endif /* !CRC_TABLE_ONLY */
- #endif /* !USE_ZLIB */
-diff --git a/unzip60/crc32.h b/unzip60/crc32.h
-index 83af240..b5e386a 100644
---- a/unzip60/crc32.h
-+++ b/unzip60/crc32.h
-@@ -36,7 +36,11 @@
- #    undef IZ_CRC_BE_OPTIMIZ
- #  endif
- #else /* !(USE_ZLIB || CRC_TABLE_ONLY) */
-+#  ifdef ARCH_AARCH64
-+    u_int32_t crc32(u_int32_t crc,const u_int8_t *p, unsigned int len);
-+#  else
-       ulg      crc32           OF((ulg crc, ZCONST uch *buf, extent len));
-+#  endif 
- #endif /* ?(USE_ZLIB || CRC_TABLE_ONLY) */
-
- #ifndef CRC_32_TAB
-diff --git a/unzip60/unix/Makefile b/unzip60/unix/Makefile
-index ab32270..39b2263 100644
---- a/unzip60/unix/Makefile
-+++ b/unzip60/unix/Makefile
-@@ -40,7 +40,8 @@
-
- # Defaults most systems use (use LOCAL_UNZIP in environment to add flags,
- # such as -DDOSWILD).
--
-+TARGET_ARCH = $(shell uname -m)
-+ARCH = $(shell getconf LONG_BIT)
- # UnZip flags
- CC = cc#       try using "gcc" target rather than changing this (CC and LD
- LD = $(CC)#    must match, else "unresolved symbol:  ___main" is possible)
-@@ -54,6 +55,12 @@ LFLAGS1 =
- LF = -o unzip$E $(LFLAGS1)
- LF2 = -s
-
-+ifeq ($(TARGET_ARCH),aarch64)
-+CFF = -DARCH=$(ARCH) -march=armv8.1-a -D ARCH_AARCH64
-+else
-+CFF =
-+endif
-+
- # UnZipSFX flags
- SL = -o unzipsfx$E $(LFLAGS1)
- SL2 = $(LF2)
-@@ -77,6 +84,8 @@ M = unix
- SHELL = /bin/sh
- MAKEF = -f unix/Makefile
-
-+
-+
- # Version info for unix/unix.c
- HOST_VERSINFO=-DIZ_CC_NAME='\"\$$(CC) \"' -DIZ_OS_NAME='\"`uname -a`\"'
-
-@@ -231,13 +240,13 @@ generic_msg:
- # yes, we should be able to use the $O macro to combine these two, but it
- # fails on some brain-damaged makes (e.g., AIX's)...no big deal
- .c.o:
--       $(CC) -c $(CF) $*.c
-+       $(CC) -c $(CF) $(CFF)  $*.c
-
- .c.obj:
--       $(CC) -c $(CF) $*.c
-+       $(CC) -c $(CF) $(CFF)  $*.c
-
- .c.pic.o:
--       $(CC) -c $(CF) -o $@ $*.c
-+       $(CC) -c $(CF) $(CFF)  -o $@ $*.c
-
- # this doesn't work...directories are always a pain with implicit rules
- #.1.txt:               man/$<
-@@ -329,7 +338,7 @@ unzipsfx$O: unzip.c $(UNZIP_H) crypt.h unzvers.h consts.h
-        $(CC) -c $(CF) -DSFX -o $@ unzip.c
-
- crc32_$O:      crc32.c $(UNZIP_H) zip.h crc32.h
--       $(CC) -c $(CF) -DSFX -o $@ crc32.c
-+       $(CC) -c $(CF) -DSFX $(CFF)  -o $@ crc32.c
-
- crypt_$O:      crypt.c $(UNZIP_H) zip.h crypt.h crc32.h ttyio.h
-        $(CC) -c $(CF) -DSFX -o $@ crypt.c
--- 
-2.23.0
-
-

unzip.spec

@@ -1,6 +1,6 @@
 Name:           unzip
 Version:        6.0
-Release:        46
+Release:        50
 Summary:        A utility for unpacking zip files
 License:        Info-ZIP,Public Domain
 URL:            http://www.info-zip.org/UnZip.html
@@ -34,11 +34,12 @@ Patch6000:      CVE-2018-18384.patch
 Patch6001:      CVE-2019-13232-pre.patch
 Patch6002:      CVE-2019-13232.patch
 Patch6003:      CVE-2019-13232-fur1.patch
+Patch6004:      backport-CVE-2021-4217.patch
 Patch9000:      CVE-2019-13232-fur2.patch
+Patch9001:      CVE-2022-0530.patch
+Patch9002:      CVE-2022-0529.patch
 
-Patch12000:      unzip-6.0-crc-builtin.patch
-
-BuildRequires:  bzip2-devel
+BuildRequires:  bzip2-devel gcc
 
 %description
 UnZip is an extraction utility for archives compressed in .zip format.
@@ -62,6 +63,9 @@ Package help includes man pages for unzip.
 %install
 %make_install -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_mandir}/man1 INSTALL="cp -p"
 
+%check
+make check -f unix/Makefile
+
 %files
 %license LICENSE COPYING.OLD
 %doc README BUGS
@@ -71,7 +75,19 @@ Package help includes man pages for unzip.
 %{_mandir}/man1/*
 
 %changelog
-* Tues May 12 2021 openEuler hanzhelii <18221254@bjtu.edu.cn> - 6.0-46
+* Tue Sep 6 2022 dongyuzhen <dongyuzhen@h-partners.com> - 6.0-50
+- fix CVE-2021-4217
+
+* Tue May 10 2022 shixuantong <shixuantong@h-partners.com> - 6.0-49
+- enable check test suite
+
+* Wed Feb 23 2022 tianwei <tianwei@h-partners.com> - 6.0-48
+- fix CVE-2022-0529 CVE-2022-0530
+
+* Thu Jun 10 2021 shixuantong <shixuantong@huawei.com> - 6.0-47
+- add gcc to BuildRequires and revert unzip-6.0-crc-builtin.patch
+
+* Tue May 12 2021 openEuler hanzhelii <18221254@bjtu.edu.cn> - 6.0-46
 - add unzip-6.0-crc-builtin.patch
 
 * Mon Mar 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.0-45