Bug 259011
| Summary: | unzip omits a check for NULL and can cause pathdup() to seg-fault | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Robert Morris <rtm> | ||||||
| Component: | bin | Assignee: | Yoshihiro Takahashi <nyan> | ||||||
| Status: | Closed FIXED | ||||||||
| Severity: | Affects Some People | CC: | ak, nyan | ||||||
| Priority: | --- | Keywords: | crash, easy, needs-patch, needs-qa | ||||||
| Version: | CURRENT | Flags: | nyan:
maintainer-feedback+
nyan: mfc-stable13+ nyan: mfc-stable12+ koobs: mfc-stable11- |
||||||
| Hardware: | Any | ||||||||
| OS: | Any | ||||||||
| Attachments: |
|
||||||||
Thank you for the report and test case Robert. unzip was synced from NetBSD about 12 days ago, so if this is reproducible in up to date CURRENT, we should probably get this reported, tracked and merged upstream too I think this is regression in the libarchive. The libarchive from 12-STABLE returns: $unzip -n - < unzip1.zip Archive: (null) unzip: Malformed extra data: Consumed 4598 bytes of 4600 bytes The fix for unzip is simple enough though, something like this (lightly tested). Created attachment 228533 [details]
Fix for pathdup()
I'll take. A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=2c614481fd5248c1685e713f67d40cf2d5fba494 commit 2c614481fd5248c1685e713f67d40cf2d5fba494 Author: Yoshihiro Takahashi <nyan@FreeBSD.org> AuthorDate: 2021-10-10 11:49:19 +0000 Commit: Yoshihiro Takahashi <nyan@FreeBSD.org> CommitDate: 2021-10-10 11:49:19 +0000 unzip: Fix segmentation fault if a zip file contains buggy filename. PR: 259011 Reported by: Robert Morris Submitted by: ak MFC after:: 1 week usr.bin/unzip/unzip.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) I've committed the patch with trivial changes to use the same check as bsdtar(1). Thank you. A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=3bfe213143c562154e04d840380651f182df04de commit 3bfe213143c562154e04d840380651f182df04de Author: Yoshihiro Takahashi <nyan@FreeBSD.org> AuthorDate: 2021-10-10 11:49:19 +0000 Commit: Yoshihiro Takahashi <nyan@FreeBSD.org> CommitDate: 2021-10-18 11:16:02 +0000 unzip: Fix segmentation fault if a zip file contains buggy filename. PR: 259011 Reported by: Robert Morris Submitted by: ak (cherry picked from commit 2c614481fd5248c1685e713f67d40cf2d5fba494) usr.bin/unzip/unzip.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=94c3735b74f796a8b271091a8ebc276021345d79 commit 94c3735b74f796a8b271091a8ebc276021345d79 Author: Yoshihiro Takahashi <nyan@FreeBSD.org> AuthorDate: 2021-10-10 11:49:19 +0000 Commit: Yoshihiro Takahashi <nyan@FreeBSD.org> CommitDate: 2021-10-18 11:17:27 +0000 unzip: Fix segmentation fault if a zip file contains buggy filename. PR: 259011 Reported by: Robert Morris Submitted by: ak (cherry picked from commit 2c614481fd5248c1685e713f67d40cf2d5fba494) usr.bin/unzip/unzip.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) Fixed. |
Created attachment 228524 [details] A zip file that causes unzip to seg-fault. extract() in /usr/src/usr.bin/unzip/unzip.c says pathname = pathdup(archive_entry_pathname(e)); but archive_entry_pathname(e) can return NULL for some names, causing pathdup() to seg-fault. I've attached a demo zip file. % unzip -n - < unzip1.zip Archive: (null) Segmentation fault (core dumped) The backtrace: #0 0x00000008004ec25f in strlen () from /lib/libc.so.7 #1 0x0000000000205175 in pathdup (path=0x0) at /usr/src/usr.bin/unzip/unzip.c:209 #2 0x0000000000204c0c in extract (a=0x801018000, e=0x801012500) at /usr/src/usr.bin/unzip/unzip.c:695 #3 0x0000000000204314 in unzip (fn=0x0) at /usr/src/usr.bin/unzip/unzip.c:903 #4 0x000000000020395a in main (argc=3, argv=0x7fffffffe868) at /usr/src/usr.bin/unzip/unzip.c:1069