[Bug 2060827] Re: zipinfo help exposes memory
Nicolas Devillers
2060827 at bugs.launchpad.net
Wed Apr 10 16:13:20 UTC 2024
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unzip in Ubuntu.
https://bugs.launchpad.net/bugs/2060827
Title:
zipinfo help exposes memory
Status in unzip package in Ubuntu:
New
Bug description:
For some reason, the patch 20-unzip60-alt-iconv-utf8.patch modifies the
ZipInfoUsageLine3 variable, which contains a format string that is used
when invoking zipinfo without arguments (or with -h / --help).
```
+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+ -h print header line -t print totals for listed files or for all\n\
+ -z print zipfile comment %c-T%c print file times in sortable decimal format\
+\n %c-C%c be case-insensitive %s\
+ -x exclude filenames that follow from listing\n\
+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
+ -I CHARSET specify a character encoding for UNIX and other archives\n";
```
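Review bot: the four `%c` conversions added around `-T` and `-C` make ZipInfoUsageLine3 consume four more arguments than the unpatched string (which only has `%s`), yet the hunk shows no matching change at the call site that prints this string; either pass four char arguments wherever ZipInfoUsageLine3 is handed to printf, or drop the `%c` placeholders (a literal percent sign would have to be written as `%%`). As it stands, each unmatched `%c` reads an argument that was never supplied.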
The original value of ZipInfoUsageLine3 was:
```
static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
-h print header line -t print totals for listed files or for all\n\
-z print zipfile comment -T print file times in sortable decimal format\
\n -C be case-insensitive %s\
-x exclude filenames that follow from listing\n";
```
This odd addition of %c in the help message makes the format string
mismatch the number of provided arguments and exposes memory when
calling zipinfo.
```
726d 6174 0a20 ff2d 4300 2062 6520 6361 rmat. .-C. be ca
7365 2d69 6e73 656e 7369 7469 7665 2020 se-insensitive
2034 6cfe ffcc 69fe ffcc 69fe ffcc 69fe 4l...i...i...i.
ff1c 6cfe fffc 6afe ffcc 69fe ffcc 69fe ..l...j...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffdc 6afe ffcc 69fe ..i...i...j...i.
ffcc 69fe ffcc 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ff7c 6bfe ffcc 69fe ffcc 69fe ffcc 69fe .|k...i...i...i.
ff5c 6bfe ffcc 69fe ff3c 6cfe ffcc 69fe .\k...i..<l...i.
ffcc 69fe ffcc 69fe ffcc 69fe ff8c 6afe ..i...i...i...j.
ff1c 6bfe ffcc 69fe ff6c 6afe ffcc 69fe ..k...i..lj...i.
ffcc 69fe ffd2 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe ffcc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe fffc 69fe ..i...i...i...i.
ffcc 69fe ffcc 69fe ffcc 69fe fffc 6bfe ..i...i...i...k.
ff44 6bfe ffcc 69fe ffcc 69fe ffcc 69fe .Dk...i...i...i.
ffcc 69fe ffcc 69fe ffdc 6bfe ffac 6afe ..i...i...k...j.
ffcc 69fe ff4c 6afe ffcc 69fe ffcc 69fe ..i..Lj...i...i.
ffcc 69fe ff2c 6afe ff06 8dfe ff23 85fe ..i..,j......#..
```
Although as it stands the impact seems extremely low, it is not
completely unimaginable that there is a context where this bug could
be used, or could have been used, in association with another bug.
Surprisingly, this blatant bug is present in the patch which was
applied in particular to Ubuntu, Red Hat and Arch.
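The defect is a format string whose conversion count no longer matches what the call site passes. The following is an added example (not unzip's own code, and not part of the bug report): a small hypothetical checker that counts the arguments a printf-style format consumes, applied to the two ZipInfoUsageLine3 strings quoted above (reproduced as plain `static const char` arrays, without unzip's `ZCONST`/`Far` macros). It shows that the unpatched string needs one argument while the patched one needs five.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not unzip code): number of arguments a printf-style
 * format consumes. Used here to check a help string against what the
 * printf call site actually passes. */
size_t count_printf_args(const char *fmt)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%' || *++p == '%')       /* plain text, or "%%" */
            continue;
        while (*p && strchr("-+ #0", *p))   /* flags */
            p++;
        for (int dot = 0; *p; p++) {        /* width, optional precision */
            if (*p == '*') n++;             /* '*' consumes an int argument */
            else if (*p == '.' && !dot) dot = 1;
            else if (*p < '0' || *p > '9') break;
        }
        while (*p && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (*p == '\0')                     /* truncated conversion */
            break;
        n++;                                /* the conversion itself */
    }
    return n;
}

/* Unpatched ZipInfoUsageLine3 as quoted in the bug report: one %s. */
static const char usage_line3_orig[] = "miscellaneous options:\n"
    "  -h  print header line     -t  print totals for listed files or for all\n"
    "  -z  print zipfile comment -T  print file times in sortable decimal format\n"
    "  -C  be case-insensitive   %s"
    "  -x  exclude filenames that follow from listing\n";

/* ZipInfoUsageLine3 after 20-unzip60-alt-iconv-utf8.patch: four %c plus %s. */
static const char usage_line3_patched[] = "miscellaneous options:\n"
    "  -h  print header line     -t  print totals for listed files or for all\n"
    "  -z  print zipfile comment %c-T%c  print file times in sortable decimal format\n"
    "  %c-C%c  be case-insensitive   %s"
    "  -x  exclude filenames that follow from listing\n"
    "  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n"
    "  -I CHARSET  specify a character encoding for UNIX and other archives\n";

/* Nonzero when the format needs a different number of arguments than the
 * caller supplies; each unmatched conversion reads a value never passed. */
int usage_format_mismatched(const char *fmt, size_t args_supplied)
{
    return count_printf_args(fmt) != args_supplied;
}
```

Running this check against every help string in a build (or feeding the strings to `-Wformat` via literal formats) would have flagged the patched string before it shipped.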