[WIP] unzip: CVE-2019-13232 (release-19.03)

[mmahut]

Motivation for this change

Fixes #64663.
(cherry picked from commit 2868c75)

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

---

[FRidh]

Please perform the cherry pick after the original changeset is accepted. The motivation is that we/I typically pull requests instead of merge them.

[mmahut]

@FRidh, ack I will, thank you.

[risicle]

Again, would this be better aimed at staging-19.03 given the hugeness of the rebuild?

[vcunat]

I wouldn't hurry with backporting this, as I see it causes multiple regressions.

[FRidh]

the cherry-pick -x reference is not correct

[mmahut]

I wouldn't hurry with backporting this, as I see it causes multiple regressions.

I agree, setting up as [WIP] until we fix the regression. At the moment I know of only one, haskell.zip-archiver is using a zip archive in their tests that this patch detects as a zip bomb, reported upstream and being discussed if we disable tests for this package until this is fixed upstream.

[vcunat]

Here's the other I've seen: 0238946#commitcomment-34378254

[mmahut]

Thanks to @vcunat the docbook5 regression has been fixed by upgrading the package from 5.0 to 5.0.1.

The question is, how we want to approach this in release-19.03 and if this CVE severity outweighs updating docbook5 and haskellPackages.zip-archive (regressions found so far) in the stable release branch? My option would be probably not, but it's up to the security team to make this call I think.

[vcunat]

For unzipping sources we could have an unpatched variant that's explicitly chosen in the problematic cases. EDIT: but in general this CVE doesn't seem serious to me.

[mmahut]

For unzipping sources we could have an unpatched variant that's explicitly chosen in the problematic cases. EDIT: but in general this CVE doesn't seem serious to me.

That would work for packages with fetchzip but would not fix haskellPackages.zip-archive which uses unzip for its tests. I have a commit in to disable the tests for that package, but just need someone to review/approve it. mmahut@d6059ae

[mmahut]

After considering the severity of this CVE along with the fixes needed to 19.03 to fix the regressions I think it's not worth backporting this CVE.

[vcunat]

I see many lua's *.rock files fail due to this. In our builds it shows as

Error: Failed unpacking rock file: /build/compat53-0.7-1.src.rock: failed extracting /build/compat53-0.7-1.src.rock

[madler]

@vcnuat Can you provide a link to some of these "rock" files that are failing?

[vcunat]

@madler: I'm sorry; it seems likely that the vast majority of these are our mistake of not reading your commit message properly. This particular one does succeed when using both of the patches.

[madler]

Does "vast majority" mean that there are still some that indicate overlapped entries that you think is incorrect?

[vcunat]

I'm not aware of any at this moment. When I see some, I'll mention you. I expect we will soon try a full rebuild with a complete set of patches.