2044583 – (CVE-2021-4217) CVE-2021-4217 unzip: Null pointer dereference in Unicode strings code

Bug 2044583 (CVE-2021-4217) - CVE-2021-4217 unzip: Null pointer dereference in Unicode strings code

Summary: CVE-2021-4217 unzip: Null pointer dereference in Unicode strings code

Keywords:
Status:	NEW
Alias:	CVE-2021-4217
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Red Hat2046949 2046940 Red Hat2046947
Blocks:	Embargoed2044584
TreeView+	depends on / blocked

Reported:	2022-01-24 19:16 UTC by Pedro Sampaio
Modified:	2022-11-29 17:25 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2022-01-24 19:16:08 UTC

A null pointer dereference was found in unzip. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors.

References:

https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077

Comment 3 Sandipan Roy 2022-01-27 09:44:19 UTC

Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 2046940]

Comment 5 Joshua Mulliken 2022-01-31 19:18:06 UTC

The unzip command is not used to provide any of our services. The services that work with zip archives utilize libraries that are specific to their language. AFAIK this tool does not provide a widely used library.

Note You need to log in before you can comment on or make changes to this bug.