oss-sec mailing list archives
Re: CVE Request: Info-Zip zipinfo buffer overflow
From: Tyler Hicks <tyhicks () canonical com>
Date: Mon, 5 Dec 2016 16:18:37 -0600
On 12/05/2016 03:50 PM, Steven M. Schweda wrote:
From: Tyler Hicks <tyhicks () canonical com> Thanks for the (thorough, helpful) report.
I appreciate it but Alexis deserves most of the credit.
Alexis Vanden Eijnde has discovered a zipinfo buffer overflow and reported it here: https://launchpad.net/bugs/1643750 It is very similar to, but different than, this `unzip -l` crasher: http://www.openwall.com/lists/oss-security/2014/11/03/5It is. And the easy fix is also very similar (and should appear in the next UnZip release, version 6.1e beta):
Thanks for the quick fix. Is there a public code repository available so that we can reference a specific commit that fixes this issue?
ALP $ gdiff zipinfo.c;39 zipinfo.c 2568c2568,2579 < sprintf(&methbuf[1], "%03u", G.crec.compression_method); ---/* 2016-12-05 SMS. * https://launchpad.net/bugs/1643750 * Unexpectedly large compression methods overflow * &methbuf[]. Use the old, three-digit decimal format * for values which fit. Otherwise, sacrifice the "u", * and use four-digit hexadecimal. */ if (G.crec.compression_method <= 999) { sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); } else { sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); }Typical output (pre-release UnZip 6.1e beta, with some minor, unrelated report format changes from UnZip 6.0): Old: ALP $ unzip6l -Z PoZ.zip Archive: ALP$DKC0:[UTILITY.SOURCE.ZIP.test_mthd_ovflo]PoZ.zip;1 Zip file size: 154 bytes, number of entries: 1 -rw-rw-r-- 3.0 unx 2 tx u65535 16-Nov-21 19:07 a ^^^^^^ 1 file, 2 bytes uncompressed, 2 bytes compressed: 0.0% New/next: ALP $ unzipx -Z PoZ.zip Archive: ALP$DKC0:[UTILITY.SOURCE.ZIP.test_mthd_ovflo]PoZ.zip;1 Archive size: 154 bytes; Members: 1 -rw-rw-r-- 3.0 unx 2 tx FFFF 16-Nov-21 19:07 a ^^^^ Members: 1; Bytes uncompressed: 2, compressed: 2, 0.0% Directories: 0, Files: 1, Links: 0The zipinfo buffer overflow occurs due to a flaw in zipinfo.c's zi_short() function: [...]Yeah. We should have noticed this whan the "unzip -l" complaint was made.Please assign a CVE. Also, consider assigning a CVE to the related `unzip -l` issue from 2014. Thank you!Is that something I should do? (I normally get reports with CVEs; I have never created one.)
Nope. As you probably noticed, MITRE just assigned a CVE. It likely helped that you confirmed the issue. Thanks again! Tyler
------------------------------------------------------------------------ Steven M. Schweda sms@antinode-info
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE Request: Info-Zip zipinfo buffer overflow Tyler Hicks (Dec 05)
- Re: CVE Request: Info-Zip zipinfo buffer overflow cve-assign (Dec 05)
- <Possible follow-ups>
- CVE Request: Info-Zip zipinfo buffer overflow Steven M. Schweda (Dec 05)
- Re: CVE Request: Info-Zip zipinfo buffer overflow Tyler Hicks (Dec 05)
- Re: CVE Request: Info-Zip zipinfo buffer overflow Steven M. Schweda (Dec 05)