[Bug 1660744] Re: Buffer overflow in zip
Tyler Hicks
tyhicks at canonical.com
Fri Feb 3 16:24:39 UTC 2017
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Attackers wouldn't typically have the ability to directly influence the
command line arguments and, in this case, it doesn't seem to matter if
they did since the crash happens early on in the argument parsing code.
Please feel free to report any other bugs you may find.
I've confirmed this bug using zip 3.0-11 in Ubuntu 16.10.
** Package changed: ubuntu => zip (Ubuntu)
** Changed in: zip (Ubuntu)
Importance: Undecided => Wishlist
** Changed in: zip (Ubuntu)
Status: New => Confirmed
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to zip in Ubuntu.
https://bugs.launchpad.net/bugs/1660744
Title:
Buffer overflow in zip
Status in zip package in Ubuntu:
Confirmed
Bug description:
Running zip in 16.10 or 16.04 with specific args leads to a buffer
overflow
Run the following
zip --out
Any arguments in between can be added.
*** buffer overflow detected ***: zip terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f1d516b4725]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f1d5175589c]
/lib/x86_64-linux-gnu/libc.so.6(+0x1168a0)[0x7f1d517538a0]
/lib/x86_64-linux-gnu/libc.so.6(+0x115e09)[0x7f1d51752e09]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f1d516b85e0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x139b)[0x7f1d5168b4cb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f1d51752e94]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f1d51752ded]
zip[0x413941]
zip[0x4194f3]
zip[0x40280a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f1d5165d830]
zip[0x408529]
======= Memory map: ========
00400000-0042c000 r-xp 00000000 fd:01 689734 /usr/bin/zip
0062c000-0062d000 r--p 0002c000 fd:01 689734 /usr/bin/zip
0062d000-0062f000 rw-p 0002d000 fd:01 689734 /usr/bin/zip
0062f000-0067e000 rw-p 00000000 00:00 0
00839000-0085a000 rw-p 00000000 00:00 0 [heap]
7f1d51107000-7f1d5111d000 r-xp 00000000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5111d000-7f1d5131c000 ---p 00016000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5131c000-7f1d5131d000 rw-p 00015000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5131d000-7f1d5163d000 r--p 00000000 fd:01 652956 /usr/lib/locale/locale-archive
7f1d5163d000-7f1d517fd000 r-xp 00000000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d517fd000-7f1d519fc000 ---p 001c0000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d519fc000-7f1d51a00000 r--p 001bf000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d51a00000-7f1d51a02000 rw-p 001c3000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d51a02000-7f1d51a06000 rw-p 00000000 00:00 0
7f1d51a06000-7f1d51a15000 r-xp 00000000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51a15000-7f1d51c14000 ---p 0000f000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c14000-7f1d51c15000 r--p 0000e000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c15000-7f1d51c16000 rw-p 0000f000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c16000-7f1d51c3c000 r-xp 00000000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e30000-7f1d51e33000 rw-p 00000000 00:00 0
7f1d51e38000-7f1d51e3b000 rw-p 00000000 00:00 0
7f1d51e3b000-7f1d51e3c000 r--p 00025000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e3c000-7f1d51e3d000 rw-p 00026000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e3d000-7f1d51e3e000 rw-p 00000000 00:00 0
7ffc5acca000-7ffc5aceb000 rw-p 00000000 00:00 0 [stack]
7ffc5adb3000-7ffc5adb5000 r--p 00000000 00:00 0 [vvar]
7ffc5adb5000-7ffc5adb7000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
zip error: Interrupted (aborting)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zip/+bug/1660744/+subscriptions
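The backtrace in the report ends in __sprintf_chk and __fortify_fail, which is glibc's _FORTIFY_SOURCE check aborting a sprintf into a fixed-size buffer rather than letting it overrun; that is why the process terminates with "buffer overflow detected" instead of silently corrupting memory. As an added illustration (not zip's source, which does not appear on this page), the following C sketch shows the defensive handling of the case the reporter triggers, a trailing --out with no value: the option scanner reports the missing argument instead of formatting it, the copy into the destination is bounded, and the diagnostic is built with snprintf whose return value is checked for truncation. The function names, status codes and sample argument vectors are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the option scan (constructed example, not zip's code). */
enum out_status {
    OUT_NOT_GIVEN = 0,   /* no --out option present */
    OUT_OK        = 1,   /* --out followed by a value that fit the buffer */
    OUT_MISSING   = -1,  /* --out was the last argument: no value follows */
    OUT_TOO_LONG  = -2   /* value would not fit the destination buffer */
};

/*
 * Scan argv for "--out VALUE" and copy VALUE into dst (dstsz bytes).
 * A trailing "--out" with no value is reported instead of being used,
 * and the copy is bounded so the destination can never overflow.
 */
int parse_out_option(int argc, char **argv, char *dst, size_t dstsz)
{
    if (dstsz == 0) return OUT_TOO_LONG;
    dst[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--out") != 0) continue;
        if (i + 1 >= argc || argv[i + 1] == NULL) return OUT_MISSING;
        size_t n = strlen(argv[i + 1]);
        if (n >= dstsz) return OUT_TOO_LONG;   /* leave room for the NUL */
        memcpy(dst, argv[i + 1], n + 1);
        return OUT_OK;
    }
    return OUT_NOT_GIVEN;
}

/*
 * Build a diagnostic for the user. snprintf is bounded, and its return
 * value is checked so truncation is detected rather than written past
 * the end of msg. Returns the length stored, or -1 on truncation/failure.
 */
int format_option_error(char *msg, size_t msgsz, const char *opt, int status)
{
    const char *why;
    switch (status) {
    case OUT_MISSING:  why = "option requires an argument"; break;
    case OUT_TOO_LONG: why = "argument too long"; break;
    default:           why = "unexpected option state"; break;
    }
    int n = snprintf(msg, msgsz, "zip error: %s (%s)", why, opt);
    if (n < 0 || (size_t)n >= msgsz) return -1;
    return n;
}

/* Stand-alone driver: try `./a.out --out` and `./a.out --out archive.zip`. */
int main(int argc, char **argv)
{
    char out[64], msg[128];
    int st = parse_out_option(argc, argv, out, sizeof out);
    if (st == OUT_OK || st == OUT_NOT_GIVEN) {
        printf("out=%s\n", out);
        return 0;
    }
    if (format_option_error(msg, sizeof msg, "--out", st) < 0)
        fputs("zip error: message truncated\n", stderr);
    else
        fprintf(stderr, "%s\n", msg);
    return 1;
}
```

The two checks that matter are the `i + 1 >= argc` test before the option value is touched and the `(size_t)n >= msgsz` test on snprintf's return value; together they cover both the missing-argument case from the report and the truncation case that FORTIFY would otherwise have to catch at run time.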