[Bug 1643750] Re: Buffer Overflow in ZipInfo
Josef Möllers
1643750 at bugs.launchpad.net
Tue Feb 14 16:24:42 UTC 2017
May I humbly offer the attached patch?
As the methbuf is used for display only, I have made it large enough to hold 'u' + an unsigned short (5 digits) + the trailing NUL character.
** Patch added: "cve-2016-9844.patch"
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750/+attachment/4818916/+files/cve-2016-9844.patch
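An added example, not the attached patch or unzip's own code, showing the sizing arithmetic behind the fix: the compression method is a 16-bit central-directory field, so 'u' + up to 5 decimal digits + NUL needs 7 bytes, and a bounded snprintf reports when a smaller buffer would have been overrun instead of letting FORTIFY abort the process. The 5-byte "old" size and the "u%03u" format are assumptions chosen for comparison.

```c
#include <stdio.h>
#include <string.h>

/* Assumed pre-patch size, for comparison only; the original
   declaration is not quoted in this thread. */
#define METHBUF_OLD 5
/* Size the patch note describes: 'u' + 5 digits + NUL. */
#define METHBUF_NEW 7
/* compression_method is a 16-bit field in the central directory. */
#define METHID_MAX 65535u

/* Shared scratch buffer, sized to the patched value. */
char methbuf_demo[METHBUF_NEW];

/* Bytes "u%03u" needs for methid, including the terminating NUL. */
size_t methbuf_needed(unsigned methid)
{
    return (size_t)snprintf(NULL, 0, "u%03u", methid) + 1;
}

/* Bounded replacement for an unchecked sprintf into a fixed buffer.
   Returns 1 if the text fit, 0 if snprintf had to truncate it. */
int format_method(char *buf, size_t bufsz, unsigned methid)
{
    int n = snprintf(buf, bufsz, "u%03u", methid);
    return n >= 0 && (size_t)n < bufsz;
}

/* Worst-case check a reviewer can run: does a buffer of bufsz bytes
   hold every method id the 16-bit field can carry? */
int methbuf_size_ok(size_t bufsz)
{
    return methbuf_needed(METHID_MAX) <= bufsz;
}

int main(void)
{
    unsigned ids[] = { 8, 999, 1000, METHID_MAX };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        printf("method %5u needs %zu bytes; fits in %d: %s, in %d: %s\n",
               ids[i], methbuf_needed(ids[i]),
               METHBUF_OLD, format_method(methbuf_demo, METHBUF_OLD, ids[i]) ? "yes" : "no",
               METHBUF_NEW, format_method(methbuf_demo, METHBUF_NEW, ids[i]) ? "yes" : "no");
    }
    printf("%d-byte buffer safe for all 16-bit ids: %s\n",
           METHBUF_NEW, methbuf_size_ok(METHBUF_NEW) ? "yes" : "no");
    return 0;
}
```

Method ids up to 999 fit the 5-byte buffer; 1000 is the first value that does not, which matches the threshold in the report.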
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unzip in Ubuntu.
https://bugs.launchpad.net/bugs/1643750
Title:
Buffer Overflow in ZipInfo
Status in unzip package in Ubuntu:
Triaged
Bug description:
Hello,
I am a security consultant and recently discovered this during some
fuzzing exercises.
A buffer overflow occurs in zipinfo (part of the unzip package) when
the compression method in the central directory file header is greater
than 999:
user at lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
user at lab:~$ apt-cache policy unzip
unzip:
Installed: 6.0-20ubuntu1
Candidate: 6.0-20ubuntu1
Version table:
*** 6.0-20ubuntu1 500
500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
Here is an example output:
user at lab:~$ zipinfo PoC.zip
Archive: PoC.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7fedfc07e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f7fee06156c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116570)[0x7f7fee05f570]
/lib/x86_64-linux-gnu/libc.so.6(+0x115ad9)[0x7f7fee05ead9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f7fedfc46b0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xc90)[0x7f7fedf96e00]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f7fee05eb64]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f7fee05eabd]
zipinfo[0x41729b]
zipinfo[0x41144a]
zipinfo[0x411bdf]
zipinfo[0x404191]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7fedf69830]
zipinfo[0x401fa9]
I look forward to hearing from you,
Alexis