[Bug 203461] Re: [unzip] [CVE-2008-0888] potential code execution

Bug Watch Updater 203461 at bugs.launchpad.net
Fri Oct 27 14:49:08 UTC 2017


Launchpad has imported 6 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=431438.


------------------------------------------------------------------------
On 2008-02-04T15:16:58+00:00 Tomas wrote:

Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() a memory block pointed to by an uninitialized pointer, or a memory block
which was already freed.  This can cause unzip to crash (SEGV) during extraction
of a malicious zip file, possibly allowing code execution.

Further details from Tavis:

  The inflate_dynamic() routine (~978, inflate.c) uses a macro
  NEEDBITS() that jumps execution to a cleanup routine on error; this
  routine attempts to free() two buffers allocated during the inflate
  process. At certain locations, the NEEDBITS() macro is used while the
  pointers are not pointing to valid buffers: they are either
  uninitialised or pointing inside a block that has already been free()d
  (i.e., not pointing at the block, but at a location inside it).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team
for reporting this issue.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/0

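The error-path shape Tomas quotes above, written the safe way, as an added example that is not unzip's code: a mock inflate routine whose NEEDBITS()-style macro bails out to one cleanup label that frees two tables. Both pointers are NULL before the first NEEDBITS() and are cleared again after free(), so an early exit at any point (STREAM_TRUNCATED, a constructed input, ends right after the first table has been freed) never hands free() an uninitialised or stale pointer; mock_inflate, decoded_lengths and the bit layout are assumptions for illustration.

```c
#include <stdlib.h>
#include <stdint.h>
struct bitsrc { const uint8_t *p; size_t n; uint32_t buf; int bits; };
/* Pull at least 'need' bits into buf, or jump to cleanup when input runs out */
#define NEEDBITS(src, need)                                          \
    do {                                                             \
        while ((src)->bits < (need)) {                               \
            if ((src)->n == 0) goto cleanup;                         \
            (src)->buf |= (uint32_t)*(src)->p++ << (src)->bits;      \
            (src)->n--; (src)->bits += 8;                            \
        }                                                            \
    } while (0)
/* Discard k consumed bits */
#define DUMPBITS(src, k) do { (src)->buf >>= (k); (src)->bits -= (k); } while (0)
/* Hypothetical stand-in for inflate_dynamic(): reads two tables of 3-bit
   code lengths. Returns 0 on success, -1 on truncated input. */
int mock_inflate(const uint8_t *in, size_t n, int *out_lens)
{
    struct bitsrc s = { in, n, 0, 0 };
    unsigned *tl = NULL, *td = NULL;   /* FIX: valid (NULL) before any NEEDBITS */
    int rc = -1, nl, nd, i;
    NEEDBITS(&s, 5); nl = (int)(s.buf & 31) + 1; DUMPBITS(&s, 5);
    NEEDBITS(&s, 5); nd = (int)(s.buf & 31) + 1; DUMPBITS(&s, 5);
    tl = malloc(nl * sizeof *tl);
    if (!tl) goto cleanup;
    for (i = 0; i < nl; i++) { NEEDBITS(&s, 3); tl[i] = s.buf & 7; DUMPBITS(&s, 3); }
    free(tl); tl = NULL;               /* FIX: never keep a pointer into freed memory */
    td = malloc(nd * sizeof *td);
    if (!td) goto cleanup;
    for (i = 0; i < nd; i++) { NEEDBITS(&s, 3); td[i] = s.buf & 7; DUMPBITS(&s, 3); }
    *out_lens = nl + nd;
    rc = 0;
cleanup:
    free(tl);   /* free(NULL) is a no-op, so both calls are safe on every path */
    free(td);
    return rc;
}
/* Number of code lengths decoded, or -1 on error */
int decoded_lengths(const uint8_t *in, size_t n)
{
    int lens = 0;
    return mock_inflate(in, n, &lens) == 0 ? lens : -1;
}
/* Constructed inputs: a complete stream, and one that runs out right after
   the first table has been freed (the stale-pointer path in unzip). */
static const uint8_t STREAM_OK[]        = { 0x00, 0x00 };
static const uint8_t STREAM_TRUNCATED[] = { 0x01, 0x00 };
```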
------------------------------------------------------------------------
On 2008-02-04T15:20:50+00:00 Tomas wrote:

Created attachment 293893
Patch against 5.5.2 proposed by Tavis

Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/1

------------------------------------------------------------------------
On 2008-03-07T13:35:22+00:00 Josh wrote:

This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/2

------------------------------------------------------------------------
On 2008-03-18T07:30:08+00:00 Tomas wrote:

Public now:

http://taviso.decsystem.org/research.html
https://issues.rpath.com/browse/RPL-2317
http://marc.info/?l=full-disclosure&m=120579856512587&w=4

Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/3

------------------------------------------------------------------------
On 2008-03-18T07:55:10+00:00 Tomas wrote:

The issue is also caught on Fedora 7/8 by malloc/free checks, only causing a client
application DoS, which is not considered a security issue.  I've filed a tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/4

------------------------------------------------------------------------
On 2008-07-25T08:27:58+00:00 Red wrote:

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0196.html


Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/8


** Changed in: unzip (Fedora)
   Importance: Unknown => Medium

https://bugs.launchpad.net/bugs/203461

Title:
  [unzip] [CVE-2008-0888] potential code execution

Status in unzip package in Ubuntu:
  Fix Released
Status in unzip package in Fedora:
  Fix Released
Status in unzip package in Gentoo Linux:
  Fix Released
Status in unzip package in Mandriva:
  Unknown

Bug description:
  Binary package hint: unzip

  References:
  DSA 1522-1 (http://www.debian.org/security/2008/dsa-1522)

  Quoting:
  "Tavis Ormandy discovered that unzip, when processing specially crafted
  ZIP archives, could pass invalid pointers to the C library's free
  routine, potentially leading to arbitrary code execution"
