[Bug 203461] Re: [unzip] [CVE-2008-0888] potential code execution
Bug Watch Updater
203461 at bugs.launchpad.net
Tue Apr 7 18:13:49 UTC 2020
Launchpad has imported 17 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=213761.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2008-03-18T01:32:50+00:00 rbu wrote:
Tavis Ormandy writes:
The inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error; this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers: they are either
uninitialised or pointing inside a block that has already been free()d
(i.e., not pointing at the block, but at a location inside it).
In both cases, the possibility of controlling either the pointer (e.g.,
by altering the uninitialised data on the stack left over from some
previous subroutine call), or the buffer pointed at by the pointer, is
small but perhaps non-zero.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/3
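The error-path pattern Ormandy describes, reduced to a small model (added example, not unzip's code): a NEEDBITS-style macro jumps to a cleanup label that frees two table pointers, and the fix is to start those pointers as NULL and reset them to NULL once freed, so cleanup can never hand free() stack garbage or a released block. `struct huft`, `huft_build()`, `inflate_dynamic_model()` and the bit-consumption rule are constructed stand-ins; `huft_free()` tolerates NULL just as the thread says the real one does.

```c
#include <stdlib.h>

/* Constructed stand-in for unzip's Huffman table; the real struct huft is larger. */
struct huft { int n; };

int frees_done = 0;   /* counts real deallocations so the error path can be checked */

static struct huft *huft_build(int n)
{
    struct huft *h = malloc(sizeof *h);
    if (h) h->n = n;
    return h;
}

/* Like the real huft_free(), accepts NULL (why the extra if(NULL) hunk was redundant). */
static void huft_free(struct huft *t)
{
    if (t == NULL) return;
    frees_done++;
    free(t);
}

/* NEEDBITS-style macro: truncated input jumps straight to cleanup. Every use is a
 * possible exit, so each pointer cleanup touches must be valid at every use. */
#define NEEDBITS(n) do { if (pos + (n) > len) goto cleanup; pos += (n); } while (0)

/* Returns 0 on success, 1 on truncated input. Hardened form: tl/td start as NULL and
 * are cleared after huft_free(), so cleanup frees only blocks that are still live. */
int inflate_dynamic_model(const unsigned char *buf, size_t len)
{
    struct huft *tl = NULL, *td = NULL;   /* without "= NULL" these are indeterminate stack values */
    size_t pos = 0;
    int ret = 1;

    NEEDBITS(5);                          /* exit here: nothing allocated, nothing to free */
    tl = huft_build(buf[0]);
    if (tl == NULL) goto cleanup;
    NEEDBITS(5);                          /* exit here: tl is live, td is still NULL */
    td = huft_build(buf[1]);
    if (td == NULL) goto cleanup;
    NEEDBITS(5);                          /* exit here: both tables live */
    huft_free(tl); tl = NULL;             /* drop the pointer with the block, else cleanup double-frees */
    huft_free(td); td = NULL;
    ret = 0;
cleanup:
    huft_free(tl);
    huft_free(td);
    return ret;
}
```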
------------------------------------------------------------------------
On 2008-03-18T01:34:02+00:00 rbu wrote:
base-system, please find the patch attached. No upstream bump to be
expected, smithj tried contacting them without success.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/4
------------------------------------------------------------------------
On 2008-03-18T01:34:49+00:00 rbu wrote:
Created attachment 146443
unzip-5.5.2-CVE-2008-0888.patch
Courtesy of Tavis
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/5
------------------------------------------------------------------------
On 2008-03-18T04:44:31+00:00 smithj wrote:
(In reply to comment #1)
> smithj tried contacting them without success.
Yeah. Actually, if anyone has a contact for them, please pass this info
along!
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/6
------------------------------------------------------------------------
On 2008-03-18T11:28:10+00:00 vapier wrote:
i'd drop the last two hunks of that patch as one is simply whitespace
change and the other is redundant -- huft_free() already performs the
if(NULL) test
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/10
------------------------------------------------------------------------
On 2008-03-18T12:16:54+00:00 rbu wrote:
(In reply to comment #4)
> i'd drop the last two hunks of that patch as one is simply whitespace change
> and the other is redundant -- huft_free() already performs the if(NULL) test
sounds good, taviso complained about losing performance though ;-)
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/11
------------------------------------------------------------------------
On 2008-03-27T21:13:08+00:00 rbu wrote:
spanky, any updates here?
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/14
------------------------------------------------------------------------
On 2008-03-29T02:37:54+00:00 vapier wrote:
added unzip-5.5.2-r2 to the tree w/the patch ... not that i really
looked into the issue to verify correctness of the patch
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/15
------------------------------------------------------------------------
On 2008-03-29T10:04:45+00:00 rbu wrote:
(In reply to comment #7)
> added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
> the issue to verify correctness of the patch
Couldn't reproduce the error with taviso's PoC.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/16
------------------------------------------------------------------------
On 2008-03-29T10:05:17+00:00 rbu wrote:
Arches, please test and mark stable:
=app-arch/unzip-5.52-r2
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/17
------------------------------------------------------------------------
On 2008-03-29T10:12:43+00:00 rbu wrote:
amd64 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/18
------------------------------------------------------------------------
On 2008-03-29T11:15:45+00:00 fauli wrote:
x86 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/19
------------------------------------------------------------------------
On 2008-03-29T15:33:03+00:00 ranger wrote:
ppc and ppc64 done
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/20
------------------------------------------------------------------------
On 2008-03-29T16:06:31+00:00 armin76 wrote:
alpha/ia64/sparc stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/21
------------------------------------------------------------------------
On 2008-03-29T16:57:02+00:00 jer wrote:
Stable for HPPA.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/22
------------------------------------------------------------------------
On 2008-03-30T11:41:42+00:00 pva wrote:
Fixed in release snapshot.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/23
------------------------------------------------------------------------
On 2008-04-06T17:20:59+00:00 rbu wrote:
GLSA 200804-06.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/24
--
https://bugs.launchpad.net/bugs/203461
Title:
[unzip] [CVE-2008-0888] potential code execution
Status in unzip package in Ubuntu:
Fix Released
Status in unzip package in Fedora:
Fix Released
Status in unzip package in Gentoo Linux:
Fix Released
Status in unzip package in Mandriva:
Unknown
Bug description:
Binary package hint: unzip
References:
DSA 1522-1 (http://www.debian.org/security/2008/dsa-1522)
Quoting:
"Tavis Ormandy discovered that unzip, when processing specially crafted
ZIP archives, could pass invalid pointers to the C library's free
routine, potentially leading to arbitrary code execution"