[Bug 1643750] Re: Buffer Overflow in ZipInfo
Launchpad Bug Tracker
1643750 at bugs.launchpad.net
Wed Dec 16 14:35:14 UTC 2020
This bug was fixed in the package unzip - 6.0-20ubuntu1.1
---------------
unzip (6.0-20ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
    - debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
      printing an oversized compression method number in list.c.
    - CVE-2014-9913
  * SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
    - debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
      oversized compression method number in zipinfo.c.
    - CVE-2016-9844
  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-1000035
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
      in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich <avital.ostromich at canonical.com>  Wed, 25 Nov 2020 20:01:25 -0500
** Changed in: unzip (Ubuntu)
Status: Triaged => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9913
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000035
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13232
https://bugs.launchpad.net/bugs/1643750
Title:
Buffer Overflow in ZipInfo
Status in unzip package in Ubuntu:
Fix Released
Bug description:
Hello,
I am a security consultant and recently discovered this during some
fuzzing exercises.
A buffer overflow occurs in zipinfo (part of the unzip package) when
the compression method in the central directory file header is greater
than 999:
user at lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
user at lab:~$ apt-cache policy unzip
unzip:
Installed: 6.0-20ubuntu1
Candidate: 6.0-20ubuntu1
Version table:
*** 6.0-20ubuntu1 500
500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
Here is an example output:
user at lab:~$ zipinfo PoC.zip
Archive: PoC.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7fedfc07e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f7fee06156c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116570)[0x7f7fee05f570]
/lib/x86_64-linux-gnu/libc.so.6(+0x115ad9)[0x7f7fee05ead9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f7fedfc46b0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xc90)[0x7f7fedf96e00]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f7fee05eb64]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f7fee05eabd]
zipinfo[0x41729b]
zipinfo[0x41144a]
zipinfo[0x411bdf]
zipinfo[0x404191]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7fedf69830]
zipinfo[0x401fa9]
I look forward to hearing from you,
Alexis
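The size arithmetic behind this report, shown from the defender's side as an added example that is neither unzip's code nor part of the bug report: the compression method field in a central directory header is 16 bits wide, so a label buffer sized for three digits ("u999") cannot hold every value, and a bounded formatter that reports truncation instead of trusting the buffer avoids the overflow. The header bytes, the function names and the short labels are this example's own assumptions; method ids 0, 8, 12 and 14 are the stored, deflate, bzip2 and lzma methods from the ZIP specification.

```c
/* Added example (not unzip's code): read the compression method from a
 * central directory file header and label it without overflowing.
 * The field is 16 bits (0..65535), so "u65535" needs 7 bytes with the
 * NUL; a 5-byte buffer sized for "u999" is too small for values > 999. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CDIR_SIG 0x02014b50u   /* central directory file header signature */
#define CDIR_METHOD_OFF 10     /* offset of the 2-byte compression method */

/* Return the compression method, or -1 if the buffer is too short or
 * does not start with the central directory signature. */
int cdir_method(const uint8_t *hdr, size_t len) {
    if (len < CDIR_METHOD_OFF + 2) return -1;
    uint32_t sig = hdr[0] | (uint32_t)hdr[1] << 8 |
                   (uint32_t)hdr[2] << 16 | (uint32_t)hdr[3] << 24;
    if (sig != CDIR_SIG) return -1;
    return hdr[CDIR_METHOD_OFF] | hdr[CDIR_METHOD_OFF + 1] << 8;  /* LE */
}

/* Format a label into out[outsz]: a short name for a few known methods,
 * otherwise "u" plus the number (labels chosen for this example).
 * Returns 1 on success, 0 if the label would not fit; out is always
 * NUL-terminated and snprintf never writes past outsz. */
int format_method(char *out, size_t outsz, unsigned method) {
    const char *name = NULL;
    switch (method) {
        case 0:  name = "stor"; break;   /* stored */
        case 8:  name = "defl"; break;   /* deflate */
        case 12: name = "bzp2"; break;   /* bzip2 */
        case 14: name = "lzma"; break;   /* lzma */
    }
    int n = name ? snprintf(out, outsz, "%s", name)
                 : snprintf(out, outsz, "u%03u", method);
    /* n is the length snprintf wanted; n >= outsz means truncation. */
    return n >= 0 && (size_t)n < outsz;
}

int main(void) {
    /* Constructed 12-byte prefix of a central directory header whose
     * compression method is 1000 (0x03e8, little-endian). */
    uint8_t hdr[12] = {0x50,0x4b,0x01,0x02, 0x14,0x00, 0x0a,0x00,
                       0x00,0x00, 0xe8,0x03};
    char small[5], big[8];     /* room for "u999" vs. room for "u65535" */
    int m = cdir_method(hdr, sizeof hdr);
    printf("method %d: 5-byte buffer %s, 8-byte buffer %s (%s)\n", m,
           format_method(small, sizeof small, (unsigned)m) ? "ok" : "too small",
           format_method(big, sizeof big, (unsigned)m) ? "ok" : "too small", big);
    return 0;
}
```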