[Bug 1824530] Re: Heap Buffer Overflow in UzpPassword

Dominik Viererbe 1824530@bugs.launchpad.net
Thu Jun 1 13:20:34 UTC 2023


The patch for this bug is present in the unzip package for focal, jammy, kinetic, lunar, mantic.
The patch for this bug is NOT present in the unzip package for trusty, xenial, bionic.

bionic reaches end of standard support this month, so we should set this
to won't fix.

BUT

bionic is in extended security maintenance until April 2028 
xenial is in extended security maintenance until April 2026
trusty is in extended security maintenance until April 2024

Because this is related to a CVE, this should be covered by ESM.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unzip in Ubuntu.
https://bugs.launchpad.net/bugs/1824530

Title:
  Heap Buffer Overflow in UzpPassword

Status in unzip package in Ubuntu:
  Confirmed

Bug description:
  Distributor ID:	Ubuntu
  Description:	Ubuntu 18.04.2 LTS
  Release:	18.04
  Codename:	bionic

  unzip:
    Installed: 6.0-21ubuntu1
    Candidate: 6.0-21ubuntu1

  The current version of unzip will crash with a heap overflow. I have
  attached crash.zip to reproduce the issue. Normal unpacking or testing
  the archive with -t argument is enough to trigger the bug. This is the
  only place that I have reported the issue to.

  ASAN:
  ==13994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000490f at pc 0x7f6f788eb8f9 bp 0x7ffd1c67ec30 sp 0x7ffd1c67e3c0
  WRITE of size 8210 at 0x62500000490f thread T0
      #0 0x7f6f788eb8f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
      #1 0x7f6f788ebc86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
      #2 0x55b5a10ccc87 in UzpPassword fileio.c:1594
      #3 0x55b5a1097ddb in decrypt crypt.c:513
      #4 0x55b5a10b6f2e in extract_or_test_entrylist extract.c:1284
      #5 0x55b5a10b6f2e in extract_or_test_files extract.c:586
      #6 0x55b5a1101f24 in do_seekable process.c:987
      #7 0x55b5a1108e56 in process_zipfiles process.c:401
      #8 0x55b5a1093566 in unzip unzip.c:1278
      #9 0x7f6f7826db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      #10 0x55b5a108afb9 in _start (/home/user/unzip-asan/unzip-6.0/unzip+0x17fb9)

  0x62500000490f is located 0 bytes to the right of 8207-byte region [0x625000002900,0x62500000490f)
  allocated by thread T0 here:
      #0 0x7f6f7892bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
      #1 0x55b5a10ccbfc in UzpPassword fileio.c:1593

  SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf
  Shadow bytes around the buggy address:
    0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x0c4a7fff8920: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:           00
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone:       fa
    Freed heap region:       fd
    Stack left redzone:      f1
    Stack mid redzone:       f2
    Stack right redzone:     f3
    Stack after return:      f5
    Stack use after scope:   f8
    Global redzone:          f9
    Global init order:       f6
    Poisoned by user:        f7
    Container overflow:      fc
    Array cookie:            ac
    Intra object redzone:    bb
    ASan internal:           fe
    Left alloca redzone:     ca
    Right alloca redzone:    cb
  ==13994==ABORTING

  GDB:
  *** buffer overflow detected ***: /home/user/unzip-dbg/unzip-6.0/unzip terminated

  Program received signal SIGABRT, Aborted.
  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
  51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  (gdb) bt
  #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
  #1  0x00007ffff7814801 in __GI_abort () at abort.c:79
  #2  0x00007ffff785d897 in __libc_message (action=action@entry=(do_abort | do_backtrace), 
      fmt=fmt@entry=0x7ffff798a988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
  #3  0x00007ffff7908cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, 
      msg=msg@entry=0x7ffff798a905 "buffer overflow detected") at fortify_fail.c:33
  #4  0x00007ffff7908d21 in __GI___fortify_fail (msg=msg@entry=0x7ffff798a905 "buffer overflow detected")
      at fortify_fail.c:44
  #5  0x00007ffff7906a10 in __GI___chk_fail () at chk_fail.c:28
  #6  0x00007ffff7905f29 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
  #7  0x00007ffff7862494 in __GI__IO_default_xsputn (f=0x7fffffffd8b0, data=<optimized out>, n=11)
      at genops.c:417
  #8  0x00007ffff782f9aa in _IO_vfprintf_internal (s=s@entry=0x7fffffffd8b0, 
      format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ", ap=ap@entry=0x7fffffffd9f0)
      at vfprintf.c:1674
  #9  0x00007ffff7905fcb in ___vsprintf_chk (
      s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=1, slen=8207, format=0x555555578b90 <PasswPrompt> "[%s] %s password: ", 
      args=args@entry=0x7fffffffd9f0) at vsprintf_chk.c:82
  #10 0x00007ffff7905efa in ___sprintf_chk (
      s=s@entry=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=flags@entry=1, slen=slen@entry=8207, 
      format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ") at sprintf_chk.c:31
  #11 0x0000555555562c95 in sprintf (__fmt=<synthetic pointer>, 
      __s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"...) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
  #12 UzpPassword (pG=<optimized out>, rcnt=<optimized out>, pwbuf=0x555555890280 '\a' <repeats 88 times>, "! ", 
      size=81, zfn=0x5555558715c0 <G+988384> "crash.zip", 
      efn=0x555555870420 <G+983872> "dri", '\a' <repeats 197 times>...) at fileio.c:1594
  #13 0x000055555555adf3 in decrypt (passwrd=<optimized out>) at crypt.c:513
  #14 0x000055555555de54 in extract_or_test_entrylist (numchunk=numchunk@entry=1, 
      pfilnum=pfilnum@entry=0x7fffffffdc58, pnum_bad_pwd=pnum_bad_pwd@entry=0x7fffffffdc60, 
      pold_extra_bytes=pold_extra_bytes@entry=0x7fffffffdc68, pnum_dirs=pnum_dirs@entry=0x7fffffffdc54, 
      pdirlist=pdirlist@entry=0x7fffffffdc70, error_in_archive=51) at extract.c:1284
  #15 0x0000555555560488 in extract_or_test_files () at extract.c:586
  #16 0x00005555555682b2 in do_seekable (lastchance=lastchance@entry=0) at process.c:987
  #17 0x00005555555691f7 in process_zipfiles () at process.c:401
  #18 0x000055555555a58e in unzip (argc=<optimized out>, argv=<optimized out>) at unzip.c:1278
  #19 0x00007ffff77f5b97 in __libc_start_main (main=0x555555558190 <main>, argc=3, argv=0x7fffffffdf28, 
      init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf18)
      at ../csu/libc-start.c:310
  #20 0x00005555555581da in _start ()
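Both traces above point at the same pattern: a heap buffer of fixed size (slen=8207) receives an unbounded sprintf of the PasswPrompt format "[%s] %s password: " with the archive name and an entry name that comes straight from the archive, so a long enough entry name writes past the end (8210 bytes into 8207). The C program below is an added example, not unzip's source and not the Ubuntu patch; it reconstructs the arithmetic from the numbers in the report (the 8207-byte buffer, the format string, "crash.zip") using a constructed 8186-byte entry name, measures the overrun instead of performing it, and shows two hardened forms: sizing the allocation from the inputs, or bounding the write with snprintf and reporting truncation. The function names and the 8186-byte name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format string visible in the backtrace (PasswPrompt). */
#define PASSW_PROMPT "[%s] %s password: "
/* Heap allocation size reported by ASan and by fortify (slen=8207). */
#define PROMPT_BUFSIZE 8207

/* Bytes the prompt needs, NUL included. snprintf(NULL, 0, ...) measures
 * without writing; this measurement is what the crashing code never made. */
size_t prompt_needed(const char *zfn, const char *efn) {
    int n = snprintf(NULL, 0, PASSW_PROMPT, zfn, efn);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Model of the vulnerable pattern (hypothetical reconstruction, not unzip's
 * code): a constant-size buffer plus an unbounded sprintf of two names taken
 * from the archive. The original shape would be
 *     buf = malloc(PROMPT_BUFSIZE); sprintf(buf, PASSW_PROMPT, zfn, efn);
 * Here the overrun is computed rather than performed so the demo is safe.
 * Returns bytes written past the buffer, 0 if the prompt fits. */
long prompt_overrun_fixed(const char *zfn, const char *efn) {
    size_t need = prompt_needed(zfn, efn);
    return need > PROMPT_BUFSIZE ? (long)(need - PROMPT_BUFSIZE) : 0;
}

/* Hardened form 1: derive the allocation size from the inputs. Caller frees. */
char *build_prompt(const char *zfn, const char *efn) {
    size_t need = prompt_needed(zfn, efn);
    if (need == 0) return NULL;
    char *buf = malloc(need);
    if (buf == NULL) return NULL;
    snprintf(buf, need, PASSW_PROMPT, zfn, efn); /* bounded by construction */
    return buf;
}

/* Hardened form 2: keep a caller-supplied buffer but bound the write.
 * Returns 1 if the prompt was truncated, 0 if it fit. */
int build_prompt_bounded(char *dst, size_t cap, const char *zfn, const char *efn) {
    int n = snprintf(dst, cap, PASSW_PROMPT, zfn, efn);
    return n < 0 || (size_t)n >= cap;
}

/* Constructed input: an entry name made of n copies of c. Caller frees. */
char *repeat_char(char c, size_t n) {
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

/* The report's arithmetic: "crash.zip" (9) + 14 literal bytes of the format
 * + an 8186-byte entry name = 8209 characters, 8210 bytes with the NUL,
 * against an 8207-byte buffer. Returns the overrun (3) or -1 on failure. */
long report_case_overrun(void) {
    char *efn = repeat_char('A', 8186);
    if (efn == NULL) return -1;
    long over = prompt_overrun_fixed("crash.zip", efn);
    free(efn);
    return over;
}

/* Same input through the sized allocation: returns the prompt length it
 * holds without overrun (8209), or -1 on failure. */
long report_case_hardened(void) {
    char *efn = repeat_char('A', 8186);
    if (efn == NULL) return -1;
    char *p = build_prompt("crash.zip", efn);
    long len = p ? (long)strlen(p) : -1;
    free(p);
    free(efn);
    return len;
}

/* Bounded builder against a cap-byte buffer (cap <= 64); returns the
 * truncation flag. "[crash.zip] dri password: " is 26 characters. */
int bounded_demo(size_t cap) {
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    return build_prompt_bounded(buf, cap, "crash.zip", "dri");
}

int main(void) {
    printf("fixed 8207-byte buffer, overrun: %ld bytes\n", report_case_overrun());
    printf("sized allocation, prompt length: %ld\n", report_case_hardened());
    printf("bounded into 16 bytes, truncated: %d\n", bounded_demo(16));
    printf("bounded into 32 bytes, truncated: %d\n", bounded_demo(32));
    return 0;
}
```

The non-ASan trace shows why the fortified build aborts instead of silently corrupting the heap: with _FORTIFY_SOURCE the compiler knows the allocation size (slen=8207) and routes sprintf through ___sprintf_chk, which checks the write against it. That is a detection, not a fix; either hardened form above removes the overrun itself.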
