[unzip] [CVE-2008-0888] potential code execution
Bug #203461 reported by disabled.user
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unzip (Fedora) | Fix Released | Medium | | |
| unzip (Gentoo Linux) | Fix Released | Medium | | |
| unzip (Mandriva) | Unknown | Unknown | | |
| unzip (Ubuntu) | Fix Released | Undecided | Kees Cook | |
Bug Description
Binary package hint: unzip
References:
DSA 1522-1 (http://
Quoting:
"Tavis Ormandy discovered that unzip, when processing specially crafted
ZIP archives, could pass invalid pointers to the C library's free
routine, potentially leading to arbitrary code execution"
CVE References
- Changed in unzip: status: Unknown → In Progress
- Changed in unzip: status: Unknown → Invalid
- Changed in unzip: status: In Progress → Fix Released
- Changed in unzip: status: Invalid → Unknown
- Changed in unzip: status: Unknown → Fix Released
- Changed in unzip (Gentoo Linux): importance: Unknown → Medium
- Changed in unzip (Fedora): importance: Unknown → Medium
Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() a memory block pointed to by an uninitialized pointer, or a memory block
which was already freed. This can cause unzip to crash (SEGV) during extraction of
a malicious zip file, possibly allowing code execution.
Further details from Tavis:
The inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error; this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers: they are either
uninitialised or pointing inside a block that has already been free()d
(i.e., not pointing at the block, but at a location inside it).
Acknowledgements:
Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
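The pattern described in the comment above (an error macro that jumps to a shared cleanup label which frees buffers that may not be valid yet, or may already have been released) is easy to reproduce in miniature. The following is an added example written for this page, not code from unzip or from the advisory: a hypothetical toy block decoder with a NEEDBITS-style macro, shown in its hardened form. The names `decode_sum`, `tracked_malloc`, `tracked_free` and the sample byte strings are constructed for illustration. The two defensive rules are the ones that make such a cleanup label safe: every pointer the cleanup frees is initialised to NULL before the first possible jump, and every free sets the pointer back to NULL so a later jump cannot free it twice.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed LSB-first bit reader, standing in for inflate's bit buffer. */
struct bitstream {
    const unsigned char *data;
    size_t len, pos;
    unsigned long bitbuf;
    unsigned bitcount;
};

/* Allocation bookkeeping so a caller (or test) can check that every error
 * path leaves no leak and performs no double free. */
static int live_allocs = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

/* Frees *pp and NULLs it, so a second call on the same pointer is a no-op. */
static void tracked_free(void **pp)
{
    if (*pp) {
        free(*pp);
        *pp = NULL;
        live_allocs--;
    }
}

/* NEEDBITS-style macro: make sure n bits are buffered, or jump to the
 * function's cleanup label on truncated input, exactly the control flow
 * the bug report describes. */
#define NEEDBITS(bs, n) do {                                              \
    while ((bs)->bitcount < (n)) {                                        \
        if ((bs)->pos >= (bs)->len) goto cleanup;                         \
        (bs)->bitbuf |= (unsigned long)(bs)->data[(bs)->pos++]            \
                        << (bs)->bitcount;                                \
        (bs)->bitcount += 8;                                              \
    } } while (0)

#define DUMPBITS(bs, n) do { (bs)->bitbuf >>= (n); (bs)->bitcount -= (n); } while (0)

/* Toy "dynamic block": two 5-bit table lengths, two tables of 3-bit entries,
 * then a final end-of-block bit. Returns the sum of all table entries, or -1
 * if the input is truncated at any point. */
int decode_sum(const unsigned char *in, size_t len)
{
    struct bitstream bs = { in, len, 0, 0, 0 };
    unsigned *lit_table = NULL;    /* rule 1: NULL before any NEEDBITS can jump */
    unsigned *dist_table = NULL;
    unsigned nl, nd, i, sum = 0;
    int ret = -1;

    NEEDBITS(&bs, 5); nl = (bs.bitbuf & 31) + 1; DUMPBITS(&bs, 5);
    NEEDBITS(&bs, 5); nd = (bs.bitbuf & 31) + 1; DUMPBITS(&bs, 5);

    lit_table = tracked_malloc(nl * sizeof *lit_table);
    if (!lit_table) goto cleanup;
    for (i = 0; i < nl; i++) { NEEDBITS(&bs, 3); lit_table[i] = bs.bitbuf & 7; DUMPBITS(&bs, 3); }

    dist_table = tracked_malloc(nd * sizeof *dist_table);
    if (!dist_table) goto cleanup;
    for (i = 0; i < nd; i++) { NEEDBITS(&bs, 3); dist_table[i] = bs.bitbuf & 7; DUMPBITS(&bs, 3); }

    for (i = 0; i < nl; i++) sum += lit_table[i];
    for (i = 0; i < nd; i++) sum += dist_table[i];

    /* Tables released before the stream is finished, as in the report. */
    tracked_free((void **)&lit_table);    /* rule 2: pointer is NULL afterwards */
    tracked_free((void **)&dist_table);

    NEEDBITS(&bs, 1);   /* a jump from here used to hit already-freed memory */
    DUMPBITS(&bs, 1);
    ret = (int)sum;

cleanup:
    /* Safe no matter which NEEDBITS jumped here: each pointer is either a
     * live allocation or NULL, never stale and never uninitialised. */
    tracked_free((void **)&lit_table);
    tracked_free((void **)&dist_table);
    return ret;
}

int live_allocations(void) { return live_allocs; }

/* Constructed samples: complete stream, truncation before any allocation,
 * truncation while both tables are live, truncation after both were freed. */
static const unsigned char SAMPLE_COMPLETE[]        = { 0x01, 0xAC, 0x0F };
static const unsigned char SAMPLE_TRUNC_EARLY[]     = { 0x01 };
static const unsigned char SAMPLE_TRUNC_LIVE[]      = { 0x01, 0xAC };
static const unsigned char SAMPLE_TRUNC_AFTER_FREE[] = { 0x00, 0xC8 };

int main(void)
{
    printf("complete: %d\n", decode_sum(SAMPLE_COMPLETE, sizeof SAMPLE_COMPLETE));
    printf("truncated early: %d\n", decode_sum(SAMPLE_TRUNC_EARLY, sizeof SAMPLE_TRUNC_EARLY));
    printf("truncated with tables live: %d\n", decode_sum(SAMPLE_TRUNC_LIVE, sizeof SAMPLE_TRUNC_LIVE));
    printf("truncated after free: %d\n", decode_sum(SAMPLE_TRUNC_AFTER_FREE, sizeof SAMPLE_TRUNC_AFTER_FREE));
    printf("live allocations: %d\n", live_allocations());
    return 0;
}
```

The fourth sample is the interesting one: it supplies exactly enough bits for both tables, so they are allocated, consumed and freed, and then the end-of-block read runs out of input and jumps to `cleanup`. Without the NULL-after-free rule that jump would call `free()` on stale pointers, which is the condition the advisory describes. Running the decoder under a sanitizer (for instance `-fsanitize=address`) with the two rules removed is a quick way to see the class of defect the patch closes.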