[unzip] [CVE-2008-0888] potential code execution

Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() memory block pointed to by uninitialized pointer or memory block, which
was already freed. This can cause unzip to crash (SEGV) during extraction of
malicious zip file, possibly allowing code execution.

Further details from Tavis:

  the inflate_dynamic() routine (~978, inflate.c) uses a macro
  NEEDBITS() that jumps execution to a cleanup routine on error, this
  routine attempts to free() two buffers allocated during the inflate
  process. At certain locations, the NEEDBITS() macro is used while the
  pointers are not pointing to valid buffers, they are either
  uninitialised or pointing inside a block that has already been free()d
  (ie, not pointing at the block, but at a location inside it).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.

Created attachment 293893
Patch against 5.5.2 proposed by Tavis

This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.

Tavis Ormandy writes:

the inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error, this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers, they are either
uninitialised or pointing inside a block that has already been free()d
(ie, not pointing at the block, but at a location inside it).

In both cases, the possibility of controlling either the pointer (eg,
by altering the unitialized data on the stack left over from some
previous subroutine call), or the buffer pointed at by the pointer, is
small but perhaps non-zero.

base-system, please find the patch attached. No upstream bump to be expected, smithj tried contacting them without success.

Created attachment 146443
unzip-5.5.2-CVE-2008-0888.patch

Courtesy of Tavis

(In reply to comment #1)
> smithj tried contacting them without success.

Yeah. Actually, if anyone has a contact for them, please pass this info along!

Public now:

http://taviso.decsystem.org/research.html
https://issues.rpath.com/browse/RPL-2317
http://marc.info/?l=full-disclosure&m=120579856512587&w=4

Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client
application DoS, which is not considered a security issue. I've filed tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.

i'd drop the last two hunks of that patch as one is simply whitespace change and the other is redundant -- huft_free() already performs the if(NULL) test

(In reply to comment #4)
> i'd drop the last two hunks of that patch as one is simply whitespace change
> and the other is redundant -- huft_free() already performs the if(NULL) test

sounds good, taviso complained about losing performance though ;-)

spanky, any updates here?

added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into the issue to verify correctness of the patch

(In reply to comment #7)
> added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
> the issue to verify correctness of the patch

Couldn't reproduce the error with taviso's PoC.

Arches, please test and mark stable:
=app-arch/unzip-5.52-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

amd64 stable

x86 stable

ppc and ppc64 done

alpha/ia64/sparc stable

Stable for HPPA.

Fixed in release snapshot.

GLSA 200804-06.

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0196.html