Buffer Overflow in ZipInfo

Bug #1643750 reported by alexis
This bug affects 3 people
Affects: unzip (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

Hello,

I am a security consultant and recently discovered this during some fuzzing exercises.

A buffer overflow occurs in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999:

user@lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

user@lab:~$ apt-cache policy unzip
unzip:
  Installed: 6.0-20ubuntu1
  Candidate: 6.0-20ubuntu1
  Version table:
 *** 6.0-20ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

Here is an example output:

user@lab:~$ zipinfo PoC.zip
Archive: PoC.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7fedfc07e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f7fee06156c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116570)[0x7f7fee05f570]
/lib/x86_64-linux-gnu/libc.so.6(+0x115ad9)[0x7f7fee05ead9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f7fedfc46b0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xc90)[0x7f7fedf96e00]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f7fee05eb64]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f7fee05eabd]
zipinfo[0x41729b]
zipinfo[0x41144a]
zipinfo[0x411bdf]
zipinfo[0x404191]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7fedf69830]
zipinfo[0x401fa9]
======= Memory map: ========
00400000-00427000 r-xp 00000000 08:01 9176785 /usr/bin/zipinfo
00626000-00627000 r--p 00026000 08:01 9176785 /usr/bin/zipinfo
00627000-00628000 rw-p 00027000 08:01 9176785 /usr/bin/zipinfo
00628000-0071a000 rw-p 00000000 00:00 0
0207b000-0209c000 rw-p 00000000 00:00 0 [heap]
7f7feda5b000-7f7feda71000 r-xp 00000000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7feda71000-7f7fedc70000 ---p 00016000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fedc70000-7f7fedc71000 rw-p 00015000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fedc71000-7f7fedf49000 r--p 00000000 08:01 9176532 /usr/lib/locale/locale-archive
7f7fedf49000-7f7fee108000 r-xp 00000000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee108000-7f7fee308000 ---p 001bf000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee308000-7f7fee30c000 r--p 001bf000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee30c000-7f7fee30e000 rw-p 001c3000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee30e000-7f7fee312000 rw-p 00000000 00:00 0
7f7fee312000-7f7fee321000 r-xp 00000000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee321000-7f7fee520000 ---p 0000f000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee520000-7f7fee521000 r--p 0000e000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee521000-7f7fee522000 rw-p 0000f000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee522000-7f7fee548000 r-xp 00000000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee729000-7f7fee72c000 rw-p 00000000 00:00 0
7f7fee744000-7f7fee747000 rw-p 00000000 00:00 0
7f7fee747000-7f7fee748000 r--p 00025000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee748000-7f7fee749000 rw-p 00026000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee749000-7f7fee74a000 rw-p 00000000 00:00 0
7fffad5d3000-7fffad5f4000 rw-p 00000000 00:00 0 [stack]
7fffad5f8000-7fffad5fa000 r--p 00000000 00:00 0 [vvar]
7fffad5fa000-7fffad5fc000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

I look forward to hearing from you,

Alexis

Tags: patch
Tyler Hicks (tyhicks) wrote :

Hi Alexis - Thanks for the bug report.

I can verify the issue that you have reported. After some research, I've determined it is very similar to but different than an older unzip -l crasher reported on oss-security:

  http://www.openwall.com/lists/oss-security/2014/11/03/5

Your PoC also happens to trigger that issue in unzip -l but they crash in different areas of the unzip codebase.

Since there are a number of similar unzip issues that never received CVEs or fixes from around 11-2014, I plan to make this issue public and forward the report to the oss-security list early Monday (I'd prefer to avoid reporting an issue at the end of the day on a Friday).

I'd like to credit you for the issue. Would you mind sharing your first and last name so that I can include it in my email report? Thanks again!

Changed in unzip (Ubuntu):
status: New → Triaged
alexis (vandeneijnde) wrote :

Hi Tyler,

Thanks for the quick response and research. My first and last name is Alexis Vanden Eijnde.

I look forward to any updates and/or CVEs ;-)

Best Regards,

Alexis

Tyler Hicks (tyhicks)
Changed in unzip (Ubuntu):
importance: Undecided → Low
information type: Private Security → Public Security
Josef Möllers (jmoellers) wrote :

May I humbly offer the attached patch?
As the methbuf is used for display only, I have made it large enough to hold 'u' + an unsigned short (5 digits) + the trailing NUL character.

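The report above (overflow once the central directory's compression method exceeds 999) and the buffer sizing in Josef's comment ('u' + five digits + NUL) are both shown in the following added C example. It is not code from the unzip project or from anyone in this thread; it assumes the method tag is formatted as "u" followed by a zero-padded three-digit method number (which is what the 999 threshold implies), parses the method from a constructed 46-byte central directory header (not the reporter's PoC.zip), and checks whether the tag would have fit the original 5-byte buffer before formatting it with a bounded write into the larger one.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes (assumption): the original zipinfo methbuf held "u" + 3 digits
   + NUL; the fix proposed in this thread sizes it for "u" + 5 digits + NUL,
   since a 16-bit compression method is at most 65535. */
#define METHBUF_LEGACY 5
#define METHBUF_FIXED  7

/* Offset of the 2-byte compression method field in a central directory file
   header (PK\1\2): signature(4) + version made by(2) + version needed(2)
   + general purpose flags(2). The fixed part of the header is 46 bytes. */
#define CDIR_METHOD_OFFSET 10
#define CDIR_FIXED_LEN     46

/* Constructed sample header whose compression method is 1000 (0x03e8).
   All other fields are zero, which is enough for this parser. */
static const unsigned char sample_cdir[CDIR_FIXED_LEN] = {
    0x50, 0x4b, 0x01, 0x02,  /* signature */
    0x14, 0x00,              /* version made by */
    0x14, 0x00,              /* version needed to extract */
    0x00, 0x00,              /* general purpose bit flags */
    0xe8, 0x03,              /* compression method = 1000, little-endian */
    /* remaining fields left zero */
};

/* Read the little-endian compression method from a central directory header. */
uint16_t cdir_method(const unsigned char *rec)
{
    return (uint16_t)(rec[CDIR_METHOD_OFFSET] |
                      (rec[CDIR_METHOD_OFFSET + 1] << 8));
}

/* Characters (excluding NUL) that the "u%03u" tag needs for this method. */
size_t method_tag_len(unsigned method)
{
    int n = snprintf(NULL, 0, "u%03u", method);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if tag + NUL fits the original 5-byte buffer, 0 if an unbounded sprintf
   would have written past its end (exactly the case method > 999). */
int fits_legacy_methbuf(unsigned method)
{
    return method_tag_len(method) + 1 <= METHBUF_LEGACY;
}

/* Hardened formatter: bounded write into a caller-sized buffer.
   Returns 0 on success, -1 if the buffer was too small (output truncated). */
int format_method_tag(unsigned method, char *buf, size_t bufsz)
{
    int n = snprintf(buf, bufsz, "u%03u", method);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}

int main(void)
{
    char buf[METHBUF_FIXED];
    unsigned method = cdir_method(sample_cdir);

    printf("method %u needs %zu chars; fits legacy methbuf: %s\n",
           method, method_tag_len(method),
           fits_legacy_methbuf(method) ? "yes" : "no");
    if (format_method_tag(method, buf, sizeof buf) == 0)
        printf("tag: %s\n", buf);
    return 0;
}
```

The check in fits_legacy_methbuf is the one the original code lacked: with a 5-byte buffer, method 999 produces "u999" and fits, while method 1000 produces "u1000" and needs six bytes, which is why glibc's __sprintf_chk aborts in the backtrace above. Sizing the buffer for the largest possible 16-bit value and using snprintf removes the dependence on the attacker-controlled field.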
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "cve-2016-9844.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Josef Möllers (jmoellers) wrote :

I just found that a different solution is already present in
http://antinode.info/ftp/info-zip/unzip60/zipinfo.c
Please ignore my drool.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-20ubuntu1.1

---------------
unzip (6.0-20ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
    - debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
      printing an oversized compression method number in list.c.
    - CVE-2014-9913
  * SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
    - debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
      oversized compression method number in zipinfo.c.
    - CVE-2016-9844
  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-1000035
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
      in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich <email address hidden> Wed, 25 Nov 2020 20:01:25 -0500

Changed in unzip (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.