Buffer Overflow in ZipInfo

Bug #1643750 reported by alexis
Affects: unzip (Ubuntu)
Status: Fix Released

Bug Description

I am a security consultant and recently discovered this during some fuzzing exercises.

A buffer overflow occurs in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999.

user@lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

user@lab:~$ apt-cache policy unzip
  Installed: 6.0-20ubuntu1
  Candidate: 6.0-20ubuntu1
  Version table:
 *** 6.0-20ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

Here is an example output:

user@lab:~$ zipinfo PoC.zip
Archive: PoC.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
======= Memory map: ========
00400000-00427000 r-xp 00000000 08:01 9176785 /usr/bin/zipinfo
00626000-00627000 r--p 00026000 08:01 9176785 /usr/bin/zipinfo
00627000-00628000 rw-p 00027000 08:01 9176785 /usr/bin/zipinfo
00628000-0071a000 rw-p 00000000 00:00 0
0207b000-0209c000 rw-p 00000000 00:00 0 [heap]
7f7feda5b000-7f7feda71000 r-xp 00000000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7feda71000-7f7fedc70000 ---p 00016000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fedc70000-7f7fedc71000 rw-p 00015000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fedc71000-7f7fedf49000 r--p 00000000 08:01 9176532 /usr/lib/locale/locale-archive
7f7fedf49000-7f7fee108000 r-xp 00000000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee108000-7f7fee308000 ---p 001bf000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee308000-7f7fee30c000 r--p 001bf000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee30c000-7f7fee30e000 rw-p 001c3000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee30e000-7f7fee312000 rw-p 00000000 00:00 0
7f7fee312000-7f7fee321000 r-xp 00000000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee321000-7f7fee520000 ---p 0000f000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee520000-7f7fee521000 r--p 0000e000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee521000-7f7fee522000 rw-p 0000f000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee522000-7f7fee548000 r-xp 00000000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee729000-7f7fee72c000 rw-p 00000000 00:00 0
7f7fee744000-7f7fee747000 rw-p 00000000 00:00 0
7f7fee747000-7f7fee748000 r--p 00025000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee748000-7f7fee749000 rw-p 00026000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee749000-7f7fee74a000 rw-p 00000000 00:00 0
7fffad5d3000-7fffad5f4000 rw-p 00000000 00:00 0 [stack]
7fffad5f8000-7fffad5fa000 r--p 00000000 00:00 0 [vvar]
7fffad5fa000-7fffad5fc000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

I look forward to hearing from you,


Tags: patch
Tyler Hicks (tyhicks) wrote :

Hi Alexis - Thanks for the bug report.

I can verify the issue that you have reported. After some research, I've determined it is very similar to, but different from, an older unzip -l crasher reported on oss-security:


Your PoC also happens to trigger that issue in unzip -l but they crash in different areas of the unzip codebase.

Since there are a number of similar unzip issues that never received CVEs or fixes from around 11-2014, I plan to make this issue public and forward the report to the oss-security list early Monday (I'd prefer to avoid reporting an issue at the end of the day on a Friday).

I'd like to credit you for the issue. Would you mind sharing your first and last name so that I can include it in my email report? Thanks again!

Changed in unzip (Ubuntu):
status: New → Triaged
alexis (vandeneijnde) wrote :

Hi Tyler,

Thanks for the quick response and research. My first and last name is Alexis Vanden Eijnde.

I look forward to any updates and/or CVEs ;-)

Best Regards,


Tyler Hicks (tyhicks)
Changed in unzip (Ubuntu):
importance: Undecided → Low
information type: Private Security → Public Security
Josef Möllers (jmoellers) wrote :

May I humbly offer the attached patch?
As the methbuf is used for display only, I have made it large enough to hold 'u' + an unsigned short (5 digits) + the trailing NUL character.
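
Worked example added to this report, not code from the unzip project and not the attached patch. It models the display-buffer arithmetic that both the bug description (method greater than 999) and the patch comment above ('u' + five digits + NUL) turn on, and adds a bounds-checked scan of central-directory headers so an archive's compression-method values can be inspected before a fixed zipinfo reads it. The ZIP field layout used (signature 0x02014b50, 2-byte method field at offset 10, little-endian, 46-byte fixed header) is from the ZIP format specification; the "u%03u" label format, the 5- and 7-byte buffer sizes, all function names and the sample header are this example's own assumptions.

```c
/* Added example; not code from the unzip project or from the attached patch.
 * Models the display-buffer sizing behind this report: a label "u<method>"
 * built with "u%03u" (assumed format) needs 5 bytes for methods up to 999,
 * 6 bytes at 1000, and 7 bytes for the full unsigned-short range that a
 * central-directory header can carry, as the patch comment works out.
 * Also scans central-directory headers for the method field so an archive
 * can be checked before a fixed tool reads it. ZIP layout from the format
 * specification; buffer sizes, names and the sample header are assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Bytes the label needs, terminating NUL included. */
size_t method_label_size(unsigned method) {
    char tmp[16];                       /* comfortably holds any unsigned int */
    int n = snprintf(tmp, sizeof tmp, "u%03u", method);
    return (size_t)n + 1;
}

/* Does the label for 'method' fit a display buffer of 'bufsize' bytes?
 * A 5-byte buffer holds "u999" but not "u1000"; 7 bytes hold "u65535". */
int method_label_fits(unsigned method, size_t bufsize) {
    return method_label_size(method) <= bufsize;
}

/* Hardened formatter: bounded write, and truncation is reported (-1) rather
 * than silently producing a wrong label. 'out' is always NUL-terminated. */
int format_method_label(unsigned method, char *out, size_t outsize) {
    if (outsize == 0) return -1;
    int n = snprintf(out, outsize, "u%03u", method);
    return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

/* Central directory file header: fixed 46-byte part, then name/extra/comment. */
#define CDIR_SIG             0x02014b50u
#define CDIR_FIXED_LEN       46
#define CDIR_METHOD_OFF      10
#define CDIR_NAME_LEN_OFF    28
#define CDIR_EXTRA_LEN_OFF   30
#define CDIR_COMMENT_LEN_OFF 32

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Largest compression-method id among the central-directory headers found in
 * buf[0..len), or -1 if none. Every read is bounds-checked, so a truncated or
 * malformed archive cannot drive reads past the buffer. */
long max_cdir_method(const uint8_t *buf, size_t len) {
    long max_method = -1;
    size_t off = 0;
    while (off + CDIR_FIXED_LEN <= len) {
        if (rd32(buf + off) != CDIR_SIG) { off++; continue; }
        uint16_t method = rd16(buf + off + CDIR_METHOD_OFF);
        if ((long)method > max_method) max_method = method;
        size_t var = (size_t)rd16(buf + off + CDIR_NAME_LEN_OFF)
                   + rd16(buf + off + CDIR_EXTRA_LEN_OFF)
                   + rd16(buf + off + CDIR_COMMENT_LEN_OFF);
        off += CDIR_FIXED_LEN + var;
    }
    return max_method;
}

/* Constructed sample (not a real archive): one central-directory header with
 * the given method id and a one-byte file name "a". Returns bytes written. */
size_t build_sample_cdir(uint8_t *out, size_t outsize, uint16_t method) {
    if (outsize < CDIR_FIXED_LEN + 1) return 0;
    memset(out, 0, CDIR_FIXED_LEN + 1);
    out[0] = 0x50; out[1] = 0x4b; out[2] = 0x01; out[3] = 0x02;   /* "PK\1\2" */
    out[CDIR_METHOD_OFF]     = (uint8_t)(method & 0xff);
    out[CDIR_METHOD_OFF + 1] = (uint8_t)(method >> 8);
    out[CDIR_NAME_LEN_OFF]   = 1;
    out[CDIR_FIXED_LEN]      = 'a';
    return CDIR_FIXED_LEN + 1;
}

/* Build a sample carrying 'method' and scan it back. */
long sample_max_method(uint16_t method) {
    uint8_t sample[CDIR_FIXED_LEN + 1];
    size_t n = build_sample_cdir(sample, sizeof sample, method);
    return max_cdir_method(sample, n);
}

int main(void) {
    long m = sample_max_method(1000);    /* smallest value the report names */
    char label[7];
    printf("method in sample: %ld\n", m);
    printf("fits 5-byte buffer: %d, fits 7-byte buffer: %d\n",
           method_label_fits((unsigned)m, 5), method_label_fits((unsigned)m, 7));
    if (format_method_label((unsigned)m, label, sizeof label) == 0)
        printf("label: %s\n", label);
    return 0;
}
```

The scan reads the method field the way a listing tool would, but returns the value to the caller instead of printing it, so an archive that carries a method id outside what the installed tool can label can be flagged before the tool is run.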

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "cve-2016-9844.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Josef Möllers (jmoellers) wrote :

I just found that a different solution is already present in
Please ignore my drool.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unzip - 6.0-20ubuntu1.1

unzip (6.0-20ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
    - debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
      printing an oversized compression method number in list.c.
    - CVE-2014-9913
  * SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
    - debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
      oversized compression method number in zipinfo.c.
    - CVE-2016-9844
  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-1000035
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
      in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich <email address hidden> Wed, 25 Nov 2020 20:01:25 -0500

Changed in unzip (Ubuntu):
status: Triaged → Fix Released