Heap Buffer Overflow in UzpPassword

Bug #1824530 reported by Dikkie Dikker
Affects: unzip (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

unzip:
  Installed: 6.0-21ubuntu1
  Candidate: 6.0-21ubuntu1

The current version of unzip will crash with a heap overflow. I have attached crash.zip to reproduce the issue. Normal unpacking or testing the archive with the -t argument is enough to trigger the bug. This is the only place that I have reported the issue to.

ASAN:
==13994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000490f at pc 0x7f6f788eb8f9 bp 0x7ffd1c67ec30 sp 0x7ffd1c67e3c0
WRITE of size 8210 at 0x62500000490f thread T0
    #0 0x7f6f788eb8f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
    #1 0x7f6f788ebc86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
    #2 0x55b5a10ccc87 in UzpPassword fileio.c:1594
    #3 0x55b5a1097ddb in decrypt crypt.c:513
    #4 0x55b5a10b6f2e in extract_or_test_entrylist extract.c:1284
    #5 0x55b5a10b6f2e in extract_or_test_files extract.c:586
    #6 0x55b5a1101f24 in do_seekable process.c:987
    #7 0x55b5a1108e56 in process_zipfiles process.c:401
    #8 0x55b5a1093566 in unzip unzip.c:1278
    #9 0x7f6f7826db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x55b5a108afb9 in _start (/home/user/unzip-asan/unzip-6.0/unzip+0x17fb9)

0x62500000490f is located 0 bytes to the right of 8207-byte region [0x625000002900,0x62500000490f)
allocated by thread T0 here:
    #0 0x7f6f7892bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55b5a10ccbfc in UzpPassword fileio.c:1593

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8920: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==13994==ABORTING

GDB:
*** buffer overflow detected ***: /home/user/unzip-dbg/unzip-6.0/unzip terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7814801 in __GI_abort () at abort.c:79
#2 0x00007ffff785d897 in __libc_message (action=action@entry=(do_abort | do_backtrace),
    fmt=fmt@entry=0x7ffff798a988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7908cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true,
    msg=msg@entry=0x7ffff798a905 "buffer overflow detected") at fortify_fail.c:33
#4 0x00007ffff7908d21 in __GI___fortify_fail (msg=msg@entry=0x7ffff798a905 "buffer overflow detected")
    at fortify_fail.c:44
#5 0x00007ffff7906a10 in __GI___chk_fail () at chk_fail.c:28
#6 0x00007ffff7905f29 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#7 0x00007ffff7862494 in __GI__IO_default_xsputn (f=0x7fffffffd8b0, data=<optimized out>, n=11)
    at genops.c:417
#8 0x00007ffff782f9aa in _IO_vfprintf_internal (s=s@entry=0x7fffffffd8b0,
    format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ", ap=ap@entry=0x7fffffffd9f0)
    at vfprintf.c:1674
#9 0x00007ffff7905fcb in ___vsprintf_chk (
    s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=1, slen=8207, format=0x555555578b90 <PasswPrompt> "[%s] %s password: ",
    args=args@entry=0x7fffffffd9f0) at vsprintf_chk.c:82
#10 0x00007ffff7905efa in ___sprintf_chk (
    s=s@entry=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=flags@entry=1, slen=slen@entry=8207,
    format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ") at sprintf_chk.c:31
#11 0x0000555555562c95 in sprintf (__fmt=<synthetic pointer>,
    __s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"...) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#12 UzpPassword (pG=<optimized out>, rcnt=<optimized out>, pwbuf=0x555555890280 '\a' <repeats 88 times>, "! ",
    size=81, zfn=0x5555558715c0 <G+988384> "crash.zip",
    efn=0x555555870420 <G+983872> "dri", '\a' <repeats 197 times>...) at fileio.c:1594
#13 0x000055555555adf3 in decrypt (passwrd=<optimized out>) at crypt.c:513
#14 0x000055555555de54 in extract_or_test_entrylist (numchunk=numchunk@entry=1,
    pfilnum=pfilnum@entry=0x7fffffffdc58, pnum_bad_pwd=pnum_bad_pwd@entry=0x7fffffffdc60,
    pold_extra_bytes=pold_extra_bytes@entry=0x7fffffffdc68, pnum_dirs=pnum_dirs@entry=0x7fffffffdc54,
    pdirlist=pdirlist@entry=0x7fffffffdc70, error_in_archive=51) at extract.c:1284
#15 0x0000555555560488 in extract_or_test_files () at extract.c:586
#16 0x00005555555682b2 in do_seekable (lastchance=lastchance@entry=0) at process.c:987
#17 0x00005555555691f7 in process_zipfiles () at process.c:401
#18 0x000055555555a58e in unzip (argc=<optimized out>, argv=<optimized out>) at unzip.c:1278
#19 0x00007ffff77f5b97 in __libc_start_main (main=0x555555558190 <main>, argc=3, argv=0x7fffffffdf28,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf18)
    at ../csu/libc-start.c:310
#20 0x00005555555581da in _start ()

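The two traces above pin the fault down: UzpPassword allocates an 8207-byte prompt buffer (fileio.c:1593) and then sprintf()s "[%s] %s password: " into it with the archive name and the entry name (fileio.c:1594); the GDB frame shows the entry name's raw 0x07 bytes being rendered as the two-character sequence "^G", so the printable form of a long entry name can be almost twice as long as the raw name, and the write of 8210 bytes overruns the fixed buffer. The following is an added illustration, not code from unzip or from the reporter: it models that sizing mistake and the bounded alternative. FILNAMSIZ = 4096 is an assumption chosen because 2*4096+15 equals the 8207-byte region in the ASAN report; fnfilter() below is a stand-in for unzip's filename filter and only models the caret expansion visible in the GDB output; the sample entry name is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILNAMSIZ 4096                     /* assumed: matches 2*4096+15 == 8207 */
#define PROMPT_BUFSZ (2 * FILNAMSIZ + 15)  /* the fixed allocation seen in the ASAN report */
#define FILTER_BUFSZ (2 * FILNAMSIZ + 1)   /* room for every raw byte to become "^X" */

static const char PasswPrompt[] = "[%s] %s password: ";

/* Stand-in for unzip's filename filter (assumption, modelled on the GDB
 * frame): a control character (< 0x20) is rendered as '^' followed by the
 * character + 64, so 0x07 becomes "^G". Output is bounded by outsz. */
static char *fnfilter(const char *raw, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)raw; *p; p++) {
        if (*p < 0x20) {
            if (o + 2 >= outsz) break;
            out[o++] = '^';
            out[o++] = (char)(*p + 64);
        } else {
            if (o + 1 >= outsz) break;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return out;
}

/* Bytes the formatted prompt needs, including the terminating NUL,
 * computed with the standard snprintf(NULL, 0, ...) idiom. */
static size_t prompt_needed(const char *zfn, const char *efn_filtered)
{
    int n = snprintf(NULL, 0, PasswPrompt, zfn, efn_filtered);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The vulnerable sizing: how many bytes a bare sprintf() into the fixed
 * 2*FILNAMSIZ+15 buffer would write past its end (0 means it fits).
 * The out-of-bounds write itself is deliberately not performed here. */
static size_t vulnerable_overrun(const char *zfn, const char *efn)
{
    char filtered[FILTER_BUFSZ];
    size_t need = prompt_needed(zfn, fnfilter(efn, filtered, sizeof filtered));
    return need > PROMPT_BUFSZ ? need - PROMPT_BUFSZ : 0;
}

/* Hardened form: size the allocation from the formatted length and bound
 * the write with snprintf(). Caller frees the result. */
static char *build_prompt_safe(const char *zfn, const char *efn)
{
    char filtered[FILTER_BUFSZ];
    fnfilter(efn, filtered, sizeof filtered);
    size_t need = prompt_needed(zfn, filtered);
    char *prompt = malloc(need);
    if (prompt == NULL)
        return NULL;
    snprintf(prompt, need, PasswPrompt, zfn, filtered);
    return prompt;
}

/* Constructed input: an entry name made of BEL (0x07) bytes, just under
 * FILNAMSIZ long, in the spirit of the "\a" run in the GDB frame. */
static char *make_bel_name(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 0x07, len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *efn = make_bel_name(FILNAMSIZ - 1);
    printf("bytes written past the fixed buffer: %zu\n",
           vulnerable_overrun("crash.zip", efn));
    char *p = build_prompt_safe("crash.zip", efn);
    printf("bounded prompt length: %zu\n", strlen(p));
    free(p);
    free(efn);
    return 0;
}
```

With a 4095-byte name of control characters the filtered name is 8190 characters, the prompt needs 8214 bytes, and the fixed 8207-byte buffer is short by 7; the hardened builder never relies on a compile-time bound for a string whose length depends on archive-controlled data.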
Mike Salvatore (mikesalvatore) wrote:

Hi Dikkie,

Is this the same vulnerability as reported in CVE-2018-1000035? This CVE also reports a heap-buffer overflow in the UzpPassword function.

Please see https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html and https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html for more details.

Dikkie Dikker (dikkiedikker) wrote:

Heya Mike,

You are correct, it is the same bug as CVE-2018-1000035.

I have checked out the Debian unstable unzip with the patches from Suse; that fixes this issue.

Sorry for the trouble!

Mike Salvatore (mikesalvatore) wrote:

It's no trouble at all. Thanks!

information type: Private Security → Public Security
Changed in unzip (Ubuntu):
status: New → Confirmed
Dominik Viererbe (dviererbe) wrote:

The patch for this bug is present in the unzip package for focal, jammy, kinetic, lunar, mantic.
The patch for this bug is NOT present in the unzip package for trusty, xenial, bionic.

bionic reaches end of standard support this month, so we should set this to won't fix.

BUT

bionic is in extended security maintenance until April 2028
xenial is in extended security maintenance until April 2026
trusty is in extended security maintenance until April 2024

Because this is related to a CVE this should be covered by ESM.

Changed in unzip (Ubuntu):
status: Confirmed → Won't Fix
status: Won't Fix → Fix Released
Dominik Viererbe (dviererbe) wrote:

I just looked in the wrong place (thanks ~juliank). The patch is also present in all supported versions.
