Heap Buffer Overflow in UzpPassword
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| unzip (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic
unzip:
Installed: 6.0-21ubuntu1
Candidate: 6.0-21ubuntu1
The current version of unzip will crash with a heap overflow. I have attached crash.zip to reproduce the issue. Normal unpacking or testing the archive with the -t argument is enough to trigger the bug. This is the only place that I have reported the issue to.
ASAN:
==13994==ERROR: AddressSanitizer: heap-buffer-
WRITE of size 8210 at 0x62500000490f thread T0
#0 0x7f6f788eb8f8 in __interceptor_
#1 0x7f6f788ebc86 in __interceptor_
#2 0x55b5a10ccc87 in UzpPassword fileio.c:1594
#3 0x55b5a1097ddb in decrypt crypt.c:513
#4 0x55b5a10b6f2e in extract_
#5 0x55b5a10b6f2e in extract_
#6 0x55b5a1101f24 in do_seekable process.c:987
#7 0x55b5a1108e56 in process_zipfiles process.c:401
#8 0x55b5a1093566 in unzip unzip.c:1278
#9 0x7f6f7826db96 in __libc_start_main (/lib/x86_
#10 0x55b5a108afb9 in _start (/home/
0x62500000490f is located 0 bytes to the right of 8207-byte region [0x625000002900
allocated by thread T0 here:
#0 0x7f6f7892bb50 in __interceptor_
#1 0x55b5a10ccbfc in UzpPassword fileio.c:1593
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8920: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13994==ABORTING
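The numbers in the ASan report can be cross-checked against each other. The following is an added C example, not part of the bug report or of unzip, that takes the region start, region size, flagged address and write size from the output above and recomputes the derived facts: that the flagged address is exactly the region end ("0 bytes to the right"), the shadow address and partial-granule value on the `=>` line, and, under the assumption that the sprintf write began at the start of the buffer, how many bytes spilled into the redzone. The shadow mapping constants (scale 3, offset 0x7fff8000) are the Linux x86_64 defaults and are an assumption of the example, as is the reading that ASan's range interceptors flag the first poisoned byte of an access while reporting the full access size.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants copied from the AddressSanitizer report on this page. */
#define REGION_START 0x625000002900ULL /* start of the heap region (fileio.c:1593) */
#define REGION_SIZE  8207ULL           /* "8207-byte region"                       */
#define FAULT_ADDR   0x62500000490fULL /* "WRITE of size 8210 at 0x62500000490f"  */
#define WRITE_SIZE   8210ULL

/* Assumption: the default ASan shadow mapping on Linux x86_64,
 * shadow_addr = (app_addr >> 3) + 0x7fff8000. */
#define ASAN_SHADOW_SCALE  3
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

/* Shadow byte address for an application address. */
uint64_t asan_shadow_addr(uint64_t app_addr) {
    return (app_addr >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Shadow value of the 8-byte granule holding the region's last byte:
 * 0 when the whole granule is addressable, otherwise k in 1..7 meaning
 * only the first k bytes of the granule are inside the allocation. */
unsigned asan_last_granule_shadow(uint64_t start, uint64_t size) {
    return (unsigned)((start + size) & 7);
}

/* How far the flagged address lies past the end of the region
 * (0 means "located 0 bytes to the right"). */
int64_t bytes_right_of_region(uint64_t start, uint64_t size, uint64_t addr) {
    return (int64_t)(addr - (start + size));
}

/* Assumption: ASan's range interceptors flag the first poisoned byte of an
 * access and report the full access size. For a write that began at the
 * region start (a sprintf into a freshly malloc'd buffer), the number of
 * bytes landing in the redzone is write_size - region_size. */
int64_t redzone_bytes_written(uint64_t region_size, uint64_t write_size) {
    return (int64_t)(write_size - region_size);
}

int main(void) {
    printf("region end                : 0x%llx\n",
           (unsigned long long)(REGION_START + REGION_SIZE));
    printf("flagged addr - region end : %lld\n",
           (long long)bytes_right_of_region(REGION_START, REGION_SIZE, FAULT_ADDR));
    printf("shadow of flagged addr    : 0x%llx\n",
           (unsigned long long)asan_shadow_addr(FAULT_ADDR));
    printf("last granule shadow value : %02x\n",
           asan_last_granule_shadow(REGION_START, REGION_SIZE));
    printf("bytes written into redzone: %lld\n",
           (long long)redzone_bytes_written(REGION_SIZE, WRITE_SIZE));
    return 0;
}
```

The shadow address comes out as 0x0c4a7fff8921, one byte into the `=>0x0c4a7fff8920:` row, which is where the report brackets the `[07]`; that 07 is the partial-granule value the last byte of the 8207-byte region produces, and the 8210-byte write exceeds the allocation by 3 bytes.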
GDB:
*** buffer overflow detected ***: /home/user/
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/
51 ../sysdeps/
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/
#1 0x00007ffff7814801 in __GI_abort () at abort.c:79
#2 0x00007ffff785d897 in __libc_message (action=
fmt=
#3 0x00007ffff7908cff in __GI___
msg=
#4 0x00007ffff7908d21 in __GI___fortify_fail (msg=msg@
at fortify_fail.c:44
#5 0x00007ffff7906a10 in __GI___chk_fail () at chk_fail.c:28
#6 0x00007ffff7905f29 in _IO_str_
#7 0x00007ffff7862494 in __GI__IO_
at genops.c:417
#8 0x00007ffff782f9aa in _IO_vfprintf_
format=
at vfprintf.c:1674
#9 0x00007ffff7905fcb in ___vsprintf_chk (
s=0x5555558
args=
#10 0x00007ffff7905efa in ___sprintf_chk (
s=s@
format=
#11 0x0000555555562c95 in sprintf (__fmt=<synthetic pointer>,
__s=
#12 UzpPassword (pG=<optimized out>, rcnt=<optimized out>, pwbuf=0x5555558
size=81, zfn=0x5555558715c0 <G+988384> "crash.zip",
efn=
#13 0x000055555555adf3 in decrypt (passwrd=<optimized out>) at crypt.c:513
#14 0x000055555555de54 in extract_
pfilnum=
pold_
pdirlist=
#15 0x0000555555560488 in extract_
#16 0x00005555555682b2 in do_seekable (lastchance=
#17 0x00005555555691f7 in process_zipfiles () at process.c:401
#18 0x000055555555a58e in unzip (argc=<optimized out>, argv=<optimized out>) at unzip.c:1278
#19 0x00007ffff77f5b97 in __libc_start_main (main=0x5555555
init=<optimized out>, fini=<optimized out>, rtld_fini=
at ../csu/
#20 0x00005555555581da in _start ()
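The GDB backtrace shows sprintf() called from UzpPassword (fileio.c:1594) with the archive name and the entry name as arguments, writing into the heap buffer ASan reports as 8207 bytes. The following is an added C example, not unzip's code, that shows that bug class in a hypothetical prompt builder next to two bounded replacements: measure-then-allocate with snprintf(NULL, 0, ...) and snprintf into a fixed buffer that reports truncation. PROMPT_FMT, the function names and the 64-byte cap are assumptions of the example; the helper builds a constructed entry name so the block runs stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical prompt format standing in for unzip's password prompt:
 * archive name first, entry name second (both of attacker-chosen length). */
#define PROMPT_FMT "[%s] %s password: "

/* Pattern shown in the backtrace: a buffer sized by a fixed bound, then
 * sprintf() of two caller-controlled names into it. The text length is
 * never checked against the bound, so an over-long name writes past the
 * allocation. Kept for contrast only; never call it with untrusted names. */
char *build_prompt_fixed(const char *zfn, const char *efn) {
    enum { PROMPT_CAP = 64 }; /* arbitrary fixed bound for illustration */
    char *prompt = malloc(PROMPT_CAP);
    if (!prompt) return NULL;
    sprintf(prompt, PROMPT_FMT, zfn, efn); /* unbounded write */
    return prompt;
}

/* Fix 1: measure, then allocate exactly. snprintf(NULL, 0, ...) returns the
 * length the text would have, so the second call cannot run past the
 * buffer no matter how long the names are. */
char *build_prompt_exact(const char *zfn, const char *efn) {
    int need = snprintf(NULL, 0, PROMPT_FMT, zfn, efn);
    if (need < 0) return NULL;
    char *prompt = malloc((size_t)need + 1);
    if (!prompt) return NULL;
    snprintf(prompt, (size_t)need + 1, PROMPT_FMT, zfn, efn);
    return prompt;
}

/* Fix 2: keep a fixed buffer but bound the write. snprintf writes at most
 * cap bytes (NUL included); the return value tells the caller whether the
 * text was cut short so it can react instead of corrupting the heap. */
int build_prompt_bounded(char *buf, size_t cap, const char *zfn, const char *efn) {
    int need = snprintf(buf, cap, PROMPT_FMT, zfn, efn);
    return need < 0 || (size_t)need >= cap; /* 1 = truncated */
}

/* Constructed entry name of name_len 'A' characters (test input only). */
static char *constructed_name(size_t name_len) {
    char *s = malloc(name_len + 1);
    if (!s) return NULL;
    memset(s, 'A', name_len);
    s[name_len] = '\0';
    return s;
}

/* Length of the exact-fit prompt for "crash.zip" and a name of name_len. */
size_t exact_prompt_len(size_t name_len) {
    char *efn = constructed_name(name_len);
    char *p = efn ? build_prompt_exact("crash.zip", efn) : NULL;
    size_t n = p ? strlen(p) : 0;
    free(p);
    free(efn);
    return n;
}

/* 1 if the bounded builder had to truncate for a cap-byte buffer. */
int bounded_prompt_truncated(size_t cap, size_t name_len) {
    char buf[64];
    if (cap > sizeof buf) cap = sizeof buf;
    char *efn = constructed_name(name_len);
    if (!efn) return -1;
    int t = build_prompt_bounded(buf, cap, "crash.zip", efn);
    free(efn);
    return t;
}

int main(void) {
    printf("exact prompt, 8200-char name: %zu bytes\n", exact_prompt_len(8200));
    printf("64-byte buffer, 8200-char name truncated: %d\n",
           bounded_prompt_truncated(64, 8200));
    printf("64-byte buffer, 1-char name truncated: %d\n",
           bounded_prompt_truncated(64, 1));
    return 0;
}
```

Either fix removes the dependence on the fixed bound matching the longest possible formatted text; the exact-fit variant is the one to prefer when the prompt must not be silently cut, the bounded one when the buffer size is dictated by the caller.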
CVE References
Changed in unzip (Ubuntu):
status: New → Confirmed
Changed in unzip (Ubuntu):
status: Confirmed → Won't Fix
status: Won't Fix → Fix Released
Hi Dikkie,
Is this the same vulnerability as reported in CVE-2018-1000035? This CVE also reports a heap-buffer overflow in the UzpPassword function.
Please see https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html and https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html for more details.