SIGSEGV during processing of unicode string

Bug #1957077 reported by Nils
Affects: unzip (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

SIGSEGV during processing of Unicode string

# Description
During extraction of the attached zip archive via
```
unzip $PWD/1ba59e08e410ce4bd897dd4ef3d0f59ca26b34f76de51d3b4382d72b8ae0d40d_SIGSEGV
```
a null pointer dereference is triggered and causes a SIGSEGV. The bug appears to be located in the code responsible for handling Unicode strings. This allows an attacker to perform a denial of service and possibly opens up other attack vectors.

For reproduction of the crash a script called ./reproduce.sh is provided alongside the crashing input. If you need further details, please do not hesitate to ask.

# apt-show unzip
Package: unzip
Version: 6.0-25ubuntu1
Priority: optional
Section: utils
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-Maintainer: Santiago Vila <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 593 kB
Depends: libbz2-1.0, libc6 (>= 2.14)
Suggests: zip
Homepage: http://www.info-zip.org/UnZip.html
Task: ubuntu-desktop-minimal, ubuntu-desktop, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Download-Size: 169 kB
APT-Manual-Installed: yes
APT-Sources: http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
Description: De-archiver for .zip files

# valgrind output
==17079== Conditional jump or move depends on uninitialised value(s)
==17079== at 0x430B0B: getZip64Data (process.c:1942)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Conditional jump or move depends on uninitialised value(s)
==17079== at 0x430B44: getZip64Data (process.c:1950)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Conditional jump or move depends on uninitialised value(s)
==17079== at 0x430ABF: getZip64Data (process.c:1937)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Use of uninitialised value of size 8
==17079== at 0x41BD82: makeword (fileio.c:2440)
==17079== by 0x430AF2: getZip64Data (process.c:1939)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Use of uninitialised value of size 8
==17079== at 0x41BD82: makeword (fileio.c:2440)
==17079== by 0x430AFD: getZip64Data (process.c:1940)
==17079== by 0x41E687: do_string (fileio.c:2314)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Uninitialised value was created by a heap allocation
==17079== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x41E603: do_string (fileio.c:2303)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079==
==17079== Invalid read of size 1
==17079== at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x4311C9: getUnicodeData (process.c:2072)
==17079== by 0x41F045: do_string (fileio.c:2330)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17079==
==17079==
==17079== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17079== Access not within mapped region at address 0x0
==17079== at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==17079== by 0x4311C9: getUnicodeData (process.c:2072)
==17079== by 0x41F045: do_string (fileio.c:2330)
==17079== by 0x40D390: extract_or_test_files (extract.c:658)
==17079== by 0x42F1FB: do_seekable (process.c:994)
==17079== by 0x42B4E5: process_zipfiles (process.c:401)
==17079== by 0x4033E2: unzip (unzip.c:1278)
==17079== by 0x48970B2: (below main) (libc-start.c:308)
==17079== If you believe this happened as a result of a stack
==17079== overflow in your program's main thread (unlikely but
==17079== possible), you can try to increase the size of the
==17079== main thread stack using the --main-stacksize= flag.
==17079== The main thread stack size used in this run was 8388608.
==17079==
==17079== HEAP SUMMARY:
==17079== in use at exit: 109,457 bytes in 6 blocks
==17079== total heap usage: 28 allocs, 22 frees, 118,125 bytes allocated
==17079==
==17079== LEAK SUMMARY:
==17079== definitely lost: 0 bytes in 0 blocks
==17079== indirectly lost: 0 bytes in 0 blocks
==17079== possibly lost: 0 bytes in 0 blocks
==17079== still reachable: 109,457 bytes in 6 blocks
==17079== suppressed: 0 bytes in 0 blocks
==17079== Rerun with --leak-check=full to see details of leaked memory
==17079==
==17079== For lists of detected and suppressed errors, rerun with: -s
==17079== ERROR SUMMARY: 39614 errors from 6 contexts (suppressed: 0 from 0)
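The valgrind trace above shows two failure classes inside the extra-field handlers: getZip64Data reading bytes of a freshly malloc'd buffer that were never filled, and getUnicodeData passing a NULL pointer to strlen(). The block below is an added example written for this page; it is not Info-ZIP UnZip code and not the patch attached later in this report. It walks a ZIP extra field (the header-ID / data-size / data records that carry Zip64 and Info-ZIP Unicode Path entries, laid out as in the ZIP APPNOTE) with the three checks whose absence would produce exactly these findings: the block header must fit in the bytes actually read, the declared payload size must fit in the bytes actually read, and the header filename must exist before its CRC is computed. Which of these the real fix needed is an assumption; the sample extra fields are constructed here and are not the crashing input.

```c
/*
 * Bounds-checked walker over a ZIP extra field. Added example, not UnZip code.
 * Extra field = sequence of: u16 header_id | u16 data_size | data[data_size],
 * all little-endian. IDs used here are the real APPNOTE values.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EF_ZIP64        0x0001  /* Zip64 extended information, APPNOTE 4.5.3 */
#define EF_UNICODE_PATH 0x7075  /* Info-ZIP Unicode Path "up", APPNOTE 4.6.9 */

enum { EF_OK = 0, EF_TRUNCATED = -1, EF_NO_BASENAME = -2 };

struct ef_result {
    int have_zip64, have_unicode, unicode_crc_mismatch;
    uint64_t zip64_first;        /* first 8-byte Zip64 field, when present */
    char unicode_name[64];
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* CRC-32 as used by ZIP (reflected polynomial 0xEDB88320), bitwise, no table. */
static uint32_t crc32_zip(const unsigned char *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* ef_len is the byte count actually READ into ef, never the length a header claims.
   base_name is the filename from the local/central header; it may be NULL. */
static int ef_scan(const unsigned char *ef, size_t ef_len, const char *base_name,
                   struct ef_result *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < ef_len) {
        if (ef_len - pos < 4) return EF_TRUNCATED;            /* check 1: block header fits */
        uint16_t id = rd16(ef + pos), size = rd16(ef + pos + 2);
        pos += 4;
        if ((size_t)size > ef_len - pos) return EF_TRUNCATED; /* check 2: payload fits; never trust size */
        const unsigned char *data = ef + pos;
        pos += size;                                          /* unknown IDs are skipped by size */

        if (id == EF_ZIP64) {
            if (size >= 8) { out->have_zip64 = 1; out->zip64_first = rd64(data); }
        } else if (id == EF_UNICODE_PATH) {
            if (size < 5 || data[0] != 1) continue;           /* u8 version, u32 crc, utf8 name */
            if (base_name == NULL) return EF_NO_BASENAME;     /* check 3: guard before strlen() */
            if (crc32_zip((const unsigned char *)base_name, strlen(base_name)) != rd32(data + 1)) {
                out->unicode_crc_mismatch = 1;                /* APPNOTE: ignore the Unicode name */
                continue;
            }
            size_t n = size - 5;
            if (n >= sizeof out->unicode_name) n = sizeof out->unicode_name - 1;
            memcpy(out->unicode_name, data + 5, n);
            out->unicode_name[n] = '\0';
            out->have_unicode = 1;
        }
    }
    return EF_OK;
}

/* Builds a well-formed "up" block for a constructed sample; returns bytes written. */
static size_t put_unicode_block(unsigned char *dst, const char *base, const char *utf8) {
    size_t n = strlen(utf8);
    uint16_t size = (uint16_t)(5 + n);
    dst[0] = 0x75; dst[1] = 0x70;                             /* header ID 0x7075, little-endian */
    dst[2] = (unsigned char)size; dst[3] = (unsigned char)(size >> 8);
    dst[4] = 1;                                               /* version */
    wr32(dst + 5, crc32_zip((const unsigned char *)base, strlen(base)));
    memcpy(dst + 9, utf8, n);
    return 9 + n;
}

/* Constructed Zip64 block: id 0x0001, size 8, one field with value 4096. */
static const unsigned char ZIP64_BLOCK[12] = { 0x01,0x00, 0x08,0x00, 0x00,0x10,0,0,0,0,0,0 };

static int demo_good(void) {                 /* well-formed field: both records parsed */
    unsigned char ef[96]; struct ef_result r;
    memcpy(ef, ZIP64_BLOCK, 12);
    size_t len = 12 + put_unicode_block(ef + 12, "readme.txt", "caf\xC3\xA9.txt");
    return ef_scan(ef, len, "readme.txt", &r) == EF_OK && r.have_zip64 && r.zip64_first == 4096
        && r.have_unicode && strcmp(r.unicode_name, "caf\xC3\xA9.txt") == 0;
}
static int demo_truncated(void) {            /* header claims more bytes than were read */
    unsigned char ef[64]; struct ef_result r;
    size_t len = put_unicode_block(ef, "readme.txt", "caf\xC3\xA9.txt");
    return ef_scan(ef, len - 3, "readme.txt", &r);
}
static int demo_null_basename(void) {        /* Unicode block present, header name never set */
    unsigned char ef[64]; struct ef_result r;
    size_t len = put_unicode_block(ef, "readme.txt", "x");
    return ef_scan(ef, len, NULL, &r);
}
static int demo_crc_mismatch(void) {         /* block was built for a different base name */
    unsigned char ef[64]; struct ef_result r;
    size_t len = put_unicode_block(ef, "other.txt", "x");
    return ef_scan(ef, len, "readme.txt", &r) == EF_OK && !r.have_unicode && r.unicode_crc_mismatch;
}

int main(void) {
    printf("good=%d truncated=%d null_base=%d crc_mismatch=%d\n",
           demo_good(), demo_truncated(), demo_null_basename(), demo_crc_mismatch());
    return 0;
}
```

The point of passing the count of bytes actually read rather than the header's declared length is that a truncated or lying archive can never steer the walker into the unfilled tail of the buffer; the NULL guard sits before the CRC computation because that is the only place the base filename is dereferenced.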

Nils (nils-bars)
description: updated
Alex Murray (alexmurray) wrote :

Thanks for reporting this issue - have you tried reporting this to the upstream developers at all? I am not sure if it is still maintained, but historically, issues in UnZip were meant to be reported via http://infozip.sourceforge.net/zip-bug.html - if you have not already, could you please try reporting this there? If you do get a response, please let us know as well. Thanks.

Nils (nils-bars) wrote :

Hello Alex,

since the last release on http://infozip.sourceforge.net is from 2009 and the unzip package in the Ubuntu repository is bundled with a bunch of more recent patches for different CVEs, I strongly believe the upstream project is abandoned. Nevertheless, I reported the bug via the URL you provided to me. I believe the person who created the different CVE patches should know best how to proceed with this report?

Thanks!

description: updated
Alex Murray (alexmurray) wrote :

Thanks - it looks like previous issues have ended up just going to the oss-security mailing list:

https://www.openwall.com/lists/oss-security/2016/12/05/13
https://www.openwall.com/lists/oss-security/2015/09/07/4
https://www.openwall.com/lists/oss-security/2014/11/03/5
https://www.openwall.com/lists/oss-security/2014/11/02/2

Perhaps it is best to just make this public and request a CVE be assigned there - that way all distros etc can be notified and you can get appropriate credit etc?

Nils (nils-bars)
information type: Private Security → Public Security
Nils (nils-bars) wrote :

The attached attachment.zip file contains the bug-triggering payload and a script to reproduce the bug via a prebuilt docker image.

wicked (dtwicked) wrote :

There is no patch for this issue?

Nils (nils-bars) wrote :

I attached a fix for the reported issue. However, since I am not familiar with unzip, someone should review it. Thanks!

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch