[unzip] [CVE-2008-0888] potential code execution

Bug #203461 reported by disabled.user on 2008-03-18
254
Affects Status Importance Assigned to Milestone
unzip (Fedora)
Fix Released
Medium
unzip (Gentoo Linux)
Fix Released
Medium
unzip (Mandriva)
Unknown
Unknown
unzip (Ubuntu)
Undecided
Kees Cook

Bug Description

Binary package hint: unzip

References:
DSA 1522-1 (http://www.debian.org/security/2008/dsa-1522)

Quoting:
"Tavis Ormandy discovered that unzip, when processing specially crafted
ZIP archives, could pass invalid pointers to the C library's free
routine, potentially leading to arbitrary code execution"

CVE References

Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() memory block pointed to by uninitialized pointer or memory block, which
was already freed. This can cause unzip to crash (SEGV) during extraction of
malicious zip file, possibly allowing code execution.

Further details from Tavis:

  the inflate_dynamic() routine (~978, inflate.c) uses a macro
  NEEDBITS() that jumps execution to a cleanup routine on error, this
  routine attempts to free() two buffers allocated during the inflate
  process. At certain locations, the NEEDBITS() macro is used while the
  pointers are not pointing to valid buffers, they are either
  uninitialised or pointing inside a block that has already been free()d
  (ie, not pointing at the block, but at a location inside it).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.

Created attachment 293893
Patch against 5.5.2 proposed by Tavis

This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.

Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client
application DoS, which is not considered a security issue. I've filed tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.

Kees Cook (kees) wrote :

Thanks for the report. This update will be published shortly.

Changed in unzip:
assignee: nobody → keescook
status: New → Fix Committed
Changed in unzip:
status: Unknown → In Progress
Kees Cook (kees) wrote :

Thanks, this was published as: http://www.ubuntu.com/usn/usn-589-1

Changed in unzip:
status: Fix Committed → Fix Released
Changed in unzip:
status: Unknown → Invalid
Changed in unzip:
status: In Progress → Fix Released
Changed in unzip:
status: Invalid → Unknown

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0196.html

Changed in unzip:
status: Unknown → Fix Released
Changed in unzip (Gentoo Linux):
importance: Unknown → Medium
Changed in unzip (Fedora):
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.