Buffer overflow in zip

Bug #1660744 reported by Dios
This bug affects 2 people
Affects: zip (Ubuntu); Status: Confirmed; Importance: Wishlist; Assigned to: Unassigned; Milestone: none

Bug Description

Running zip in 16.10 or 16.04 with specific args leads to a buffer overflow

Run the following:

zip --out

Any arguments in between can be added.

*** buffer overflow detected ***: zip terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f1d516b4725]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f1d5175589c]
/lib/x86_64-linux-gnu/libc.so.6(+0x1168a0)[0x7f1d517538a0]
/lib/x86_64-linux-gnu/libc.so.6(+0x115e09)[0x7f1d51752e09]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f1d516b85e0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x139b)[0x7f1d5168b4cb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f1d51752e94]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f1d51752ded]
zip[0x413941]
zip[0x4194f3]
zip[0x40280a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f1d5165d830]
zip[0x408529]
======= Memory map: ========
00400000-0042c000 r-xp 00000000 fd:01 689734 /usr/bin/zip
0062c000-0062d000 r--p 0002c000 fd:01 689734 /usr/bin/zip
0062d000-0062f000 rw-p 0002d000 fd:01 689734 /usr/bin/zip
0062f000-0067e000 rw-p 00000000 00:00 0
00839000-0085a000 rw-p 00000000 00:00 0 [heap]
7f1d51107000-7f1d5111d000 r-xp 00000000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5111d000-7f1d5131c000 ---p 00016000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5131c000-7f1d5131d000 rw-p 00015000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5131d000-7f1d5163d000 r--p 00000000 fd:01 652956 /usr/lib/locale/locale-archive
7f1d5163d000-7f1d517fd000 r-xp 00000000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d517fd000-7f1d519fc000 ---p 001c0000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d519fc000-7f1d51a00000 r--p 001bf000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d51a00000-7f1d51a02000 rw-p 001c3000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d51a02000-7f1d51a06000 rw-p 00000000 00:00 0
7f1d51a06000-7f1d51a15000 r-xp 00000000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51a15000-7f1d51c14000 ---p 0000f000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c14000-7f1d51c15000 r--p 0000e000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c15000-7f1d51c16000 rw-p 0000f000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c16000-7f1d51c3c000 r-xp 00000000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e30000-7f1d51e33000 rw-p 00000000 00:00 0
7f1d51e38000-7f1d51e3b000 rw-p 00000000 00:00 0
7f1d51e3b000-7f1d51e3c000 r--p 00025000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e3c000-7f1d51e3d000 rw-p 00026000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e3d000-7f1d51e3e000 rw-p 00000000 00:00 0
7ffc5acca000-7ffc5aceb000 rw-p 00000000 00:00 0 [stack]
7ffc5adb3000-7ffc5adb5000 r--p 00000000 00:00 0 [vvar]
7ffc5adb5000-7ffc5adb7000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

zip error: Interrupted (aborting)
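
What the backtrace above shows, for readers unfamiliar with the glibc frames: this is not a plain segfault but a FORTIFY_SOURCE check firing. The zip binary was built with fortification (that is why __sprintf_chk appears in the trace), so a sprintf() into a buffer whose size the compiler can see at the call site is rewritten to __sprintf_chk(); when the formatted result would exceed that size, the call aborts through __fortify_fail() instead of writing past the end of the buffer. The C example below is added here and is not zip's code; it reproduces only the shape of that defect with constructed names (NAME_BUF, build_name_unsafe, build_name_bounded and build_name_alloc are all assumptions) and places the bounded and allocating alternatives next to it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-size destination of the kind the fortified
 * sprintf() in the backtrace was writing into. The size is an assumption. */
#define NAME_BUF 32

/* Unsafe pattern: sprintf() is never told how large dst is. Under
 * -D_FORTIFY_SOURCE=2 the compiler replaces this call with __sprintf_chk()
 * and passes the known object size, so an over-long base or suffix ends in
 * __fortify_fail() and an abort, exactly as in the report. Without
 * fortification the same call silently overruns the stack. Kept for
 * comparison only; nothing below calls it. */
void build_name_unsafe(char dst[NAME_BUF], const char *base, const char *suffix)
{
    sprintf(dst, "%s%s", base, suffix);
}

/* Bounded pattern: snprintf() receives the capacity and returns the length the
 * full result would have had. Returns true when the result fit, false when it
 * was truncated (dst is still NUL-terminated either way). The caller then
 * rejects or reports the input instead of corrupting memory. */
static bool build_name_bounded(char *dst, size_t cap, const char *base, const char *suffix)
{
    int needed = snprintf(dst, cap, "%s%s", base, suffix);
    if (needed < 0) {            /* encoding error: leave an empty string */
        dst[0] = '\0';
        return false;
    }
    return (size_t)needed < cap; /* needed excludes the terminating NUL */
}

/* Allocating pattern for inputs of unknown length (command-line arguments are
 * the typical case): measure first, allocate exactly, then format. Returns a
 * heap string the caller frees, or NULL on failure. */
static char *build_name_alloc(const char *base, const char *suffix)
{
    int needed = snprintf(NULL, 0, "%s%s", base, suffix);
    if (needed < 0)
        return NULL;
    char *out = malloc((size_t)needed + 1);
    if (out == NULL)
        return NULL;
    snprintf(out, (size_t)needed + 1, "%s%s", base, suffix);
    return out;
}

int main(void)
{
    char buf[NAME_BUF];
    char longarg[100];                      /* constructed over-long argument */
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    printf("short: fit=%d text=%s\n",
           build_name_bounded(buf, sizeof buf, "archive", ".zip"), buf);
    printf("long:  fit=%d (truncated to %zu bytes)\n",
           build_name_bounded(buf, sizeof buf, longarg, ".zip"), strlen(buf));

    char *heap = build_name_alloc(longarg, ".zip");
    if (heap != NULL) {
        printf("alloc: %zu bytes, no fixed buffer involved\n", strlen(heap));
        free(heap);
    }
    return 0;
}
```

Two points worth keeping in mind when reading the report through this lens. First, FORTIFY_SOURCE only helps where the destination's size is visible to the compiler (stack arrays and fixed-size struct members); it turns a silent overwrite into a clean abort, which is why the reporter saw a crash rather than memory corruption, but it is a mitigation, not a fix. Second, the bounded version's return value is the check that matters: a truncation that is silently accepted can still become a logic bug (a wrong archive name), so a fix should either report it, as build_name_bounded does, or avoid the fixed buffer altogether, as build_name_alloc does.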

Tyler Hicks (tyhicks) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Attackers wouldn't typically have the ability to directly influence the command line arguments and, in this case, it doesn't seem to matter if they did since the crash happens early on in the argument parsing code. Please feel free to report any other bugs you may find.

I've confirmed this bug using zip 3.0-11 in Ubuntu 16.10.

affects: ubuntu → zip (Ubuntu)
Changed in zip (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
information type: Private Security → Public