Running zip in 16.10 or 16.04 with specific args leads to a buffer overflow
Run the following:
zip --out
Any arguments in between can be added.
*** buffer overflow detected ***: zip terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f1d516b4725]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f1d5175589c]
/lib/x86_64-linux-gnu/libc.so.6(+0x1168a0)[0x7f1d517538a0]
/lib/x86_64-linux-gnu/libc.so.6(+0x115e09)[0x7f1d51752e09]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f1d516b85e0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x139b)[0x7f1d5168b4cb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f1d51752e94]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f1d51752ded]
zip[0x413941]
zip[0x4194f3]
zip[0x40280a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f1d5165d830]
zip[0x408529]
======= Memory map: ========
00400000-0042c000 r-xp 00000000 fd:01 689734 /usr/bin/zip
0062c000-0062d000 r--p 0002c000 fd:01 689734 /usr/bin/zip
0062d000-0062f000 rw-p 0002d000 fd:01 689734 /usr/bin/zip
0062f000-0067e000 rw-p 00000000 00:00 0
00839000-0085a000 rw-p 00000000 00:00 0 [heap]
7f1d51107000-7f1d5111d000 r-xp 00000000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5111d000-7f1d5131c000 ---p 00016000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5131c000-7f1d5131d000 rw-p 00015000 fd:01 914015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1d5131d000-7f1d5163d000 r--p 00000000 fd:01 652956 /usr/lib/locale/locale-archive
7f1d5163d000-7f1d517fd000 r-xp 00000000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d517fd000-7f1d519fc000 ---p 001c0000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d519fc000-7f1d51a00000 r--p 001bf000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d51a00000-7f1d51a02000 rw-p 001c3000 fd:01 913986 /lib/x86_64-linux-gnu/libc-2.23.so
7f1d51a02000-7f1d51a06000 rw-p 00000000 00:00 0
7f1d51a06000-7f1d51a15000 r-xp 00000000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51a15000-7f1d51c14000 ---p 0000f000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c14000-7f1d51c15000 r--p 0000e000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c15000-7f1d51c16000 rw-p 0000f000 fd:01 913943 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f1d51c16000-7f1d51c3c000 r-xp 00000000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e30000-7f1d51e33000 rw-p 00000000 00:00 0
7f1d51e38000-7f1d51e3b000 rw-p 00000000 00:00 0
7f1d51e3b000-7f1d51e3c000 r--p 00025000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e3c000-7f1d51e3d000 rw-p 00026000 fd:01 913967 /lib/x86_64-linux-gnu/ld-2.23.so
7f1d51e3d000-7f1d51e3e000 rw-p 00000000 00:00 0
7ffc5acca000-7ffc5aceb000 rw-p 00000000 00:00 0 [stack]
7ffc5adb3000-7ffc5adb5000 r--p 00000000 00:00 0 [vvar]
7ffc5adb5000-7ffc5adb7000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
zip error: Interrupted (aborting)
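The abort above is glibc's FORTIFY_SOURCE check firing: `__sprintf_chk` detected that `sprintf` was about to write past a fixed-size buffer while zip was formatting something during argument parsing, and killed the process instead of letting the stack be overwritten. As an added illustration of that bug class, not code from zip or from the reporter, here is the vulnerable pattern beside its hardened form in C. The buffer size, the message text, the "value-taking option is the last word on the command line" model of the trigger and the over-long option name are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer an error message is formatted into. The size is an
 * assumption for this example; zip's real buffer and message text differ. */
#define MSG_MAX 64

/* Vulnerable pattern: an unbounded %s (an option name taken from argv) is
 * sprintf()'d into a fixed-size local buffer. Built with
 * -O2 -D_FORTIFY_SOURCE=2, glibc rewrites sprintf() into __sprintf_chk(),
 * the frame that aborts with "*** buffer overflow detected ***" in the
 * backtrace above once the text exceeds MSG_MAX. Without FORTIFY the same
 * call silently overwrites the stack. Kept here only as the "before". */
static void report_unsafe(const char *opt)
{
    char buf[MSG_MAX];
    sprintf(buf, "zip error: option '%s' requires an argument", opt);
    fputs(buf, stderr);
    fputc('\n', stderr);
}

/* Hardened form: bounded formatting plus a checked result. Returns 0 when the
 * whole message fit in msg[msglen], -1 when snprintf() had to truncate it
 * (msg is NUL-terminated either way). */
static int format_error_safe(char *msg, size_t msglen, const char *opt)
{
    int n = snprintf(msg, msglen, "zip error: option '%s' requires an argument", opt);
    if (n < 0 || (size_t)n >= msglen)
        return -1;
    return 0;
}

/* Does the message for `opt` fit in a MSG_MAX buffer? 1 = fits,
 * 0 = it would have overflowed (the unsafe path) or been truncated. */
static int message_fits(const char *opt)
{
    char buf[MSG_MAX];
    return format_error_safe(buf, sizeof buf, opt) == 0;
}

/* Assumed model of the reported invocation (`zip --out` with nothing after
 * it): a value-taking option that is the last word on the command line.
 * This is not zip's actual parser. Returns 1 when `opt` is present with no
 * following value, 0 otherwise. */
static int option_missing_value(int argc, char *const argv[], const char *opt)
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], opt) == 0)
            return i + 1 >= argc;
    return 0;
}

/* Constructed over-long option name (199 'A's), longer than MSG_MAX. */
static const char *constructed_long_option(void)
{
    static char name[200];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void)
{
    char msg[MSG_MAX];
    /* Constructed argv standing in for the report's `zip --out`. */
    char *const fake_argv[] = { "zip", "--out", NULL };
    int fake_argc = 2;

    if (option_missing_value(fake_argc, fake_argv, "--out") &&
        format_error_safe(msg, sizeof msg, "--out") == 0)
        fprintf(stderr, "%s\n", msg);            /* 46 chars: fits */

    if (format_error_safe(msg, sizeof msg, constructed_long_option()) != 0)
        fprintf(stderr, "refused: message would exceed %d bytes\n", MSG_MAX);

    report_unsafe("--out");                      /* short name: no overflow */
    /* report_unsafe(constructed_long_option());  <- uncomment and build with
     * gcc -O2 -D_FORTIFY_SOURCE=2 to reproduce the __sprintf_chk abort */
    return 0;
}
```

Built normally the program only exercises the checked path. To see the same abort as in the report, enable the commented-out call and compile with `gcc -O2 -D_FORTIFY_SOURCE=2` (Ubuntu's gcc turns FORTIFY on by default whenever optimization is enabled, which is why a stock package fails loudly like this instead of corrupting memory in silence). The design point of `format_error_safe` is that the caller learns the message did not fit and can decide what to do, rather than the libc check being the last line of defence.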
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Attackers wouldn't typically have the ability to directly influence the command line arguments and, in this case, it doesn't seem to matter if they did since the crash happens early on in the argument parsing code. Please feel free to report any other bugs you may find.
I've confirmed this bug using zip 3.0-11 in Ubuntu 16.10.