1191136 – unzip: buffer overflows on long compression factors and methods

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1191136 - unzip: buffer overflows on long compression factors and methods

Summary: unzip: buffer overflows on long compression factors and methods

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	unzip
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Stodulka
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-02-10 14:25 UTC by Tomas Hoger
Modified:	2016-12-13 14:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:	unzip-6.0-17.fc20
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-16 03:25:37 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tomas Hoger 2015-02-10 14:25:22 UTC

Description of problem:

Issue was reported upstream:

http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=432

Test case available at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=12;filename=replication.jar;att=1;bug=741384

When using unzip -v or unzip -l on the archive, unzip aborts with FORTIFY_SOURCE detected overflow (hence crash only).

Upstream bug includes proposed fix.

Comment 1 Tomas Hoger 2015-02-10 20:43:41 UTC

Similar buffer overflow related to printing of compression method was reported in:

https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/387350

Affected code is:

  sprintf(&methbuf[4], "%03u", G.crec.compression_method);

Fixed in upcoming 6.1 using:

                /* 2013-02-26 SMS.
                 * http://sourceforge.net/tracker/?func=detail
                 *  &aid=2861648&group_id=118012&atid=679786
                 * Unexpectedly large compression methods overflow
                 * &methbuf[].  Use the old, three-digit decimal format
                 * for values which fit.  Otherwise, sacrifice the
                 * colon, and use four-digit hexadecimal.
                 */
                if (G.crec.compression_method <= 999) {
                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
                } else {
                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
                }

Mentioned SF.net bug may have further discussion:

http://sourceforge.net/tracker/?func=detail&aid=2861648&group_id=118012&atid=679786

SF.net is currently inaccessible.

Comment 2 Fedora Update System 2015-02-10 20:56:16 UTC

unzip-6.0-19.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/unzip-6.0-19.fc21

Comment 3 Fedora Update System 2015-02-10 20:56:29 UTC

unzip-6.0-16.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/unzip-6.0-16.fc20

Comment 4 Fedora Update System 2015-02-11 16:15:00 UTC

unzip-6.0-17.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/unzip-6.0-17.fc20

Comment 5 Fedora Update System 2015-02-11 16:15:13 UTC

unzip-6.0-20.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/unzip-6.0-20.fc21

Comment 6 Fedora Update System 2015-02-15 03:12:37 UTC

Package unzip-6.0-17.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing unzip-6.0-17.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1993/unzip-6.0-17.fc20
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-02-16 03:25:37 UTC

unzip-6.0-20.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-02-23 23:25:12 UTC

unzip-6.0-17.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Tomas Hoger 2015-02-27 10:46:53 UTC

(In reply to Tomas Hoger from comment #0)
> Issue was reported upstream:
> 
> http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=432

...

> Upstream bug includes proposed fix.

Just for posterity, the fix proposed in the above forum is to extended cfactorstr[] size from cfactorstr[10] to cfactorstr[12].  However, upstream unzip610c15 only extends it to cfactorstr[11], which is insufficient.

Comment 10 Tomas Hoger 2016-12-13 13:29:16 UTC

(In reply to Tomas Hoger from comment #0)
> Description of problem:
> 
> Issue was reported upstream:
> 
> http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=432

The originating Debian bug report is:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741384

(In reply to Tomas Hoger from comment #9)
> Just for posterity, the fix proposed in the above forum is to extended
> cfactorstr[] size from cfactorstr[10] to cfactorstr[12].  However, upstream
> unzip610c15 only extends it to cfactorstr[11], which is insufficient.

Upstream unzip610c16s uses cfactorstr[12].  Referenced beta versions are available here:

http://antinode.info/ftp/info-zip/

This problem was about insufficiently sized cfactorstr[] stack-based buffer, which could be overflown when large cfactor value is printed to it using:

sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);

where CompFactorStr format string is:

   static ZCONST char Far CompFactorStr[] = "%c%d%%";

Comment 12 Tomas Hoger 2016-12-13 13:56:01 UTC

(In reply to Tomas Hoger from comment #1)
> Similar buffer overflow related to printing of compression method was
> reported in:
> 
> https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/387350
> 
> Affected code is:
> 
>   sprintf(&methbuf[4], "%03u", G.crec.compression_method);

This issue now got CVE-2014-9913 assigned - see bug 1401865.  Additionally, similar flaw was found in zi_short() in zipinfo.c - see CVE-2016-9844 / bug 1401864.

> Mentioned SF.net bug may have further discussion:
> 
> http://sourceforge.net/tracker/?func=detail&aid=2861648&group_id=118012&atid=679786
> 
> SF.net is currently inaccessible.

A new link for the above upstream bug report is:

https://sourceforge.net/p/infozip/bugs/27/

Note You need to log in before you can comment on or make changes to this bug.