Bug 558738 - Valgrind reports uninitialized reads in unzip
Summary: Valgrind reports uninitialized reads in unzip
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: unzip
Version: 19
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Petr Stodulka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-01-26 09:29 UTC by D. Wagner
Modified: 2015-01-02 15:04 UTC (History)

Fixed In Version: unzip-6.0-17.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-07 04:40:10 UTC
Type: ---
Embargoed:


Attachments
Buggy zip file (2.28 KB, application/zip), 2010-01-26 09:29 UTC, D. Wagner
Buggy zip file (2.28 KB, application/zip), 2010-01-26 09:29 UTC, D. Wagner
Buggy zip file (2.28 KB, application/zip), 2010-01-26 09:30 UTC, D. Wagner
Valgrind warnings for bug1.zip (8.16 KB, text/plain), 2010-01-26 09:30 UTC, D. Wagner
Valgrind warnings for bug2.zip (7.58 KB, text/plain), 2010-01-26 09:31 UTC, D. Wagner
Valgrind warnings for bug3.zip (8.05 KB, text/plain), 2010-01-26 09:31 UTC, D. Wagner
patch (1.10 KB, patch), 2014-11-13 19:15 UTC, Petr Stodulka

Description D. Wagner 2010-01-26 09:29:28 UTC
Created attachment 386782 [details]
Buggy zip file

Description of problem:

Running unzip on an invalid/corrupted .zip archive can trigger valgrind warnings about reading uninitialized values.  This may indicate a bug in 'unzip'.

Version-Release number of selected component (if applicable):

unzip-5.52-12.fc12.x86_64
valgrind-3.5.0-9.x86_64

How reproducible: 100%

Steps to Reproduce:
1. See attached file bug1.zip, bug2.zip, or bug3.zip
2. Run valgrind -q --leak-check=no unzip -o bug1.zip (or bug2.zip, or bug3.zip)
  
Actual results: Valgrind warnings -- see attached files

Expected results: No Valgrind warnings

Additional info:

I tried downloading the debuginfo for the unzip package, in hopes that this would lead to better Valgrind warning messages.  However, it appears that on my system Valgrind is broken: once I installed the debuginfo packages, Valgrind started giving me assertion failure errors associated with readelf.c, so I had to delete the debuginfo packages.

Comment 1 D. Wagner 2010-01-26 09:29:56 UTC
Created attachment 386783 [details]
Buggy zip file

Comment 2 D. Wagner 2010-01-26 09:30:14 UTC
Created attachment 386784 [details]
Buggy zip file

Comment 3 D. Wagner 2010-01-26 09:30:44 UTC
Created attachment 386785 [details]
Valgrind warnings for bug1.zip

Comment 4 D. Wagner 2010-01-26 09:31:02 UTC
Created attachment 386786 [details]
Valgrind warnings for bug2.zip

Comment 5 D. Wagner 2010-01-26 09:31:18 UTC
Created attachment 386787 [details]
Valgrind warnings for bug3.zip

Comment 6 Karel Klíč 2010-02-28 12:16:41 UTC
Can you report your findings directly to the upstream, please?

http://www.info-zip.org/board/board.pl?b-unzipbugs/

This needs more work, as Valgrind warnings are often false positives. It would be great if you can discover actual flaws in the source code.

Comment 7 D. Wagner 2010-02-28 20:39:34 UTC
OK, I've reported this upstream.  Thanks for the suggestion.  Unfortunately I'm not able to diagnose this further, as I'm not familiar enough with the unzip source code; my apologies.

Comment 8 D. Wagner 2010-02-28 21:37:18 UTC
I have reported this upstream but it doesn't look like any action is likely; they say that unzip 5.52 (the latest version of unzip in Fedora 12) is about five years old.

Comment 9 Karel Klíč 2010-04-12 09:06:25 UTC
If no actual flaws in the source code are found, this cannot be fixed.

Please reopen this if you find a bug of the source code related to the Valgrind warnings.

Comment 10 D. Wagner 2010-04-12 16:11:44 UTC
The flaw in the source code is described in my bug report to upstream.  See here:

http://www.info-zip.org/board/board.pl?m-1267389382/
(scroll down to see the bug in the source code of do_string())

My upstream bug report does not appear to have led to any action from the upstream team, presumably because they are focused on unzip 6.0.

I see this bugzilla entry was closed as NOTABUG.  I'm reopening this, as in my view it is still a bug even if it will not be fixed.  I assume you'll close it as WONTFIX if it will be left unfixed.

Comment 11 Bug Zapper 2010-11-03 23:53:26 UTC
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12.  It is Fedora's policy to close all bug reports from releases that are no longer maintained.  At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life.  If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version.  If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events.  Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 12 Fedora Admin XMLRPC Client 2010-11-29 13:34:34 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 13 Vojtech Vitek 2011-01-03 18:19:23 UTC
Quote from upstream channel:
> Could be a potential bug. Probably should verify all the data was read.
> However, this is in theory being read from the middle of the file, so
> something regarding the file probably has to change in the middle
> of reading data, which probably is not likely for a static file sitting
> on the file system.  Added a note to the TODO list to check this.

Moving to rawhide, as this is still somehow valid in unzip 6.0. I agree with the upstream comment - this is an extreme case which most likely can't happen in normal use.

Assigning low priority and low severity.
I'll check the source code and upstream TODO list in the next weeks.

Comment 14 D. Wagner 2011-01-03 20:26:32 UTC
Thanks, Vojtech.  I appreciate it.

(In reply to comment #13)
> I agree with the upstream comment - this is an extreme case which most likely
> can't happen in normal use.

Here's the kind of scenario I was concerned about.  A common use is to download a .zip file off the Internet (or save it from an attachment to an email) and unzip it using the "unzip" command.  If that .zip file comes from an attacker, it would presumably be possible for an attacker to maliciously construct the .zip file in a way that triggers this bug, and (speculation:) possibly in a way that causes some harmful side-effect, akin to a buffer overrun.

This is highly speculative.  On the one hand, I can't rule out the possibility of a security risk.  I have seen other cases where Valgrind warnings about use of uninitialized values indicated exploitable security vulnerabilities.  On the other hand, I have not constructed such an exploit, and I would not place a very high likelihood on the chances that this particular bug can be exploited in such a way.  My sense is that Valgrind warnings about uninitialized values indicate a security vulnerability only in a small fraction of cases (as a wild guess, 10-20%?).  That fraction seems high enough that it probably justifies fixing or investigating the bug, but not high enough for me to get overly worried at this point.

I don't think this changes your plan of action; I'm just sharing the reason why I reported it.
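As an added illustration (not unzip's own code and not the patch attached in comment 18), the following C sketch contrasts the unchecked read pattern the upstream quote in comment 13 describes ("probably should verify all the data was read") with a version that compares the byte count actually read against the length declared in the header. The names mem_file, mem_read, read_name_unchecked, read_name_checked and count_separators are invented for this example, and the sample bytes are constructed. Compiled with -g and run under valgrind -q, the unchecked variant on the truncated sample produces the "conditional jump or move depends on uninitialised value(s)" class of warning, because it branches on bytes the short read never filled in; the checked variant rejects the field before inspecting any of them.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not unzip's code) of the defect class discussed
 * in comments 10 and 13: a field is read using the length declared in the
 * archive header, the number of bytes actually read is never compared with
 * that length, and the code then branches on bytes it never received. */

/* Minimal in-memory archive stand-in; a truncated archive simply has fewer
 * bytes than a header claims. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_file;

/* Behaves like a readbuf()-style helper: copies up to n bytes and returns
 * how many were actually available. */
static size_t mem_read(mem_file *f, unsigned char *buf, size_t n)
{
    size_t avail = f->len - f->pos;
    size_t take = n < avail ? n : avail;
    memcpy(buf, f->data + f->pos, take);
    f->pos += take;
    return take;
}

/* Counts '/' separators in a name. Both variants call it, so the unchecked
 * one branches on every byte it believes it read. */
static size_t count_separators(const unsigned char *buf, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '/')      /* Valgrind flags this when buf[i] is undefined */
            count++;
    return count;
}

/* Unchecked pattern: trusts the declared length, discards the read's return
 * value, and processes `declared` bytes regardless. On a truncated archive
 * the tail of buf is whatever was on the stack. */
static int read_name_unchecked(mem_file *f, size_t declared,
                               char *out, size_t outsz, size_t *seps)
{
    unsigned char buf[64];
    if (declared >= sizeof buf || declared >= outsz)
        return -1;                      /* header length out of range */
    (void)mem_read(f, buf, declared);   /* short read goes unnoticed */
    *seps = count_separators(buf, declared);
    memcpy(out, buf, declared);
    out[declared] = '\0';
    return 0;
}

/* Checked pattern: the actual byte count must equal the declared length;
 * a short read means a corrupt or truncated archive and is rejected before
 * any byte of buf is inspected. */
static int read_name_checked(mem_file *f, size_t declared,
                             char *out, size_t outsz, size_t *seps)
{
    unsigned char buf[64];
    if (declared >= sizeof buf || declared >= outsz)
        return -1;
    size_t got = mem_read(f, buf, declared);
    if (got != declared)
        return -2;                      /* truncated field: refuse to continue */
    *seps = count_separators(buf, declared);
    memcpy(out, buf, declared);
    out[declared] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: the header claims a 12-byte name, but only the
     * 8 bytes of "dir/file" follow. */
    static const unsigned char truncated[] = "dir/file";
    char name[32];
    size_t seps = 0;

    mem_file f1 = { truncated, 8, 0 };
    printf("unchecked: rc=%d (silently proceeds)\n",
           read_name_unchecked(&f1, 12, name, sizeof name, &seps));

    mem_file f2 = { truncated, 8, 0 };
    printf("checked:   rc=%d (short read rejected)\n",
           read_name_checked(&f2, 12, name, sizeof name, &seps));

    mem_file f3 = { truncated, 8, 0 };
    if (read_name_checked(&f3, 8, name, sizeof name, &seps) == 0)
        printf("checked:   name=\"%s\" separators=%zu\n", name, seps);
    return 0;
}
```

The check is the whole fix: a reader that ignores the return value of its read helper cannot distinguish a complete field from a truncated one, so the only safe response to a count mismatch is to fail the entry rather than to keep parsing what happens to be in the buffer.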

Comment 15 Fedora Admin XMLRPC Client 2012-05-07 09:32:51 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 16 Fedora End Of Life 2013-04-03 18:50:29 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 17 Fedora Admin XMLRPC Client 2014-09-30 12:54:04 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 18 Petr Stodulka 2014-11-13 19:15:57 UTC
Created attachment 957278 [details]
patch

This could be a solution for the valgrind warnings. But it seems that this is a dangerous bug. I will discuss this with upstream again - it seems that this bug has been forgotten due to more important bugs.

Comment 19 Petr Stodulka 2014-11-20 12:28:49 UTC
Correction: It seems that this is not a dangerous bug.

Patch was applied in upstream development version.

Comment 20 Fedora Update System 2014-11-27 15:50:21 UTC
unzip-6.0-17.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/unzip-6.0-17.fc21

Comment 21 Fedora Update System 2014-11-27 15:50:32 UTC
unzip-6.0-14.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/unzip-6.0-14.fc20

Comment 22 Fedora Update System 2014-11-27 15:51:45 UTC
unzip-6.0-13.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/unzip-6.0-13.fc19

Comment 23 Fedora Update System 2014-11-27 19:28:20 UTC
Package unzip-6.0-17.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing unzip-6.0-17.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15892/unzip-6.0-17.fc21
then log in and leave karma (feedback).

Comment 24 Fedora Update System 2014-12-07 04:40:10 UTC
unzip-6.0-14.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2014-12-17 04:41:17 UTC
unzip-6.0-17.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
