zziplib: Multiple vulnerabilities

Debian Bug report logs - #854727

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 9 Feb 2017 22:33:02 UTC

Severity: grave

Tags: security

Found in version zziplib/0.13.62-3

Fixed in version zziplib/0.13.62-3.1

Done: Moritz Muehlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Thu, 09 Feb 2017 22:33:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Scott Howard <showard@debian.org>. (Thu, 09 Feb 2017 22:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple vulnerabilities / unsuitable for stretch?
Date: Thu, 09 Feb 2017 23:31:22 +0100
Source: zziplib
Severity: grave
Tags: security

Hi,
multiple security issues have been found in zziplib by Agostino Sarubbo
of Gentoo:

http://www.openwall.com/lists/oss-security/2017/02/09/10
http://www.openwall.com/lists/oss-security/2017/02/09/11
http://www.openwall.com/lists/oss-security/2017/02/09/12
http://www.openwall.com/lists/oss-security/2017/02/09/13
http://www.openwall.com/lists/oss-security/2017/02/09/14
http://www.openwall.com/lists/oss-security/2017/02/09/15
http://www.openwall.com/lists/oss-security/2017/02/09/16
http://www.openwall.com/lists/oss-security/2017/02/09/17
http://www.openwall.com/lists/oss-security/2017/02/09/18
http://www.openwall.com/lists/oss-security/2017/02/09/19
http://www.openwall.com/lists/oss-security/2017/02/09/20

He points out that upstream seems dead:
http://www.openwall.com/lists/oss-security/2017/02/09/21

Aside from that, there are also older, unacknowledged bugs from the
Mayhem project in the BTS.

So unless you want to pick up upstream maintenance yourself, we should
rather remove zziplib from stretch.

Cheers,
        Moritz



Marked as found in versions zziplib/0.13.62-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Feb 2017 16:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Sat, 25 Feb 2017 14:51:05 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Sat, 25 Feb 2017 14:51:05 GMT)


Message #12 received at 854727@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 854727@bugs.debian.org
Subject: Removal from stretch?
Date: Sat, 25 Feb 2017 15:49:34 +0100
Removing zziplib from stretch seems like a bit of an effort:

$ apt-cache rdepends libzzip-0-13
libzzip-0-13
Reverse Depends:
  libzzip-dev
  zziplib-bin
  libacexml-6.3.3
  texlive-binaries
  swftools
  libogre-1.9.0v5
  mpd
  milkytracker
  lua-zip
  libgetdata7

Cheers,
-Hilko



Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Mon, 20 Mar 2017 22:18:05 GMT)


Acknowledgement sent to Andreas Henriksson <andreas@fatal.se>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Mon, 20 Mar 2017 22:18:05 GMT)


Message #17 received at 854727@bugs.debian.org:

From: Andreas Henriksson <andreas@fatal.se>
To: Hilko Bengen <bengen@debian.org>
Cc: 854727@bugs.debian.org
Subject: Re: Removal from stretch?
Date: Mon, 20 Mar 2017 23:16:10 +0100
Hello,

(Attaching a simplified reverse dependency tree map in case anyone finds
it useful.)

I quickly looked over sources of the ones that seemed important enough
and in most of them it seems pretty trivial to build without zzip.
Not sure what effect this has on the usability of the software though.

On Sat, Feb 25, 2017 at 03:49:34PM +0100, Hilko Bengen wrote:
> Removing zziplib from stretch seems like a bit of an effort:
> 
> $ apt-cache rdepends libzzip-0-13
> libzzip-0-13
> Reverse Depends:
>   libzzip-dev
>   zziplib-bin

(Same source package. Drop.)

>   libacexml-6.3.3

libacexml-6.3.3: not investigated. No rdeps.

>   texlive-binaries

texlive-binaries: ???

>   swftools

swftools: not investigated. No rdeps.

>   libogre-1.9.0v5

libogre-1.9.0v5: Move from build-depends to build-conflicts and build-system adapts?!

>   mpd

mpd: zzip disabled by default, so just drop --enable-zzip from debian/rules

>   milkytracker

milkytracker: zzip *not* optional?! Has rdeps!

>   lua-zip

lua-zip: not investigated. No rdeps.

>   libgetdata7

libgetdata: configure --without-libzzip


Conclusion:
 - texlive-binaries and milkytracker need further investigation.
 - no-rdep packages need consideration if they're worth preserving.

Regards,
Andreas Henriksson
[zzip-rdeps.png (image/png, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Fri, 24 Mar 2017 11:45:02 GMT)


Acknowledgement sent to Scott Howard <showard314@gmail.com>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Fri, 24 Mar 2017 11:45:02 GMT)


Message #22 received at 854727@bugs.debian.org:

From: Scott Howard <showard314@gmail.com>
To: Andreas Henriksson <andreas@fatal.se>, 854727@bugs.debian.org
Cc: Hilko Bengen <bengen@debian.org>
Subject: Re: Bug#854727: Removal from stretch?
Date: Fri, 24 Mar 2017 07:41:03 -0400
I was contacted by someone at SUSE that is working on fixing the security
bugs - but even if successful, I don't know how good the quality will be or
how much testing will be able to get done before stretch is released.
Removal might be safest option

Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Tue, 11 Apr 2017 16:15:05 GMT)


Removed tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Tue, 11 Apr 2017 16:15:08 GMT)


Added tag(s) stretch-ignore. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Sat, 22 Apr 2017 19:00:05 GMT)


Added tag(s) jessie-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 23 Apr 2017 19:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Wed, 31 May 2017 20:57:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Wed, 31 May 2017 20:57:08 GMT)


Message #35 received at 854727@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Scott Howard <showard314@gmail.com>
Cc: Andreas Henriksson <andreas@fatal.se>, 854727@bugs.debian.org, Hilko Bengen <bengen@debian.org>
Subject: Re: Bug#854727: Removal from stretch?
Date: Wed, 31 May 2017 22:55:32 +0200
On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
> I was contacted by someone at SUSE that is working on fixing the security
> bugs - but even if successful, I don't know how good the quality will be or
> how much testing will be able to get done before stretch is released.
> Removal might be safest option

Unfortunately removal didn't work out for stretch and will have to wait
for buster.

I'm attaching the patches used by SuSE to address these vulnerabilities
(extracted from their srpm).

Cheers,
        Moritz
[zziplib-CVE-2017-5974.patch (text/x-diff, attachment)]
[zziplib-CVE-2017-5975.patch (text/x-diff, attachment)]
[zziplib-CVE-2017-5976.patch (text/x-diff, attachment)]
[zziplib-CVE-2017-5978.patch (text/x-diff, attachment)]
[zziplib-CVE-2017-5979.patch (text/x-diff, attachment)]
[zziplib-CVE-2017-5981.patch (text/x-diff, attachment)]
[zziplib-unzipcat-NULL-name.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Thu, 01 Jun 2017 06:45:03 GMT)


Acknowledgement sent to Josef Moellers <jmoellers@suse.de>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Thu, 01 Jun 2017 06:45:03 GMT)


Message #40 received at 854727@bugs.debian.org:

From: Josef Moellers <jmoellers@suse.de>
To: Moritz Muehlenhoff <jmm@debian.org>, 854727@bugs.debian.org, Scott Howard <showard314@gmail.com>
Cc: Andreas Henriksson <andreas@fatal.se>, Hilko Bengen <bengen@debian.org>
Subject: Re: Bug#854727: Removal from stretch?
Date: Thu, 1 Jun 2017 08:25:26 +0200
On 31.05.2017 22:55, Moritz Muehlenhoff wrote:
> On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
>> I was contacted by someone at SUSE that is working on fixing the security
>> bugs - but even if successful, I don't know how good the quality will be or
>> how much testing will be able to get done before stretch is released.
>> Removal might be safest option

That was probably me ;-)

The patches I prepared were just that: patches to fix the issues at
hand, e.g. check if a file offset is within range before fetching
something from that offset. They fix the issues of the CVEs and will
allow the zziplib to handle the corrupt archives attached to the CVEs.
Most likely there are other places where the code will happily use part
of an ASCII string as a file offset! In the end, the code might need to
be more strict, rejecting a file if it looks corrupt.

All in all, IMHO the code needs a thorough rework to properly check
values and offsets and, as said, reject corrupt archives. Although
zziplib is still quite high on my list of tasks, unfortunately at the
moment I do not have enough time to do this, so either someone else will
do it or I need to find some time for that, maybe next year's hackweek.

> Unfortunately removal didn't work out for stretch and will have to wait
> for buster.
> 
> I'm attaching the patches used by SuSE to address these vulnerabilities
> (extracted from their srpm).
> 
> Cheers,
>         Moritz
> 

Josef
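The check Josef describes above (is a file offset within range before anything is fetched from it) and the stricter policy he suggests (reject an archive whose numbers do not add up), shown side by side as an added example. This is illustrative code written for this page; it is not zziplib's code and not one of the attached patches. Only the EOCD and central directory field layouts are the standard ZIP ones; the function names, the two-entry sample archive and the corruptions applied to it are constructed here.

```c
/* Added example, not zziplib's code: a minimal ZIP central-directory walker in
 * two versions. cd_count_unchecked() uses the offsets and lengths stored in the
 * archive as-is, the pattern behind the out-of-bounds reads in this bug;
 * cd_count_checked() rejects anything that does not fit inside the bytes it
 * was handed. Field layouts are standard ZIP; the sample archives are made up. */
#include <stdint.h>
#include <string.h>

#define SIG_EOCD 0x06054b50u
#define SIG_CDFH 0x02014b50u
#define EOCD_MIN 22u  /* fixed part of the end-of-central-directory record */
#define CDFH_MIN 46u  /* fixed part of a central directory file header */

/* Little-endian accessors; bounds are the caller's responsibility. */
uint32_t get16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
uint32_t get32(const uint8_t *p) { return get16(p) | (get16(p + 2) << 16); }
void put16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Scan backwards for the EOCD signature; returns its offset or -1. */
static long find_eocd(const uint8_t *buf, size_t len)
{
    if (len < EOCD_MIN) return -1;
    for (size_t i = len - EOCD_MIN + 1; i-- > 0;)
        if (get32(buf + i) == SIG_EOCD) return (long)i;
    return -1;
}

/* VULNERABLE: trusts the stored directory offset and every per-entry length,
 * so a corrupt archive makes the loop read outside buf. Trusted input only. */
int cd_count_unchecked(const uint8_t *buf, size_t len)
{
    long eocd = find_eocd(buf, len);
    if (eocd < 0) return -1;
    uint32_t entries = get16(buf + eocd + 10);
    const uint8_t *p = buf + get32(buf + eocd + 16);      /* unchecked offset */
    for (uint32_t i = 0; i < entries; i++) {
        if (get32(p) != SIG_CDFH) return -1;               /* may read out of bounds */
        p += CDFH_MIN + get16(p + 28) + get16(p + 30) + get16(p + 32);
    }
    return (int)entries;
}

/* HARDENED: every offset and length is checked against the bytes present before
 * it is dereferenced; a directory that does not fit is rejected as corrupt. */
int cd_count_checked(const uint8_t *buf, size_t len)
{
    long eocd = find_eocd(buf, len);
    if (eocd < 0) return -1;
    uint32_t entries = get16(buf + eocd + 10);
    uint32_t cd_size = get32(buf + eocd + 12), cd_off = get32(buf + eocd + 16);
    /* cd_off + cd_size must not wrap and must end at or before the EOCD. */
    if (cd_off > (uint64_t)eocd || cd_size > (uint64_t)eocd - cd_off) return -1;
    size_t pos = cd_off, end = (size_t)cd_off + cd_size;
    for (uint32_t i = 0; i < entries; i++) {
        if (end - pos < CDFH_MIN) return -1;               /* fixed header fits? */
        const uint8_t *p = buf + pos;
        if (get32(p) != SIG_CDFH) return -1;
        size_t var = (size_t)get16(p + 28) + get16(p + 30) + get16(p + 32);
        if (end - pos - CDFH_MIN < var) return -1;         /* name/extra/comment fit? */
        pos += CDFH_MIN + var;
    }
    return (int)entries;
}

/* Constructed sample: directory headers for the given names, then an EOCD (no
 * local headers; neither walker reads them). Returns length, or 0 on overflow. */
size_t build_sample(uint8_t *out, size_t cap, const char **names, int count)
{
    size_t pos = 0;
    for (int i = 0; i < count; i++) {
        size_t nl = strlen(names[i]);
        if (cap - pos < CDFH_MIN + nl) return 0;
        memset(out + pos, 0, CDFH_MIN);
        put32(out + pos, SIG_CDFH);
        put16(out + pos + 28, (uint32_t)nl);               /* file name length */
        memcpy(out + pos + CDFH_MIN, names[i], nl);
        pos += CDFH_MIN + nl;
    }
    if (cap - pos < EOCD_MIN) return 0;
    memset(out + pos, 0, EOCD_MIN);
    put32(out + pos, SIG_EOCD);
    put16(out + pos + 8, (uint32_t)count);                 /* entries on this disk */
    put16(out + pos + 10, (uint32_t)count);                /* entries in total */
    put32(out + pos + 12, (uint32_t)pos);                  /* central directory size */
    put32(out + pos + 16, 0);                              /* central directory offset */
    return pos + EOCD_MIN;
}

/* which: 0 = hardened walker on the intact sample, 1 = unchecked walker on it,
 * 2 = directory offset overwritten with "AAAA", 3 = first name length 0xffff.
 * The corrupted cases go through the hardened walker only. */
int scenario(int which)
{
    const char *names[] = { "a.txt", "b.txt" };
    uint8_t zip[256];
    size_t len = build_sample(zip, sizeof zip, names, 2);
    if (which == 1) return cd_count_unchecked(zip, len);
    if (which == 2) put32(zip + len - EOCD_MIN + 16, 0x41414141u);
    if (which == 3) put16(zip + 28, 0xffff);
    return cd_count_checked(zip, len);
}
```

scenario(2) is the case Josef mentions, text ("AAAA") ending up used as a file offset; scenario(3) is the per-entry variant, a name length that points past the end of the directory. Both are rejected by cd_count_checked() before any byte at the bogus position is touched, while cd_count_unchecked() is deliberately only ever run on the intact sample, since on the corrupted ones it performs exactly the out-of-range read the patches in this bug guard against. The larger point in the walker is that the checks compare against the buffer actually present (end - pos) rather than against other attacker-controlled fields, and that the offset arithmetic is written so it cannot wrap.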



Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Thu, 01 Jun 2017 16:39:02 GMT)


Acknowledgement sent to Adrian Bunk <bunk@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Thu, 01 Jun 2017 16:39:02 GMT)


Message #45 received at 854727@bugs.debian.org:

From: Adrian Bunk <bunk@debian.org>
To: 854727@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Splitting the zziplib vulnerabilities bug into two
Date: Thu, 1 Jun 2017 19:37:10 +0300
clone 854727 -1
retitile -1 zziplib: unsuitable for future stable releases?
tags -1 - security
retitle 854727 zziplib: Multiple vulnerabilities
tags 854727 - jessie-ignore stretch-ignore
thanks

Considering the way the discussion developed, I am splitting this bug to 
track two separate issues:
- the original #854727 to track the status of the CVE fixes in jessie
  and stretch
- a new bug to track the suggested removal in buster

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed




Bug 854727 cloned as bug 863892. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Thu, 01 Jun 2017 16:45:05 GMT)


Changed Bug title to 'zziplib: Multiple vulnerabilities' from 'Multiple vulnerabilities / unsuitable for stretch?'. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Thu, 01 Jun 2017 16:45:06 GMT)


Removed tag(s) stretch-ignore and jessie-ignore. Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Thu, 01 Jun 2017 16:45:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Sun, 04 Jun 2017 09:12:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Sun, 04 Jun 2017 09:12:03 GMT)


Message #56 received at 854727@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Scott Howard <showard314@gmail.com>
Cc: Andreas Henriksson <andreas@fatal.se>, 854727@bugs.debian.org, Hilko Bengen <bengen@debian.org>
Subject: Re: Bug#854727: Removal from stretch?
Date: Sun, 4 Jun 2017 11:09:40 +0200
Moritz Muehlenhoff wrote:
> On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
> > I was contacted by someone at SUSE that is working on fixing the security
> > bugs - but even if successful, I don't know how good the quality will be or
> > how much testing will be able to get done before stretch is released.
> > Removal might be safest option
> 
> Unfortunately removal didn't work out for stretch and will have to wait
> for buster.

Since the stretch release is coming close and since Scott is on the LowNMU
list I've uploaded an NMU. CVE-2017-5980 isn't mentioned in the patch
names, but I've confirmed with the reproducers that it's fixed as well.

CVE-2017-5977 still needs to be checked, it might be fixed along with
zziplib-CVE-2017-5974.patch or zziplib-CVE-2017-5976.patch, but needs
further investigation. It's only a memory overread, so if it misses
the stretch release that's not a big deal.

Cheers,
        Moritz



Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Sun, 04 Jun 2017 09:36:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 04 Jun 2017 09:36:03 GMT)


Message #61 received at 854727-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 854727-close@bugs.debian.org
Subject: Bug#854727: fixed in zziplib 0.13.62-3.1
Date: Sun, 04 Jun 2017 09:33:44 +0000
Source: zziplib
Source-Version: 0.13.62-3.1

We believe that the bug you reported is fixed in the latest version of
zziplib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854727@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated zziplib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Jun 2017 09:03:20 +0200
Source: zziplib
Binary: zziplib-bin libzzip-0-13 libzzip-dev
Architecture: source amd64
Version: 0.13.62-3.1
Distribution: unstable
Urgency: medium
Maintainer: Scott Howard <showard@debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
 libzzip-0-13 - library providing read access on ZIP-archives - library
 libzzip-dev - library providing read access on ZIP-archives - development
 zziplib-bin - library providing read access on ZIP-archives - binaries
Closes: 854727
Changes:
 zziplib (0.13.62-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix multiple security issues (Closes: #854727). Thanks to Josef
     Moellers of SuSE for the patches!
Checksums-Sha1:
 a737c57beee23a45b5008bfdabb7f6dbbf3415da 2036 zziplib_0.13.62-3.1.dsc
 2c811446637e6457dd8dc67321bf7d960adf1a8a 12996 zziplib_0.13.62-3.1.debian.tar.xz
 3b9cfadede8744b856b8e42a0c894b01a4889e40 5906 libzzip-0-13-dbgsym_0.13.62-3.1_amd64.deb
 dd76e12ca94cb5a3128a70f0a4f5633a317999a6 55352 libzzip-0-13_0.13.62-3.1_amd64.deb
 b4fd3dbdbf349449c3c8cd35a7a606fadc6647e0 111378 libzzip-dev_0.13.62-3.1_amd64.deb
 2def4d1a4baf4e4404d5281b65f607979b43e7ed 4316 zziplib-bin-dbgsym_0.13.62-3.1_amd64.deb
 dad4069fa23e2651d3eafd9076adedef40c3954c 41758 zziplib-bin_0.13.62-3.1_amd64.deb
 8c7fc21840db27ca3321a1235f22fc0aa788ace0 6924 zziplib_0.13.62-3.1_amd64.buildinfo
Checksums-Sha256:
 16c375f6811dbe6672acd6ad7f9a296901316353582fd972f5ee87dd9bea6a7b 2036 zziplib_0.13.62-3.1.dsc
 0d359f92a2f44d0f8f6ff3290fa3a4dd0446596e93251ab5f56b4db51e36bd66 12996 zziplib_0.13.62-3.1.debian.tar.xz
 d12404c92ac48be091907e2c925f029f3ab2774c9994b3c47bbe76435405f5b7 5906 libzzip-0-13-dbgsym_0.13.62-3.1_amd64.deb
 3b182f9468c0f6a2cc9ccaec61bf59e960eb958df4debf9058c8f2c459219105 55352 libzzip-0-13_0.13.62-3.1_amd64.deb
 c58653430daed1d88a595741bc86620e8c4c0176839812374849ac37f33ca1d9 111378 libzzip-dev_0.13.62-3.1_amd64.deb
 5901062e09eb5806f88482e38df810fe8b1ccca4932f0a1f5d78dfcf4a23f773 4316 zziplib-bin-dbgsym_0.13.62-3.1_amd64.deb
 c32c08a1077eea97c9ee111687068bea1fce698c31ade37feb170fcd314e1c38 41758 zziplib-bin_0.13.62-3.1_amd64.deb
 5337ab8639bdcf000a22396c80f9ec43e1c1605670d5ef6b9fc880a79a435e97 6924 zziplib_0.13.62-3.1_amd64.buildinfo
Files:
 a8b31034c79d92ef3a2702435d974d7a 2036 libs optional zziplib_0.13.62-3.1.dsc
 5f08520004e8e6e20aae23666083e542 12996 libs optional zziplib_0.13.62-3.1.debian.tar.xz
 7d57d2f5d309acc9da7a3543a5a71010 5906 debug extra libzzip-0-13-dbgsym_0.13.62-3.1_amd64.deb
 036fb6afb7891cdbf85831436be42406 55352 libs optional libzzip-0-13_0.13.62-3.1_amd64.deb
 c99ecd21cbe3a201e96390126341fe23 111378 libdevel optional libzzip-dev_0.13.62-3.1_amd64.deb
 dd63bdbf1d6bf6e93bead3099396f935 4316 debug extra zziplib-bin-dbgsym_0.13.62-3.1_amd64.deb
 7b9e37c80df90b8edebe1ae0196114c6 41758 utils optional zziplib-bin_0.13.62-3.1_amd64.deb
 73d9e93176ad3e46717ef277b2b1223e 6924 libs optional zziplib_0.13.62-3.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlkzzSwACgkQEMKTtsN8
TjY43w//ZMmF/cmGKhm4YN4ewLjlF5mR7YLm4/lA5RMQ4ukD9I3I5XiRTRIiYlwl
QNkoQlM5Hwcs4vyqIZy+YwJRTGiaMwe5gtOJiRwju0wWB+xbOpNdJ5SW9rnhtzCu
CHX9Pw3J8fUudzJD2mAcKvTXeynWnAsiGN+OHIHo7o3wgSte0N3I1i1/87TDHshR
XIq/h8K+c8pIXcCnXBnIwVvGtFvnBdIyVkrvuOlx9CLcWzCN9pJCS4AtoDmI3SEP
q4t7ibV+SsztDsD8pJur7VImKjq4rbaE4hvmVp6uLGISnLrUv1OxFMQlCEkX5aui
T16sZZMqAnQ1Zf8OhAxQ9+1MKN0+tpeyDPq65SWyUcNLUNSuQZetFK1sK3Empojn
eySAv+4SNJVCOGrONs6jYz9336x90EylEQ5fW5r14pmjUSSqdISevIpI9gZ+sYvM
mWDzGmHgxw75Jm9OpczZHTc6ewGqwY7snOjLwxBX9eOIRyl2hI/TVyVAJa1rFWvz
zaQdkvbq6Cn+Pln+YK1h0nh9VGu9NfAdsqk/qULGSJD25KNNE4aDS79H3gbRNd0T
YU+rcP6htB3/sORJHN3MlkLXKoncHKffYjnoWEyIsOPQbn6QBX/AqmVja2Yyp86d
s63nNTJoSl0MdjxPR31QCDg8cJdjb74pMkJN/oYX4U1vWkBM3Oo=
=Qwb6
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Scott Howard <showard@debian.org>:
Bug#854727; Package src:zziplib. (Sun, 04 Jun 2017 13:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Scott Howard <showard@debian.org>. (Sun, 04 Jun 2017 13:06:04 GMT)


Message #66 received at 854727@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 854727@bugs.debian.org
Cc: Scott Howard <showard314@gmail.com>, Andreas Henriksson <andreas@fatal.se>, Hilko Bengen <bengen@debian.org>
Subject: Re: Bug#854727: Removal from stretch?
Date: Sun, 4 Jun 2017 15:03:01 +0200
clone 854727 -1
retitle -1 zziplib: CVE-2017-5977
severity -1 important
thanks

hi

On Sun, Jun 04, 2017 at 11:09:40AM +0200, Moritz Muehlenhoff wrote:
> Moritz Muehlenhoff wrote:
> > On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
> > > I was contacted by someone at SUSE that is working on fixing the security
> > > bugs - but even if successful, I don't know how good the quality will be or
> > > how much testing will be able to get done before stretch is released.
> > > Removal might be safest option
> > 
> > Unfortunately removal didn't work out for stretch and will have to wait
> > for buster.
> 
> Since the stretch release is coming close and since Scott is on the LowNMU
> list I've uploaded an NMU. CVE-2017-5980 isn't mentioned in the patch
> names, but I've confirmed with the reproducers that it's fixed as well.
> 
> CVE-2017-5977 still needs to be checked, it might be fixed along with
> zziplib-CVE-2017-5974.patch or zziplib-CVE-2017-5976.patch, but needs
> further investigation. It's only a memory overread, so if it misses
> the stretch release that's not a big deal.

Cloning the bug to track possible further updates for CVE-2017-5977 in
the BTS, since 854727 closed with the upload.

Regards,
Salvatore



Bug 854727 cloned as bug 864150. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jun 2017 13:06:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:34:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:25:04 2019; Machine Name: buxtehude
