Debian Bug report logs - #664990
libzip1: CVE-2012-1162 CVE-2012-1163 Incorrect loop construct and numeric overflow
Reported by: Henri Salo <henri@nerv.fi>
Date: Thu, 22 Mar 2012 06:00:01 UTC
Severity: grave
Merged with 665957
Found in versions libzip/0.9.3-1, 0.10-1
Fixed in version libzip/0.10.1-1
Done: Fathi Boudra <fabo@debian.org>
Bug is archived. No further changes may be made.
Information forwarded to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>: Bug#664990; Package libzip1. (Thu, 22 Mar 2012 06:00:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>. (Thu, 22 Mar 2012 06:00:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libzip1
Version: 0.9.3-1
Severity: important
Is Debian-packages affected?
http://seclists.org/oss-sec/2012/q1/710
"""
The following two issues in libzip have been handled via
distros () vs openwall org. Distros and the libzip developers were informed on
2012-03-12. An update of libzip has become available on 2012-03-20, the
appointed coordinated release date. The PHP and zipruby developers have been
informed before 2012-03-16, but have not released updates yet.

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.

On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:

    (192) /* number of cdir-entries */
    (193) nentry = _zip_read2(&cdp);

Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:

    (104) if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.

_zip_readcdir finishes with reading in the directory entries in
a posttest do-while loop:

    (260) do {
    (261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
    ...
    (277) } while (i<cd->nentry && left > 0);

If cd->entry points to 0 bytes of allocated memory, _zip_dirent
writes beyond the allocated memory.

* CVE-2012-1163

libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks).

On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:

    (198) cd->size = _zip_read4(&cdp);
    (199) cd->offset = _zip_read4(&cdp);

libzip performs a consistency check on these values, but does not
anticipate an integer overflow:

    (203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.

Cheers, Timo
"""
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libzip1 depends on:
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
libzip1 recommends no packages.
libzip1 suggests no packages.
-- no debconf information
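An added illustration of the two defects described in the quoted advisory; it is not libzip's code and not the upstream or Ubuntu patch. All function names are hypothetical, the arithmetic is modelled as 32-bit unsigned (an assumption about the affected build), the sample values are constructed, and ZIP64 records are not handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Little-endian readers, standing in for _zip_read2/_zip_read4. */
static uint16_t rd2(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd4(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Quoted check shape in 32-bit unsigned arithmetic (assumed): sum can wrap. */
static int naive_accepts(uint32_t offset, uint32_t size, uint32_t limit) {
    return (uint32_t)(offset + size) <= limit;
}

/* Overflow-safe equivalent: never forms offset + size. */
static int safe_accepts(uint32_t offset, uint32_t size, uint32_t limit) {
    return offset <= limit && size <= limit - offset;
}

/* Post-test loop: the body runs before the condition is tested, so
 * nentry == 0 still touches slot 0 of a zero-byte allocation. */
static unsigned posttest_iterations(unsigned nentry, unsigned left) {
    unsigned i = 0;
    do { i++; if (left) left--; } while (i < nentry && left > 0);
    return i;
}

/* Pre-test loop: zero entries means zero iterations. */
static unsigned pretest_iterations(unsigned nentry, unsigned left) {
    unsigned i = 0;
    while (i < nentry && left > 0) { i++; left--; }
    return i;
}

/* Hypothetical validator for a 22-byte end-of-central-directory record
 * found at file offset eocd_pos. Returns 0 if consistent, -1 if not. */
static int check_eocd(const uint8_t *eocd, size_t len, uint32_t eocd_pos) {
    if (len < 22 || rd4(eocd) != 0x06054b50u) return -1;
    uint16_t nentry = rd2(eocd + 10);              /* total entries */
    uint32_t size = rd4(eocd + 12), offset = rd4(eocd + 16);
    if (!safe_accepts(offset, size, eocd_pos)) return -1;
    /* extra sanity check: each central directory header is >= 46 bytes */
    if ((uint64_t)nentry * 46u > size) return -1;
    return 0;
}

int main(void) {   /* constructed wrap case: naive accepts, safe rejects */
    return !(naive_accepts(0xFFFFFFF0u, 32u, 1000u) && !safe_accepts(0xFFFFFFF0u, 32u, 1000u));
}
```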
Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 22 Mar 2012 15:39:13 GMT)
Merged 664990 665957. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 27 Mar 2012 11:21:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>: Bug#664990; Package libzip1. (Wed, 28 Mar 2012 19:36:04 GMT)
Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>: Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>. (Wed, 28 Mar 2012 19:36:04 GMT)
Message #14 received at 664990@bugs.debian.org:
Package: libzip
Version: 0.10-1
Followup-For: Bug #664990
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
*** /tmp/tmpvDE7OS/bug_body
In Ubuntu, the attached patch was applied to achieve the following:
  * SECURITY UPDATE: arbitrary code execution or information leak via
    heap overflow and numeric overflow.
    - debian/patches/CVE-2012-116x.patch: fix overflow and loop in
      lib/zip_open.c.
    - CVE-2012-1162
    - CVE-2012-1163
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-20-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[libzip_0.10-1ubuntu1.debdiff (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>: Bug#664990; Package libzip1. (Thu, 29 Mar 2012 07:06:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>. (Thu, 29 Mar 2012 07:06:03 GMT)
Message #19 received at 664990@bugs.debian.org:
More information from Timo Warns:
- Only libzip 0.10 is affected.
- Stefan Cornelius has identified the precise commits that introduced the vulnerabilities:
https://bugzilla.redhat.com/show_bug.cgi?id=802564
https://bugzilla.redhat.com/show_bug.cgi?id=803028
- As PHP and zipruby include older versions of libzip, they are not
affected by the issues.
Reply sent to Fathi Boudra <fabo@debian.org>: You have taken responsibility. (Mon, 21 May 2012 12:51:35 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 21 May 2012 12:51:40 GMT)
Message #24 received at 664990-close@bugs.debian.org:
Source: libzip
Source-Version: 0.10.1-1
We believe that the bug you reported is fixed in the latest version of
libzip, which is due to be installed in the Debian FTP archive:
libzip-dev_0.10.1-1_amd64.deb
to main/libz/libzip/libzip-dev_0.10.1-1_amd64.deb
libzip2_0.10.1-1_amd64.deb
to main/libz/libzip/libzip2_0.10.1-1_amd64.deb
libzip_0.10.1-1.debian.tar.gz
to main/libz/libzip/libzip_0.10.1-1.debian.tar.gz
libzip_0.10.1-1.dsc
to main/libz/libzip/libzip_0.10.1-1.dsc
libzip_0.10.1.orig.tar.bz2
to main/libz/libzip/libzip_0.10.1.orig.tar.bz2
zipcmp_0.10.1-1_amd64.deb
to main/libz/libzip/zipcmp_0.10.1-1_amd64.deb
zipmerge_0.10.1-1_amd64.deb
to main/libz/libzip/zipmerge_0.10.1-1_amd64.deb
ziptorrent_0.10.1-1_amd64.deb
to main/libz/libzip/ziptorrent_0.10.1-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 664990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fathi Boudra <fabo@debian.org> (supplier of updated libzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 21 May 2012 15:16:11 +0300
Source: libzip
Binary: libzip-dev libzip2 zipcmp zipmerge ziptorrent
Architecture: source amd64
Version: 0.10.1-1
Distribution: unstable
Urgency: low
Maintainer: Fathi Boudra <fabo@debian.org>
Changed-By: Fathi Boudra <fabo@debian.org>
Description:
libzip-dev - library for reading, creating, and modifying zip archives (develo
libzip2 - library for reading, creating, and modifying zip archives (runtim
zipcmp - compare contents of zip archives
zipmerge - merge zip archives
ziptorrent - torrentzip zip archives
Closes: 664990 665957
Changes:
libzip (0.10.1-1) unstable; urgency=low
.
* New upstream release: fix CVE-2012-1162 and CVE-2012-1163
Incorrect loop construct and numeric overflow. (Closes: #664990, #665957)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
Reply sent to Fathi Boudra <fabo@debian.org>: You have taken responsibility. (Mon, 21 May 2012 12:51:44 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Mon, 21 May 2012 12:51:48 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:50:47 GMT)
Last modified: Wed Jun 19 14:47:07 2019