libzip1: CVE-2012-1162 CVE-2012-1163 Incorrect loop construct and numeric overflow

Related Vulnerabilities: CVE-2012-1162, CVE-2012-1163

Debian Bug report logs - #664990

Package: libzip1; Maintainer for libzip1 is (unknown);

Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 22 Mar 2012 06:00:01 UTC

Severity: grave

Merged with 665957

Found in versions libzip/0.9.3-1, 0.10-1

Fixed in version libzip/0.10.1-1

Done: Fathi Boudra <fabo@debian.org>

Bug is archived. No further changes may be made.



Information forwarded to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>:
Bug#664990; Package libzip1. (Thu, 22 Mar 2012 06:00:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>. (Thu, 22 Mar 2012 06:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: libzip1: CVE-2012-1162 CVE-2012-1163 Incorrect loop construct and numeric overflow
Date: Thu, 22 Mar 2012 07:57:48 +0200
Package: libzip1
Version: 0.9.3-1
Severity: important

Is Debian-packages affected?

http://seclists.org/oss-sec/2012/q1/710

"""
The following two issues in libzip have been handled via
distros@vs.openwall.org. Distros and the libzip developers were informed on
2012-03-12. An update of libzip has become available on 2012-03-20, the
appointed coordinated release date. The PHP and zipruby developers have been
informed before 2012-03-16, but have not released updates yet.

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

    libzip (version <= 0.10) uses an incorrect loop construct, which can
    result in a heap overflow on corrupted zip files.
    
    On opening a zip file with zip_open, libzip reads in the number of
    directory entries in the function _zip_readcdir in zip_open.c:

    (192)    /* number of cdir-entries */
    (193)    nentry = _zip_read2(&cdp);

    Subsequently, memory for directory entries is allocated via
    _zip_cdir_new (in zip_dirent.c) based on the number of directory
    entries:

    (104)    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

    If the number of directories in the zip file is set to 0, 0 bytes of
    memory are allocated.

    _zip_readcdir finishes with reading in the directory entries in
    a posttest do-while loop:

    (260)    do {
    (261)        if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
             ...
    (277)    } while (i<cd->nentry && left > 0);

    If cd->entry points to 0 bytes of allocated memory, _zip_dirent
    writes beyond the allocated memory.

* CVE-2012-1163

    libzip (version <= 0.10) has a numeric overflow condition, which,
    for example, results in improper restrictions of operations within
    the bounds of a memory buffer (e.g., allowing information leaks).

    On opening a zip file with zip_open, libzip reads in the size and the
    offset of the central directory structure in the function _zip_readcdir
    in zip_open.c:

    (198)    cd->size = _zip_read4(&cdp);
    (199)    cd->offset = _zip_read4(&cdp);

    libzip performs a consistency check on these values, but does not
    anticipate an integer overflow:

    (203)    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

    On an integer overflow, libzip continues to handle the zip file, which,
    for example, can result in improper restriction of operations within the
    bounds of a memory buffer.

Cheers, Timo
"""

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libzip1 depends on:
ii  libc6                   2.11.3-3         Embedded GNU C Library: Shared lib
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libzip1 recommends no packages.

libzip1 suggests no packages.

-- no debconf information
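The two defects quoted in the advisory above, shown side by side with their corrected forms, as an added example that is not libzip's own code: `read_record` and `struct dirent_stub` are constructed stand-ins for `_zip_dirent_read` and `struct zip_dirent`, the record layout is invented for the demonstration, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

struct dirent_stub { uint16_t name_len; };  /* constructed stand-in for struct zip_dirent */
/* Constructed stand-in for _zip_dirent_read: a record is a 2-byte little-endian
   name length followed by the name. Returns bytes consumed, or -1 if it does not fit. */
static long read_record(const uint8_t *p, size_t left, struct dirent_stub *out)
{
    if (left < 2) return -1;
    uint16_t n = (uint16_t)(p[0] | (p[1] << 8));
    if (left - 2 < n) return -1;
    out->name_len = n;
    return 2 + (long)n;
}

/* CVE-2012-1162: a pre-test loop in place of the do-while. With nentry == 0 the
   body never runs, so the zero-byte entry array is never written. Returns the
   number of entries read, or -1 on a truncated record. */
static int read_entries(const uint8_t *buf, size_t left, uint16_t nentry,
                        struct dirent_stub *entries)
{
    size_t i = 0, pos = 0;
    while (i < nentry && left > 0) {          /* was: do { ... } while (...); */
        long used = read_record(buf + pos, left, entries + i);
        if (used < 0) return -1;
        pos += (size_t)used;
        left -= (size_t)used;
        i++;
    }
    return (int)i;
}

/* CVE-2012-1163: the original check added two uint32 values in 32-bit arithmetic,
   so offset + size can wrap to a small value and pass the bound. */
static int cdir_fits_wrapping(uint32_t offset, uint32_t size, uint32_t limit)
{ return offset + size <= limit; }

/* Widening to 64 bits before adding makes the comparison exact. */
static int cdir_fits_safe(uint32_t offset, uint32_t size, uint32_t limit)
{ return (uint64_t)offset + size <= limit; }

/* Constructed samples: two good records ("ab", "c"); one claiming a 5-byte name. */
static const uint8_t SAMPLE_OK[] = { 2, 0, 'a', 'b', 1, 0, 'c' };
static const uint8_t SAMPLE_BAD[] = { 5, 0, 'a' };
/* Runs read_entries over a sample with room for up to four entries. */
static int demo_read(const uint8_t *buf, size_t len, uint16_t nentry)
{
    struct dirent_stub entries[4];
    return read_entries(buf, len, nentry, nentry ? entries : NULL);
}
```

With `nentry == 0` the corrected loop returns without touching the (NULL here, zero-byte in libzip) entry array, and the widened check rejects an offset/size pair that the 32-bit sum lets through.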




Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Thu, 22 Mar 2012 15:39:13 GMT)


Merged 664990 665957. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 27 Mar 2012 11:21:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>:
Bug#664990; Package libzip1. (Wed, 28 Mar 2012 19:36:04 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>. (Wed, 28 Mar 2012 19:36:04 GMT)


Message #14 received at 664990@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <664990@bugs.debian.org>
Subject: Re: libzip1: CVE-2012-1162 CVE-2012-1163 Incorrect loop construct and numeric overflow
Date: Wed, 28 Mar 2012 15:33:37 -0400
Package: libzip
Version: 0.10-1
Followup-For: Bug #664990
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: arbitrary code execution or information leak via
    heap overflow and numeric overflow.
    - debian/patches/CVE-2012-116x.patch: fix overflow and loop in
      lib/zip_open.c.
    - CVE-2012-1162
    - CVE-2012-1163


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-20-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[libzip_0.10-1ubuntu1.debdiff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Fathi Boudra <fabo@debian.org>:
Bug#664990; Package libzip1. (Thu, 29 Mar 2012 07:06:03 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Fathi Boudra <fabo@debian.org>. (Thu, 29 Mar 2012 07:06:03 GMT)


Message #19 received at 664990@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 664990@bugs.debian.org
Subject: More information
Date: Thu, 29 Mar 2012 10:03:47 +0300
More information from Timo Warns:

- Only libzip 0.10 is affected.
- Stefan Cornelius has identified the precise commits that introduced the vulnerabilities:
https://bugzilla.redhat.com/show_bug.cgi?id=802564
https://bugzilla.redhat.com/show_bug.cgi?id=803028
- As PHP and zipruby include older versions of libzip, they are not
affected by the issues.




Reply sent to Fathi Boudra <fabo@debian.org>:
You have taken responsibility. (Mon, 21 May 2012 12:51:35 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 21 May 2012 12:51:40 GMT)


Message #24 received at 664990-close@bugs.debian.org:

From: Fathi Boudra <fabo@debian.org>
To: 664990-close@bugs.debian.org
Subject: Bug#664990: fixed in libzip 0.10.1-1
Date: Mon, 21 May 2012 12:49:45 +0000
Source: libzip
Source-Version: 0.10.1-1

We believe that the bug you reported is fixed in the latest version of
libzip, which is due to be installed in the Debian FTP archive:

libzip-dev_0.10.1-1_amd64.deb
  to main/libz/libzip/libzip-dev_0.10.1-1_amd64.deb
libzip2_0.10.1-1_amd64.deb
  to main/libz/libzip/libzip2_0.10.1-1_amd64.deb
libzip_0.10.1-1.debian.tar.gz
  to main/libz/libzip/libzip_0.10.1-1.debian.tar.gz
libzip_0.10.1-1.dsc
  to main/libz/libzip/libzip_0.10.1-1.dsc
libzip_0.10.1.orig.tar.bz2
  to main/libz/libzip/libzip_0.10.1.orig.tar.bz2
zipcmp_0.10.1-1_amd64.deb
  to main/libz/libzip/zipcmp_0.10.1-1_amd64.deb
zipmerge_0.10.1-1_amd64.deb
  to main/libz/libzip/zipmerge_0.10.1-1_amd64.deb
ziptorrent_0.10.1-1_amd64.deb
  to main/libz/libzip/ziptorrent_0.10.1-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 664990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fathi Boudra <fabo@debian.org> (supplier of updated libzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 21 May 2012 15:16:11 +0300
Source: libzip
Binary: libzip-dev libzip2 zipcmp zipmerge ziptorrent
Architecture: source amd64
Version: 0.10.1-1
Distribution: unstable
Urgency: low
Maintainer: Fathi Boudra <fabo@debian.org>
Changed-By: Fathi Boudra <fabo@debian.org>
Description: 
 libzip-dev - library for reading, creating, and modifying zip archives (develo
 libzip2    - library for reading, creating, and modifying zip archives (runtim
 zipcmp     - compare contents of zip archives
 zipmerge   - merge zip archives
 ziptorrent - torrentzip zip archives
Closes: 664990 665957
Changes: 
 libzip (0.10.1-1) unstable; urgency=low
 .
   * New upstream release: fix CVE-2012-1162 and CVE-2012-1163
     Incorrect loop construct and numeric overflow. (Closes: #664990, #665957)





Reply sent to Fathi Boudra <fabo@debian.org>:
You have taken responsibility. (Mon, 21 May 2012 12:51:44 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 21 May 2012 12:51:48 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:50:47 GMT)

