unzip: CVE-2014-9913: buffer overflow in "unzip -l" via list_files() in list.c

Related Vulnerabilities: CVE-2014-9913   CVE-2014-9636   CVE-2016-9844

Debian Bug report logs - #847485
unzip: CVE-2014-9913: buffer overflow in "unzip -l" via list_files() in list.c


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Dec 2016 16:33:08 UTC

Severity: important

Tags: security, upstream

Found in version unzip/6.0-16

Fixed in version unzip/6.0-21

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#847485; Package src:unzip. (Thu, 08 Dec 2016 16:33:10 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Santiago Vila <sanvila@debian.org>. (Thu, 08 Dec 2016 16:33:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unzip: CVE-2014-9913: buffer oveflowin "unzip -l" via list_files() in list.c
Date: Thu, 08 Dec 2016 17:32:38 +0100
Source: unzip
Version: 6.0-16
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for unzip.

CVE-2014-9913[0]:
Buffer overflow in "unzip -l" via list_files() in list.c

Reproducible with the same PoZ.zip as generated in [1], but not the same issue.
Will file a separate bug for that.

$ unzip -l PoZ.zip 
Archive:  PoZ.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
*** buffer overflow detected ***: unzip terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7efc039dabcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7efc03a630e7]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7220)[0x7efc03a61220]
/lib/x86_64-linux-gnu/libc.so.6(+0xf67d9)[0x7efc03a607d9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xac)[0x7efc039debec]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xcd3)[0x7efc039b19f3]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x8c)[0x7efc03a6086c]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7efc03a607bd]
unzip[0x40f2e3]
unzip[0x411004]
unzip[0x41172f]
unzip[0x403c61]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7efc0398a2b1]
unzip[0x401e39]
======= Memory map: ========
00400000-00426000 r-xp 00000000 fd:00 276486                             /usr/bin/unzip
00625000-00626000 r--p 00025000 fd:00 276486                             /usr/bin/unzip
00626000-00627000 rw-p 00026000 fd:00 276486                             /usr/bin/unzip
00627000-00719000 rw-p 00000000 00:00 0 
02362000-02383000 rw-p 00000000 00:00 0                                  [heap]
7efc03753000-7efc03769000 r-xp 00000000 fd:00 524295                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc03769000-7efc03968000 ---p 00016000 fd:00 524295                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc03968000-7efc03969000 r--p 00015000 fd:00 524295                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc03969000-7efc0396a000 rw-p 00016000 fd:00 524295                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7efc0396a000-7efc03aff000 r-xp 00000000 fd:00 531855                     /lib/x86_64-linux-gnu/libc-2.24.so
7efc03aff000-7efc03cfe000 ---p 00195000 fd:00 531855                     /lib/x86_64-linux-gnu/libc-2.24.so
7efc03cfe000-7efc03d02000 r--p 00194000 fd:00 531855                     /lib/x86_64-linux-gnu/libc-2.24.so
7efc03d02000-7efc03d04000 rw-p 00198000 fd:00 531855                     /lib/x86_64-linux-gnu/libc-2.24.so
7efc03d04000-7efc03d08000 rw-p 00000000 00:00 0 
7efc03d08000-7efc03d17000 r-xp 00000000 fd:00 524381                     /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7efc03d17000-7efc03f16000 ---p 0000f000 fd:00 524381                     /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7efc03f16000-7efc03f17000 r--p 0000e000 fd:00 524381                     /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7efc03f17000-7efc03f18000 rw-p 0000f000 fd:00 524381                     /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7efc03f18000-7efc03f3b000 r-xp 00000000 fd:00 531850                     /lib/x86_64-linux-gnu/ld-2.24.so
7efc03f8d000-7efc04128000 r--p 00000000 fd:00 264231                     /usr/lib/locale/locale-archive
7efc04128000-7efc0412a000 rw-p 00000000 00:00 0 
7efc04136000-7efc0413a000 rw-p 00000000 00:00 0 
7efc0413a000-7efc0413b000 r--p 00022000 fd:00 531850                     /lib/x86_64-linux-gnu/ld-2.24.so
7efc0413b000-7efc0413c000 rw-p 00023000 fd:00 531850                     /lib/x86_64-linux-gnu/ld-2.24.so
7efc0413c000-7efc0413d000 rw-p 00000000 00:00 0 
7ffc84a93000-7ffc84ab4000 rw-p 00000000 00:00 0                          [stack]
7ffc84ba5000-7ffc84ba7000 r--p 00000000 00:00 0                          [vvar]
7ffc84ba7000-7ffc84ba9000 r-xp 00000000 00:00 0                          [vdso]

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9913
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9913
[1] https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#847485; Package src:unzip. (Fri, 09 Dec 2016 16:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 09 Dec 2016 16:42:05 GMT) (full text, mbox, link).


Message #10 received at 847485@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Salvatore Bonaccorso <carnil@debian.org>, 847485@bugs.debian.org
Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#847485: unzip: CVE-2014-9913: buffer oveflowin "unzip -l" via list_files() in list.c
Date: Fri, 9 Dec 2016 17:39:46 +0100 (CET)
forwarded 847485 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
thanks

On Thu, 8 Dec 2016, Salvatore Bonaccorso wrote:

> Source: unzip
> Version: 6.0-16
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for unzip.
> 
> CVE-2014-9913[0]:
> Buffer overflow in "unzip -l" via list_files() in list.c

And this is where I'm in doubt.

I could do the same as in the other CVE, and it would result in a patch
like the first one I attach.

But the end result is a little bit ugly to my taste and I would prefer
that unknown compression methods are always expressed in hexadecimal,
no matter what, as in the second patch attached.

So I've asked the author about what he will do in the phpbb thread
at the top.

BTW: It took me a while to realize how the two CVEs are different
indeed, even if "unzip -l" and "zipinfo" are "equivalent" and the
programs themselves are hardlinked. Hopefully by looking at the
patches it should be clear where the bugs are exactly.

Thanks a lot.
[cve-2014-9913-unzip-buffer-overflow.txt (text/plain, attachment)]
[cve-2014-9913-unzip-buffer-overflow-bis.txt (text/plain, attachment)]
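An added C illustration of the two approaches contrasted in the message above: a decimal label versus a fixed-width hexadecimal label for an unknown compression method. This is example code, not unzip's list.c and not either of the attached patches; the 6-byte buffer, the two-entry method-name table and the "u%03u" / "u%04x" formats are this example's own assumptions. The point it makes is the one behind the fortify abort in the report: the compression-method field in a zip header is 16 bits wide, so it can reach 65535, and a label sized for three decimal digits is overrun by such a value, whereas a four-digit hex form has the same length for every possible value and a write bounded by snprintf() cannot overrun at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the "method" column of an archive listing. The buffer
 * size, the name table and the formats are this example's assumptions, not
 * the real unzip list.c. */
#define METHBUF_LEN 6          /* five characters plus the terminating NUL */

static const char *const known_methods[] = {
    "Store",   /* 0: stored */
    "Shrnk",   /* 1: shrunk */
};
#define NUM_KNOWN (sizeof known_methods / sizeof known_methods[0])

/* Bytes, NUL included, that the decimal label "u<nnn>" needs for a given
 * method value. snprintf() with a NULL buffer and size 0 only measures the
 * output, so this never writes anywhere. */
int decimal_label_len(uint16_t method)
{
    return snprintf(NULL, 0, "u%03u", (unsigned)method) + 1;
}

/* 1 if the decimal label fits in METHBUF_LEN, 0 if an unbounded sprintf()
 * of that label would run past the buffer (the bug class in the report). */
int decimal_label_fits(uint16_t method)
{
    return decimal_label_len(method) <= METHBUF_LEN;
}

/* Hardened formatter: unknown methods are always written as "u" plus four
 * hex digits, which is exactly five characters for every 16-bit value, and
 * the write is bounded by snprintf() regardless of the value. Returns the
 * label length, or -1 if the caller's buffer is too small, in which case the
 * output is truncated rather than overrun. */
int format_method_label(char *buf, size_t buflen, uint16_t method)
{
    int n;
    if ((size_t)method < NUM_KNOWN)
        n = snprintf(buf, buflen, "%s", known_methods[method]);
    else
        n = snprintf(buf, buflen, "u%04x", (unsigned)method);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    char methbuf[METHBUF_LEN];
    /* Constructed header values: two known methods, the largest value that
     * still fits the decimal form, and the largest 16-bit value. */
    uint16_t samples[] = { 0, 8, 1000, 65535 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t m = samples[i];
        int rc = format_method_label(methbuf, sizeof methbuf, m);
        printf("method %5u: decimal label needs %d bytes (%s), hex label \"%s\"\n",
               (unsigned)m, decimal_label_len(m),
               decimal_label_fits(m) ? "fits" : "OVERFLOW",
               rc < 0 ? "<truncated>" : methbuf);
    }
    return 0;
}
```

The decimal form breaks because its length depends on the attacker-controlled value; the hex form is chosen so that the length is a constant of the field width, and snprintf() is kept as a second line of defence in case the buffer and the format ever drift apart again.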

Set Bug forwarded-to-address to 'http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (Fri, 09 Dec 2016 16:42:07 GMT) (full text, mbox, link).


Changed Bug title to 'unzip: CVE-2014-9913: buffer oveflow in "unzip -l" via list_files() in list.c' from 'unzip: CVE-2014-9913: buffer oveflowin "unzip -l" via list_files() in list.c'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (Sun, 11 Dec 2016 20:27:06 GMT) (full text, mbox, link).


Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Sun, 11 Dec 2016 21:09:16 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Dec 2016 21:09:16 GMT) (full text, mbox, link).


Message #19 received at 847485-close@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@debian.org>
To: 847485-close@bugs.debian.org
Subject: Bug#847485: fixed in unzip 6.0-21
Date: Sun, 11 Dec 2016 21:08:12 +0000
Source: unzip
Source-Version: 6.0-21

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 847485@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Dec 2016 21:03:30 +0100
Source: unzip
Binary: unzip
Architecture: source
Version: 6.0-21
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 unzip      - De-archiver for .zip files
Closes: 836051 842993 847485 847486
Changes:
 unzip (6.0-21) unstable; urgency=medium
 .
   * Rename all debian/patches/* to have .patch ending.
   * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
     patch "unzip-6.0_overflow3.diff" from mancha (patch author).
     Update also to follow upstream coding style.
   * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
     in the hope that it's not present anymore in GCC-6.
   * Allow source to be cross-built. Closes: #836051.
   * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
   * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
     Patch by the author.
   * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
     Patch by the author.
Checksums-Sha1:
 9fb43c2840bacd6325798459cacd140405d9d936 1344 unzip_6.0-21.dsc
 c7401c4282cbf39f4ad3a869400dcf8454a16f4b 17740 unzip_6.0-21.debian.tar.xz
Checksums-Sha256:
 c51fca0f9d8af19ead119addf4b56ea25443b64951b85eceb873f0ca76b378d4 1344 unzip_6.0-21.dsc
 8accd9d214630a366476437a3ec1842f2e057fdce16042a7b19ee569c33490a3 17740 unzip_6.0-21.debian.tar.xz
Files:
 df5279e9986e9c7b536733768162e550 1344 utils optional unzip_6.0-21.dsc
 25ffeb578788adf5b312a539733078f9 17740 utils optional unzip_6.0-21.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE1Uw7+v+wQt44LaXXQc5/C58bizIFAlhNsVsACgkQQc5/C58b
izICoAgAqSDyRKhDMgzUa3XzCCexomp2bx2RuwfOFetuuY0issWsOyn/DtWwwAFp
WZb4lSRDZ992YuPi5nhvs+U5NYbGGrkGaNivUc/fgJELlYMIQ9w2sqksL1RFQ8Pz
PKCaOFArgTjDNM2pAMk8ZR/C0UkR1o+1VYsq5uWLgRmwnPOQgmGS1w5AjxRizsEy
VSfNZNZcZz+ksS34UPvkLFNgtU9rNhW4LlMs11FNm3zTQlvc75xws+Jqx8UHeiyV
yxBDJ3VnUG5MEPuR9SLafDKPJ1XkbqMknhGCWYDd6Zy6thzNOKUr1rCOWJyG/nT7
sy6aY5A7RuyoVIliTi8HnCmwHR58sQ==
=r2fY
-----END PGP SIGNATURE-----




Changed Bug title to 'unzip: CVE-2014-9913: buffer overflow in "unzip -l" via list_files() in list.c' from 'unzip: CVE-2014-9913: buffer oveflow in "unzip -l" via list_files() in list.c'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (Mon, 12 Dec 2016 00:24:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#847485; Package src:unzip. (Wed, 14 Dec 2016 20:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Wed, 14 Dec 2016 20:45:05 GMT) (full text, mbox, link).


Message #26 received at 847485@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Salvatore Bonaccorso <carnil@debian.org>, 847485@bugs.debian.org
Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#847485: unzip: CVE-2014-9913: buffer oveflowin "unzip -l" via list_files() in list.c
Date: Wed, 14 Dec 2016 21:41:57 +0100 (CET)
Hello Salvatore and security people.

The fixed package for this CVE (and the other "twin" CVE) is on its
way to unstable, but it will take 10 days.

If we need a shorter time, we (well, secure-testing-team I suppose)
can ask the release managers to reduce the time.

Will there be also a security upload for stable, or maybe I should try
an upload for jessie-proposed-updates in the same way we did for "tre"?
(which was low priority and did not deserve a DSA)

Thanks.



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#847485; Package src:unzip. (Wed, 14 Dec 2016 20:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Wed, 14 Dec 2016 20:51:07 GMT) (full text, mbox, link).


Message #31 received at 847485@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Santiago Vila <sanvila@unex.es>
Cc: 847485@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#847485: unzip: CVE-2014-9913: buffer oveflowin "unzip -l" via list_files() in list.c
Date: Wed, 14 Dec 2016 21:49:28 +0100
Hi Santiago

On Wed, Dec 14, 2016 at 09:41:57PM +0100, Santiago Vila wrote:
> Hello Salvatore and security people.
> 
> The fixed package for this CVE (and the other "twin" CVE) is in its
> way to unstable, but it will take 10 days.

First of all, thanks a lot for having worked on those issues and
fixing them!

> If we need a shorter time, we (well, secure-testing-team I suppose)
> can ask the release managers to reduce the time.

That's not needed IMHO for those fixes; they can migrate to testing
with the normal 10-day delay now.

> Will there be also a security upload for stable, or maybe I should try
> an upload for jessie-proposed-updates in the same way we did for "tre"?
> (which was low priority and did not deserve a DSA)

Yes, exactly. Actually no DSA is planned for those, so it would be great
if you can schedule those as well via a jessie-pu upload.

Thanks again and regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 11:34:54 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:02 2019; Machine Name: buxtehude
