Debian Bug report logs -
#349794
unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: unzip
Version: 5.52-1sarge3
Severity: grave
Tags: security
http://www.securityfocus.com/bid/15968
Thanks,
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.ISO-8859-1)
Versions of packages unzip depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
-- no debconf information
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #10 received at 349794@bugs.debian.org (full text, mbox, reply):
On Wed, 25 Jan 2006, Stephen Gran wrote:
> Package: unzip
> Version: 5.52-1sarge3
> Severity: grave
> Tags: security
>
> http://www.securityfocus.com/bid/15968
Why "grave" and "security"? AFAIK, this is not the case where a
malicious user gives you a .zip archive and your system get
compromised if you try to unzip it.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #15 received at 349794@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
This one time, at band camp, Santiago Vila said:
> On Wed, 25 Jan 2006, Stephen Gran wrote:
>
> > Package: unzip
> > Version: 5.52-1sarge3
> > Severity: grave
> > Tags: security
> >
> > http://www.securityfocus.com/bid/15968
>
> Why "grave" and "security"? AFAIK, this is not the case where a
> malicious user gives you a .zip archive and your system get
> compromised if you try to unzip it.
Actually it appears this is exactly the case.
http://www.securityfocus.com/bid/15968/discuss:
"This issue allows attackers to execute arbitrary machine code in the
context of users utilizing the affected application."
Granted, most of the time this will only be a local user exploit, rather
than a root level exploit, but if an application uses info-zip routines
and runs as root, it will be root level exploit.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #20 received at 349794@bugs.debian.org (full text, mbox, reply):
On Wed, 25 Jan 2006, Stephen Gran wrote:
> This one time, at band camp, Santiago Vila said:
> > On Wed, 25 Jan 2006, Stephen Gran wrote:
> >
> > > Package: unzip
> > > Version: 5.52-1sarge3
> > > Severity: grave
> > > Tags: security
> > >
> > > http://www.securityfocus.com/bid/15968
> >
> > Why "grave" and "security"? AFAIK, this is not the case where a
> > malicious user gives you a .zip archive and your system get
> > compromised if you try to unzip it.
>
> Actually it appears this is exactly the case.
>
> http://www.securityfocus.com/bid/15968/discuss:
> "This issue allows attackers to execute arbitrary machine code in the
> context of users utilizing the affected application."
No, it's not that case.
This one is about an insanely long command line. Normally, you can't
run unzip with an arbitrary command line unless you already have local
user access.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #25 received at 349794@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
This one time, at band camp, Santiago Vila said:
> On Wed, 25 Jan 2006, Stephen Gran wrote:
>
> > This one time, at band camp, Santiago Vila said:
> > > On Wed, 25 Jan 2006, Stephen Gran wrote:
> > >
> > > > Package: unzip
> > > > Version: 5.52-1sarge3
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > http://www.securityfocus.com/bid/15968
> > >
> > > Why "grave" and "security"? AFAIK, this is not the case where a
> > > malicious user gives you a .zip archive and your system get
> > > compromised if you try to unzip it.
> >
> > Actually it appears this is exactly the case.
> >
> > http://www.securityfocus.com/bid/15968/discuss:
> > "This issue allows attackers to execute arbitrary machine code in the
> > context of users utilizing the affected application."
>
> No, it's not that case.
>
> This one is about an insanely long command line. Normally, you can't
> run unzip with an arbitrary command line unless you already have local
> user access.
I was under the impression that the filename was part of the command
line. So, I could send you an email with an insanely long filename zip
file attached and cause this overflow. If I'm wrong, and the filename
isn't part of this vulnerablity (even though the title of the report is
"UnZip File Name Buffer Overflow") then feel free to downgrade it.
I am not particularly interested in an argument about it, one way or the
other. If you feel that it's unlikely to be exploited, then handle it
as you see fit.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #30 received at 349794@bugs.debian.org (full text, mbox, reply):
forwarded 349794 http://www.info-zip.org/zip-bug.html
thanks
On Wed, 25 Jan 2006, Stephen Gran wrote:
> Package: unzip
> Version: 5.52-1sarge3
> Severity: grave
> Tags: security
>
> http://www.securityfocus.com/bid/15968
I have forwarded this to the authors (well, as a reminder, they already knew
about this. If I remember well, this would be fixed in 6.0d and 5.53d,
but those beta releases do not exist yet).
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #37 received at 349794@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tag 349794 patch
thanks
Hi!
I took a stab at this bug; granted, it's not the worst one in the
world, but it should be fixed eventually.
This is the patch I used for the Ubuntu security update:
http://patches.ubuntu.com/patches/unzip.CVE-2005-4667.diff
It works for version 5.52; 5.51 still crashes with that patch, I will
look into this as well.
Also, this has been assigned CVE-2005-4667, please mention this number
in the changelog when you fix this.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Tags added: patch
Request was from Martin Pitt <martin.pitt@ubuntu.com>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #44 received at 349794@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi again,
Martin Pitt [2006-02-10 20:45 +0100]:
> It works for version 5.52; 5.51 still crashes with that patch, I will
> look into this as well.
Ok, done: 5.51 does some unsafe strcpy()s in do_wild(), which are not
present any more in 5.52. Here is the 5.51 patch, maybe it is useful
for fixing woody (which has 5.50):
http://patches.ubuntu.com/patches/unzip-5.51.CVE-2005-4667.diff
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #49 received at 349794@bugs.debian.org (full text, mbox, reply):
On Fri, 10 Feb 2006, Martin Pitt wrote:
> Hi again,
>
> Martin Pitt [2006-02-10 20:45 +0100]:
> > It works for version 5.52; 5.51 still crashes with that patch, I will
> > look into this as well.
>
> Ok, done: 5.51 does some unsafe strcpy()s in do_wild(), which are not
> present any more in 5.52. Here is the 5.51 patch, maybe it is useful
> for fixing woody (which has 5.50):
>
> http://patches.ubuntu.com/patches/unzip-5.51.CVE-2005-4667.diff
Thanks a lot.
I have made a ping to the authors today, as they said this would be
fixed in a beta release which has not happened yet. If I don't get a
reply from then soon enough, I will use these patches, as this has
been open for too much time now.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #54 received at 349794@bugs.debian.org (full text, mbox, reply):
On Fri, 10 Feb 2006, Martin Pitt wrote:
> I took a stab at this bug; granted, it's not the worst one in the
> world, but it should be fixed eventually.
>
> This is the patch I used for the Ubuntu security update:
>
> http://patches.ubuntu.com/patches/unzip.CVE-2005-4667.diff
>
> It works for version 5.52; [...]
Hi. I did this to test the patch:
./unzip `perl -e 'print "A" x 120000'`
and I got an error message, followed by some binary junk which
confuses the terminal to the point of needing a "reset".
This is a little bit suspicious. Are you sure the patch is ok?
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip.
(full text, mbox, link).
Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
(full text, mbox, link).
Message #59 received at 349794@bugs.debian.org (full text, mbox, reply):
Well, after a bit of testing, I'm going to use this patch instead:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0117.html
which seems to work very well. The "right fix" will be in 5.53, I suppose,
but for now this is more than enough to close the hole.
[ Additionally, for 5.50, there are some strcpy in unix/unix.c which
have to be changed to strncpy, as you pointed out ].
Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Stephen Gran <sgran@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #64 received at 349794-close@bugs.debian.org (full text, mbox, reply):
Source: unzip
Source-Version: 5.52-7
We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive:
unzip_5.52-7.diff.gz
to pool/main/u/unzip/unzip_5.52-7.diff.gz
unzip_5.52-7.dsc
to pool/main/u/unzip/unzip_5.52-7.dsc
unzip_5.52-7_powerpc.deb
to pool/main/u/unzip/unzip_5.52-7_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 349794@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 16 Mar 2006 10:31:20 +0100
Source: unzip
Binary: unzip
Architecture: source powerpc
Version: 5.52-7
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
unzip - De-archiver for .zip files
Closes: 349794
Changes:
unzip (5.52-7) unstable; urgency=medium
.
* Fixed buffer overflow when insanely long filenames are given on the
command line. Patch from Johnny Lee. Changed some format strings so
that they use 512 characters at most. The "right" fix will be in 5.53,
but this should work well enough for now. Closes: #349794.
* This is CVE-2005-4667.
Files:
40168d21a5f2ff55e13d205e788099da 519 utils optional unzip_5.52-7.dsc
a4108541e834e3d9e9b3d0b39f4325b1 10797 utils optional unzip_5.52-7.diff.gz
345a81de994ab7f7403920049a214978 162454 utils optional unzip_5.52-7_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEGTEYd9Uuvj7yPNYRAhWDAJ0bIBTuJVnttO6Ok0vfW1DdFDXcdgCgufCo
ll7tK2wsoAPDPwNWBDLsgqg=
=sisv
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 05:55:22 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:47:44 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:51:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 12:57:53 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon