Bug 1024533 (CVE-2017-5978)

Summary: VUL-1: CVE-2017-5978: zziplib: out of bounds read in zzip_mem_entry_new (memdisk.c)
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: josef.moellers, matthias.gerstner, stefan.fent, werner, wilken_g
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:NVD:CVE-2017-5978:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2017-5978:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-5978:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Mikhail Kasimov 2017-02-09 14:30:26 UTC
Ref: http://seclists.org/oss-sec/2017/q1/358
=============================================
Description:
zziplib is an intentionally lightweight library that offers the ability to 
easily extract data from files archived in a single zip file.

A fuzz on it discovered an out of bounds read.

The complete ASan output:

# unzzipcat-mem $FILE
==7934==ERROR: AddressSanitizer: unknown-crash on address 0x7f439a704000 at pc 
0x0000004bb815 bp 0x7fff911ebe30 sp 0x7fff911eb5e0
READ of size 59396 at 0x7f439a704000 thread T0
    #0 0x4bb814 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f439a3da299 in zzip_mem_entry_new /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:210:13
    #2 0x7f439a3da299 in zzip_mem_disk_load /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f439a3d98b7 in zzip_mem_disk_open /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-
r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f439951961f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not describe address in more detail (wild memory access 
suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 
in __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe8f34d87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe8f34d87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe8f34d8800:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe8f34d8850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7934==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00156-zziplib-oobread-zzip_mem_entry_new

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
=============================================

https://software.opensuse.org/package/zziplib

TW|42.(1|2): 0.13.62

A note about the multiple crashes in zziplib: http://seclists.org/oss-sec/2017/q1/365
Comment 1 Matthias Gerstner 2017-02-09 15:10:32 UTC
The only codestream SUSE:SLE-12:Update is affected.

The library seems to be only used for a texlive component: luatex -> luazip.

As the reporter of these issues says in:

  http://seclists.org/oss-sec/2017/q1/365

the upstream project appears dead and there was no release for five years.

QA reproducer:

Using the PoC file from

  https://github.com/asarubbo/poc/blob/master/00156-zziplib-oobread-zzip_mem_entry_new

I was able to reproduce the issue on Leap 42.2:

  - install zziplib-devel
  - run `unzzipcat 00156-zziplib-oobread-zzip_mem_entry_new`
  - it will segfault
Comment 2 Swamp Workflow Management 2017-02-09 23:01:12 UTC
bugbot adjusting priority
Comment 3 Matthias Gerstner 2017-02-14 10:02:28 UTC
CVE-2017-5978 has been assigned: http://www.openwall.com/lists/oss-security/2017/02/14/3
Comment 4 Josef Möllers 2017-03-23 09:35:03 UTC
request id 129777
Comment 5 Swamp Workflow Management 2017-04-24 13:09:24 UTC
SUSE-SU-2017:1095-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539
CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    zziplib-0.13.62-9.1
Comment 6 Swamp Workflow Management 2017-05-08 16:20:37 UTC
openSUSE-SU-2017:1210-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539
CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981
Sources used:
openSUSE Leap 42.2 (src):    zziplib-0.13.62-10.3.1
openSUSE Leap 42.1 (src):    zziplib-0.13.62-10.1
Comment 7 Marcus Meissner 2017-07-04 14:29:26 UTC
released