Bugzilla – Full Text Bug Listing

Summary: VUL-0: CVE-2017-14107: libzip: The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Petr Gajdos <pgajdos> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | astieger, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/191388/ | | |
| Whiteboard: | CVSSv3:SUSE:CVE-2017-14107:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVSSv2:SUSE:CVE-2017-14107:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-14107:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2017-14107:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | 00330-libzip-memallocfailure-_zip_cdir_grow | | |
Description

Marcus Meissner, 2017-09-04 06:37:43 UTC

Created attachment 739256: 00330-libzip-memallocfailure-_zip_cdir_grow

QA REPRODUCER:

    install libzip-tools
    ziptool 00330-libzip-memallocfailure-_zip_cdir_grow cat index
---

1.3.0 is not buildable through failing testsuite. Author notified.

---

(In reply to Marcus Meissner from comment #1)
> ziptool 00330-libzip-memallocfailure-_zip_cdir_grow cat index

Unfortunately ziptool is quite a new thing, new enough to not be included in sle12. There's also not a libzip-tools package; the binaries (zipcmp, zipmerge and ziptorrent) are included in the main package. However, I am not able to reproduce anything (nor valgrind errors) with them:

    $ zipcmp -t 00330-libzip-memallocfailure-_zip_cdir_grow 00330-libzip-memallocfailure-_zip_cdir_grow
    zipcmp: cannot open zip archive `00330-libzip-memallocfailure-_zip_cdir_grow': Not a zip archive
    $
    $ zipmerge 00330-libzip-memallocfailure-_zip_cdir_grow 00330-libzip-memallocfailure-_zip_cdir_grow
    zipmerge: cannot open zip archive `00330-libzip-memallocfailure-_zip_cdir_grow': Not a zip archive
    $

---

When patching 12/libzip, the libzip is so secure that it refuses two zip archives from the testsuite:

    [ 16s] FAIL: extra_count_ignore_zip64
    [ 16s] ==============================
    [ 16s]
    [ 16s] extra_count_ignore_zip64:
    [ 16s] running: ../modify bigzero.zip count_extra 0 l count_extra 0 c count_extra 0 lc
    [ 16s] extra_count_ignore_zip64 -- FAILED: zip file bigzero.zip wrong
    [ 16s]
    [ 16s] FAIL: open_many_ok
    [ 16s] ==================
    [ 16s]
    [ 16s] open_many_ok:
    [ 16s] running: ../tryopen manyfiles.zip
    [ 16s] open_many_ok -- FAILED: zip file manyfiles.zip wrong

---

1.3.0 testsuite fails with:

    [ 52s] FAIL: set_compression_deflate_to_store
    [ 52s] ======================================
    [ 52s]
    [ 52s] Unexpected exit status:
    [ 52s] -0
    [ 52s] +1
    [ 52s] Unexpected error output:
    [ 52s] --- expected
    [ 52s] +++ got
    [ 52s] +can't close zip archive 'test.zip': Internal error
    [ 52s] --- ../teststored.zip
    [ 52s] +++ test.zip
    [ 52s] --- abac-repeat.txt method 0
    [ 52s] +++ abac-repeat.txt method 8
    [ 52s] set_compression_deflate_to_store -- FAIL: exit status, error output, files
    [ 52s] FAIL set_compression_deflate_to_store.test (exit status: 1)

It seems this does not relate to the 12/libzip testsuite failure.

---

For 12/libzip: the reason is:

    libzip-0.11.1/src/.libs/zipcmp: cannot open zip archive `../bigzero.zip': Zip archive inconsistent

bigzero-zip.zip in 0.11.1 and 1.3.0 is different (https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5) but updating it in 0.11.1 does not make the testsuite result better. Failing command is:

    $ zipcmp -q -p -t bigzero.zip bigzero.zip
    zipcmp: cannot open zip archive `bigzero.zip': Zip archive inconsistent
    $

The reason why bigzero.zip is rejected is:

    -    if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
    +    if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {

    (gdb) p offset+size
    $7 = 4168331
    (gdb) p buf_offset + eocd_offset
    $8 = 8271182
    (gdb) p buf_offset
    $9 = 4102851
    (gdb) p eocd_offset
    $10 = 4168331

Interestingly, offset+size == eocd_offset, so the condition is not met before and is met after.

---

I believe the change for 12/libzip is correct despite two failing tests. There are many files in the regress/ subdirectory (incons*) which are now failing zip_cmp with 'Zip archive inconsistent'. zip_cmp has not checked the inconsistency properly and would not have for the regress/incons* files either. I guess bigzero.zip and manyfiles.zip are just also now tagged as inconsistent, which fails zip_cmp, and this fails the tests and the testsuite in turn. I will disable these tests.

---

12/libzip submitted.

---

Tumbleweed/libzip: Fails in add_data(), zip_close.c:

    461         if ((ret=_zip_dirent_write(za, de, flags)) < 0)
    (gdb)
    464         if (is_zip64 != ret) {
    (gdb)
    466             zip_error_set(&za->error, ZIP_ER_INTERNAL, 0);
    (gdb) p is_zip64
    $10 = 1
    (gdb) p ret
    $11 = 0

That means the following comment applies:

    /* Zip64 mismatch between preliminary file header written before data and final file header written afterwards */

Upstream notified, I will disable the test for now.

---

Packages submitted.
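Review bot: the gdb values printed under the zip_open.c hunk above show offset+size (4168331) already equal to eocd_offset (4168331), which suggests eocd_offset is already the absolute file position of the EOCD in this code base; adding buf_offset (4102851) to it then double counts and turns the ZIP_CHECKCONS comparison into a false "Zip archive inconsistent" for archives whose directory does end at the EOCD, which is exactly what the two new testsuite failures report. Before backporting, confirm which convention eocd_offset uses in 0.11.1 and compare against a single absolute value (keep `offset+size != eocd_offset` if it is already absolute) rather than disabling the tests.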
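The ZIP_CHECKCONS comparison discussed above (the central directory's offset plus size must land exactly on the EOCD record) is a layout check that catches an EOCD whose fields do not agree with the file. The following Python validator is an added example, not libzip's code and not taken from the bug's attachment: it implements that check for the single-buffer case, and additionally bounds the declared entry count by the directory size before anything is sized from it (this bound is an added defensive check, not one the thread describes). All sample archives are constructed in memory with Python's zipfile module; the corruptions applied to them are constructed for illustration.

```python
"""Defensive EOCD / central-directory consistency checks for ZIP archives.

Added example (not libzip's code): the layout check quoted in the bug thread
for the single-buffer case, plus a bound on the declared entry count so an
untrusted count is never used to size an allocation.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"        # end of central directory record
EOCD64_SIG = b"PK\x06\x06"      # ZIP64 end of central directory record
EOCD64_LOC_SIG = b"PK\x06\x07"  # ZIP64 EOCD locator
CDIR_SIG = b"PK\x01\x02"        # central directory file header
CDIR_FIXED = 46                 # fixed part of a central directory header
EOCD_FIXED = 22                 # fixed part of the classic EOCD record


class InconsistentZip(ValueError):
    """Raised when the EOCD does not agree with the actual file layout."""


def find_eocd(data: bytes) -> int:
    """Locate the classic EOCD. A comment of up to 65535 bytes may follow it,
    so scan backwards over at most that window and verify the comment length."""
    start = max(0, len(data) - (EOCD_FIXED + 0xFFFF))
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or pos + EOCD_FIXED > len(data):
        raise InconsistentZip("no EOCD record")
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    if pos + EOCD_FIXED + comment_len != len(data):
        raise InconsistentZip("EOCD comment length does not reach end of file")
    return pos


def parse_eocd(data: bytes):
    """Return (entries, cd_size, cd_offset, eocd_pos). If the classic record
    carries 0xFFFF/0xFFFFFFFF markers, read the ZIP64 EOCD record instead;
    the central directory must then end at that record."""
    eocd = find_eocd(data)
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    if entries == 0xFFFF or cd_size == 0xFFFFFFFF or cd_offset == 0xFFFFFFFF:
        loc = eocd - 20  # the locator immediately precedes the classic EOCD
        if loc < 0 or data[loc:loc + 4] != EOCD64_LOC_SIG:
            raise InconsistentZip("ZIP64 markers without an EOCD64 locator")
        _, eocd64, _ = struct.unpack_from("<IQI", data, loc + 4)
        if eocd64 + 56 > loc or data[eocd64:eocd64 + 4] != EOCD64_SIG:
            raise InconsistentZip("EOCD64 record outside the file")
        fields = struct.unpack_from("<QHHIIQQQQ", data, eocd64 + 4)
        entries, cd_size, cd_offset = fields[6], fields[7], fields[8]
        eocd = eocd64
    return entries, cd_size, cd_offset, eocd


def check_archive(data: bytes) -> dict:
    """Validate the EOCD against the real layout; raise InconsistentZip on any
    mismatch, otherwise return the validated directory parameters."""
    entries, cd_size, cd_offset, eocd = parse_eocd(data)
    # The check quoted in the thread: the directory ends exactly at the EOCD.
    if cd_offset + cd_size != eocd:
        raise InconsistentZip(f"central directory ends at {cd_offset + cd_size}, EOCD at {eocd}")
    # Added bound: reject a count the directory cannot physically hold before
    # any per-entry allocation is sized from it.
    if entries * CDIR_FIXED > cd_size:
        raise InconsistentZip(f"{entries} entries cannot fit in {cd_size} bytes")
    # Walk the directory and confirm it holds exactly the declared entries.
    pos, seen = cd_offset, 0
    while pos < eocd:
        if pos + CDIR_FIXED > eocd or data[pos:pos + 4] != CDIR_SIG:
            raise InconsistentZip(f"bad central directory header at {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += CDIR_FIXED + name_len + extra_len + comment_len
        seen += 1
    if pos != eocd or seen != entries:
        raise InconsistentZip(f"directory holds {seen} entries, EOCD declares {entries}")
    return {"entries": entries, "cd_size": cd_size, "cd_offset": cd_offset, "eocd": eocd}


def is_consistent(data: bytes) -> bool:
    try:
        check_archive(data)
        return True
    except InconsistentZip:
        return False


def build_sample() -> bytes:
    """Constructed sample: a small, well-formed two-member archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index", "hello\n")
        zf.writestr("notes.txt", "constructed sample content\n")
    return buf.getvalue()


def with_entry_count(data: bytes, count: int) -> bytes:
    """Constructed corruption: overwrite the EOCD 'total entries' field."""
    eocd = find_eocd(data)
    return data[:eocd + 10] + struct.pack("<H", count) + data[eocd + 12:]


def with_cd_size(data: bytes, size: int) -> bytes:
    """Constructed corruption: overwrite the EOCD 'central directory size' field."""
    eocd = find_eocd(data)
    return data[:eocd + 12] + struct.pack("<I", size) + data[eocd + 16:]


if __name__ == "__main__":
    good = build_sample()
    print("well-formed:", check_archive(good))
    print("inflated entry count accepted?", is_consistent(with_entry_count(good, 0xFFFE)))
    print("inflated cd size accepted?", is_consistent(with_cd_size(good, 0x7FFFFFFF)))
```

The entry-count bound is the piece a practitioner would most want in front of a directory-growing allocation: an archive can declare a 64-bit entry count in its ZIP64 EOCD, but the directory itself must still fit between cd_offset and the EOCD, so any count larger than cd_size / 46 is rejected before it can drive an allocation, which is the class of failure the summary of this bug names.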
---

This is an autogenerated message for OBS integration: This bug (1056996) was mentioned in https://build.opensuse.org/request/show/521697 Factory / libzip

---

This is an autogenerated message for OBS integration: This bug (1056996) was mentioned in https://build.opensuse.org/request/show/521703 Factory / libzip

---

Assigning for 32 bit test failures.

---

SUSE-SU-2017:2546-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1056996
CVE References: CVE-2017-14107
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libzip-0.11.1-13.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libzip-0.11.1-13.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libzip-0.11.1-13.3.1
SUSE Linux Enterprise Server 12-SP3 (src): libzip-0.11.1-13.3.1
SUSE Linux Enterprise Server 12-SP2 (src): libzip-0.11.1-13.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): libzip-0.11.1-13.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libzip-0.11.1-13.3.1

---

openSUSE-SU-2017:2550-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1056996
CVE References: CVE-2017-14107
Sources used:
openSUSE Leap 42.3 (src): libzip-0.11.1-9.1
openSUSE Leap 42.2 (src): libzip-0.11.1-6.3.1

---

(In reply to Andreas Stieger from comment #18)
> Assigning for 32 bit test failures.

This bug seems to be fixed, though.

---

This is an autogenerated message for OBS integration: This bug (1056996) was mentioned in https://build.opensuse.org/request/show/528196 Factory / libzip