Bugzilla – Bug 1024531
VUL-1: CVE-2017-5976: zziplib: heap-based buffer overflow in zzip_mem_entry_extra_block (memdisk.c)
Last modified: 2018-10-04 12:15:16 UTC
Ref: http://seclists.org/oss-sec/2017/q1/356 ============================================== Description: zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file. A fuzz on it discovered an heap overflow. The complete ASan output: # unzzipcat-mem $FILE ==7970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000f2c8 at pc 0x7f59277fd153 bp 0x7fff136e1e30 sp 0x7fff136e1e28 READ of size 2 at 0x60300000f2c8 thread T0 #0 0x7f59277fd152 in zzip_mem_entry_extra_block /tmp/portage/dev- libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20 #1 0x7f59277fd152 in zzip_mem_entry_new /tmp/portage/dev- libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:218 #2 0x7f59277fd152 in zzip_mem_disk_load /tmp/portage/dev- libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137 #3 0x7f59277fb8b7 in zzip_mem_disk_open /tmp/portage/dev- libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5 #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62- r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12 #5 0x7f592693b61f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748) AddressSanitizer can not describe address in more detail (wild memory access suspected). SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev- libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20 in zzip_mem_entry_extra_block Shadow bytes around the buggy address: 0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c067fff9e50: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa 0x0c067fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==7970==ABORTING Affected version: 0.13.62 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00152-zziplib-heapoverflow-zzip_mem_entry_extra_block Timeline: 2017-01-17: bug discovered and poked upstream 2017-02-09: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c -- Agostino Sarubbo Gentoo Linux Developer ============================================== https://software.opensuse.org/package/zziplib TW|42.(1|2): 0.13.62 A note about the multiple crashes in zziplib: http://seclists.org/oss-sec/2017/q1/365
The only codestream SUSE:SLE-12:Update is affected. The library seems to be only used for a texlive component: luatex -> luazip. As the reporter of these issues says in: http://seclists.org/oss-sec/2017/q1/365 the upstream project appears dead and there was no release for five years. QA reproducer: Using the PoC file from https://github.com/asarubbo/poc/blob/master/00152-zziplib-heapoverflow-zzip_mem_entry_extra_block I could reproduce the issue on Leap 42.2: - install zziplib-devel - run `valgrind unzzipcat-mem 00152-zziplib-heapoverflow-zzip_mem_entry_extra_block` - it will show an invalid read of size 2
bugbot adjusting priority
CVE-2017-5976 has been assigned: http://www.openwall.com/lists/oss-security/2017/02/14/3
request id 129777
SUSE-SU-2017:1095-1: An update that solves 8 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539 CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP2 (src): zziplib-0.13.62-9.1 SUSE Linux Enterprise Workstation Extension 12-SP1 (src): zziplib-0.13.62-9.1 SUSE Linux Enterprise Software Development Kit 12-SP2 (src): zziplib-0.13.62-9.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): zziplib-0.13.62-9.1 SUSE Linux Enterprise Desktop 12-SP2 (src): zziplib-0.13.62-9.1 SUSE Linux Enterprise Desktop 12-SP1 (src): zziplib-0.13.62-9.1
openSUSE-SU-2017:1210-1: An update that solves 8 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539 CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981 Sources used: openSUSE Leap 42.2 (src): zziplib-0.13.62-10.3.1 openSUSE Leap 42.1 (src): zziplib-0.13.62-10.1
released