Bug 1055377 - (CVE-2017-12858) VUL-0: CVE-2017-12858: libzip: Double free in _zip_dirent_read function in zip_dirent.c
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Leap 42.2
Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Petr Gajdos
E-mail List
https://smash.suse.de/issue/190929/
Reported: 2017-08-23 20:24 UTC by Marcus Meissner
Modified: 2017-08-28 12:00 UTC (History)

Found By: Security Response Team


Attachments
test000.zip (311 bytes, application/octet-stream)
2017-08-23 20:37 UTC, Marcus Meissner

Description Marcus Meissner 2017-08-23 20:24:31 UTC
rh#1484514

Double free vulnerability in the _zip_dirent_read function in
zip_dirent.c in libzip allows attackers to have unspecified impact via
unknown vectors.

Upstream patch:

https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796

Red Hat bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1484514
Comment 1 Marcus Meissner 2017-08-23 20:25:47 UTC
Mailed the reporter for the reproducer.
Comment 2 Marcus Meissner 2017-08-23 20:34:07 UTC
libzip 0.11.1 in SLE12 code looks different.
Comment 3 Marcus Meissner 2017-08-23 20:35:10 UTC
As requested, here is the original file given to the libzip maintainers.

https://github.com/geeknik/cve-fuzzing-poc/blob/master/test000.zip

And here is the 'heap use after free' reported by ASan for your reference:

./zipcmp test000.zip /dev/null

==19825==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ece1 at pc 0x0000004fbbe9 bp 0x7ffd4ed8f250 sp 0x7ffd4ed8f248
READ of size 1 at 0x60300000ece1 thread T0
    #0 0x4fbbe8 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:53:9
    #1 0x4ccdc5 in _zip_dirent_read /root/libzip/lib/zip_dirent.c:477:17
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287
    #11 0x4bf29c in _start (/root/libzip/src/zipcmp+0x4bf29c)

0x60300000ece1 is located 1 bytes inside of 32-byte region [0x60300000ece0,0x60300000ed00)
freed by thread T0 here:
    #0 0x4a199b in free (/root/libzip/src/zipcmp+0x4a199b)
    #1 0x4fbbc0 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:57:5
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4a1c1b in __interceptor_malloc (/root/libzip/src/zipcmp+0x4a1c1b)
    #1 0x4fd07b in _zip_buffer_new /root/libzip/lib/zip_buffer.c:168:35
    #2 0x4fd07b in _zip_buffer_new_from_source /root/libzip/lib/zip_buffer.c:190
    #3 0x514487 in _fini (/root/libzip/src/zipcmp+0x514487)

SUMMARY: AddressSanitizer: heap-use-after-free /root/libzip/lib/zip_buffer.c:53 _zip_buffer_free
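The two stacks in the ASan report above tell the story of this bug: the buffer is first released on the _zip_checkcons path (zip_open.c:469), and the _zip_buffer_free that then touches the already-freed 32-byte region is called from _zip_dirent_read (zip_dirent.c:477). In other words, the entry parser freed a buffer that its caller also owned and freed. The C program below is a constructed illustration added here; it is not libzip's code and not the upstream patch. The names buffer_t, dirent_read, check_directory and count_frees are invented, the 46-byte central directory header layout is the standard ZIP one, and the sample entry is constructed. It shows the ownership discipline that keeps a malformed archive from turning into a second free: a parser that may be handed a caller's buffer frees only a buffer it created itself, and the caller frees its shared buffer exactly once, so a truncated entry is rejected cleanly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libzip code: a bounds-checked byte reader and a
   central directory entry parser that follow "free only what you allocated". */
typedef struct {
    uint8_t *data;
    size_t len, off;
    bool ok;            /* cleared on the first out-of-bounds read */
} buffer_t;
static int g_frees;     /* counts buffer_free() calls so a double free would be visible */

static buffer_t *buffer_new(const uint8_t *src, size_t len) {
    buffer_t *b = calloc(1, sizeof *b);
    if (b == NULL || (b->data = malloc(len > 0 ? len : 1)) == NULL) { free(b); return NULL; }
    memcpy(b->data, src, len);
    b->len = len;
    b->ok = true;
    return b;
}

static void buffer_free(buffer_t *b) {
    if (b == NULL) return;
    g_frees++;
    free(b->data);
    free(b);
}

/* Little-endian read of n <= 4 bytes; marks the buffer bad instead of reading past it. */
static uint32_t buffer_get(buffer_t *b, size_t n) {
    uint32_t v = 0;
    if (b->off + n > b->len) { b->ok = false; return 0; }
    for (size_t i = 0; i < n; i++) v |= (uint32_t)b->data[b->off + i] << (8 * i);
    b->off += n;
    return v;
}

static void buffer_skip(buffer_t *b, size_t n) {
    if (b->off + n > b->len) b->ok = false; else b->off += n;
}

typedef struct { uint16_t fnlen, extralen, commentlen; } dirent_t;
#define CDIR_SIG 0x02014b50u    /* "PK\1\2": central directory file header */
/* Parse one central directory entry. With buffer == NULL a private buffer is
   built from src/src_len and released here; a caller's buffer is never freed. */
static int dirent_read(dirent_t *de, const uint8_t *src, size_t src_len, buffer_t *buffer) {
    bool from_buffer = (buffer != NULL);
    int ret = -1;
    if (!from_buffer && (buffer = buffer_new(src, src_len)) == NULL) return -1;
    if (buffer_get(buffer, 4) != CDIR_SIG) goto out;
    buffer_skip(buffer, 24);                  /* versions, flags, method, time, crc, sizes */
    de->fnlen      = (uint16_t)buffer_get(buffer, 2);
    de->extralen   = (uint16_t)buffer_get(buffer, 2);
    de->commentlen = (uint16_t)buffer_get(buffer, 2);
    buffer_skip(buffer, 12);                  /* disk, attributes, local header offset */
    buffer_skip(buffer, (size_t)de->fnlen + de->extralen + de->commentlen);
    if (buffer->ok) ret = 0;                  /* every declared byte was present */
out:
    if (!from_buffer) buffer_free(buffer);    /* the only free in this function */
    return ret;
}

/* Caller in the style of a whole-directory consistency check: one shared buffer,
   many entries, exactly one free at the end no matter how parsing ended. */
static int check_directory(const uint8_t *cdir, size_t len, size_t nentries) {
    buffer_t *b = buffer_new(cdir, len);
    int ret = (b == NULL) ? -1 : 0;
    for (size_t i = 0; b != NULL && i < nentries && ret == 0; i++) {
        dirent_t de;
        ret = dirent_read(&de, NULL, 0, b);
    }
    buffer_free(b);
    return ret;
}

/* Constructed sample: one 46-byte central directory header followed by the name "a.txt". */
static const uint8_t k_entry[] = {
    0x50, 0x4b, 0x01, 0x02,  0x14, 0x00,  0x14, 0x00,  0x00, 0x00,  0x00, 0x00,
    0x00, 0x00,  0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x05, 0x00,  0x00, 0x00,  0x00, 0x00,  0x00, 0x00,
    0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  'a', '.', 't', 'x', 't'
};

/* Run one scenario and report how many times buffer_free() ran: the answer must always be 1. */
static int count_frees(bool caller_owned, size_t len) {
    dirent_t de;
    g_frees = 0;
    if (caller_owned) check_directory(k_entry, len, 1);
    else dirent_read(&de, k_entry, len, NULL);
    return g_frees;
}

int main(void) {
    printf("complete entry rc=%d, truncated entry rc=%d\n", check_directory(k_entry, sizeof k_entry, 1), check_directory(k_entry, 40, 1));
    printf("frees on truncated input: caller-owned=%d, callee-owned=%d\n", count_frees(true, 40), count_frees(false, 40));
    return 0;
}
```

The from_buffer flag is the whole point: the single free at the `out:` label is conditional on who allocated, and the caller's loop never hands ownership over. Built with `-fsanitize=address`, a regression in either rule shows up as exactly the kind of report pasted above, which is why keeping a reproducer such as test000.zip in a test suite is worthwhile.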
Comment 4 Marcus Meissner 2017-08-23 20:37:00 UTC
Created attachment 738081 [details]
test000.zip

QA REPRODUCER:

ark test000.zip

should not crash.

(ark uses libzip on Factory)
Comment 5 Marcus Meissner 2017-08-23 20:38:15 UTC
Factory with 1.2.0 is affected, others are not.
Comment 6 Petr Gajdos 2017-08-28 10:32:51 UTC
zipcmp seems to exhibit the issue, too:

devel/libzip

$ zipcmp test000.zip /dev/null
*** Error in `zipcmp': free(): invalid pointer: 0x4545454545454545 ***
Aborted (core dumped)
$

42.2,42.3/libzip

$ zipcmp test000.zip /dev/null
zipcmp: cannot open zip archive `test000.zip': Zip archive inconsistent
$

11/libzip1:

$ zipcmp test000.zip /dev/null
--- test000.zip
+++ /dev/null
-  808464432 30303030 00000000
$

Leap's libzip seems to have the best behaviour, but given that libzip1 does not contain the code, I am considering it not affected.
Comment 7 Petr Gajdos 2017-08-28 10:36:50 UTC
After patching in Factory:

$ zipcmp test000.zip /dev/null
zipcmp: cannot open zip archive 'test000.zip': Zip archive inconsistent
$

I will submit the patch as I do not know when the next release of libzip happens.
Comment 8 Petr Gajdos 2017-08-28 10:40:25 UTC
Submitted to factory.
Comment 9 Bernhard Wiedemann 2017-08-28 12:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (1055377) was mentioned in
https://build.opensuse.org/request/show/519094 Factory / libzip