Bugzilla – Bug 1055377
VUL-0: CVE-2017-12858: libzip: Double free in _zip_dirent_read function in zip_dirent.c
Last modified: 2017-08-28 12:00:48 UTC
rh#1484514

Double free vulnerability in the _zip_dirent_read function in zip_dirent.c in libzip allows attackers to have unspecified impact via unknown vectors.

Upstream patch: https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796

https://bugzilla.redhat.com/show_bug.cgi?id=1484514
Mailed the reporter for the reproducer.
libzip 0.11.1 in SLE12 code looks different.
As requested, here is the original file given to the libzip maintainers.
https://github.com/geeknik/cve-fuzzing-poc/blob/master/test000.zip

And here is the 'heap use after free' reported by ASan for your reference:

./zipcmp test000.zip /dev/null
==19825==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ece1 at pc 0x0000004fbbe9 bp 0x7ffd4ed8f250 sp 0x7ffd4ed8f248
READ of size 1 at 0x60300000ece1 thread T0
    #0 0x4fbbe8 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:53:9
    #1 0x4ccdc5 in _zip_dirent_read /root/libzip/lib/zip_dirent.c:477:17
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287
    #11 0x4bf29c in _start (/root/libzip/src/zipcmp+0x4bf29c)

0x60300000ece1 is located 1 bytes inside of 32-byte region [0x60300000ece0,0x60300000ed00)
freed by thread T0 here:
    #0 0x4a199b in free (/root/libzip/src/zipcmp+0x4a199b)
    #1 0x4fbbc0 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:57:5
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4a1c1b in __interceptor_malloc (/root/libzip/src/zipcmp+0x4a1c1b)
    #1 0x4fd07b in _zip_buffer_new /root/libzip/lib/zip_buffer.c:168:35
    #2 0x4fd07b in _zip_buffer_new_from_source /root/libzip/lib/zip_buffer.c:190
    #3 0x514487 in _fini (/root/libzip/src/zipcmp+0x514487)

SUMMARY: AddressSanitizer: heap-use-after-free /root/libzip/lib/zip_buffer.c:53 _zip_buffer_free
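The trace above shows _zip_buffer_free reached twice for one buffer, once through _zip_dirent_read and once through its caller _zip_checkcons. The following is an added example of that ownership bug class and its hardened form; it is not libzip's code and not the upstream patch, and buf_t, buf_new, buf_free, read_u32, dirent_read and checkcons are hypothetical stand-ins. The callee takes an optional caller-owned buffer and must free only a buffer it allocated itself.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stand-in for a libzip-style read buffer (not libzip's zip_buffer_t). */
typedef struct { unsigned char *data; size_t len, off; } buf_t;
static buf_t *buf_new(const unsigned char *src, size_t len) {
    buf_t *b = malloc(sizeof *b);
    if (!b) return NULL;
    if (!(b->data = malloc(len ? len : 1))) { free(b); return NULL; }
    memcpy(b->data, src, len);
    b->len = len; b->off = 0;
    return b;
}
static void buf_free(buf_t *b) { if (b) { free(b->data); free(b); } }

/* Little-endian u32 read; fails on a truncated header, as a fuzzed archive produces. */
static bool read_u32(buf_t *b, unsigned long *out) {
    const unsigned char *p = b->data + b->off;
    if (b->len - b->off < 4) return false;
    *out = p[0] | (p[1] << 8) | (p[2] << 16) | ((unsigned long)p[3] << 24);
    b->off += 4;
    return true;
}

/* Hardened callee: frees the buffer only when it allocated it itself. The bug
 * class is a callee that calls buf_free(b) unconditionally on its error path,
 * so the caller's later buf_free(b) becomes a double free / use after free. */
static int dirent_read(const unsigned char *src, size_t len, buf_t *caller_buf, unsigned long *sig) {
    bool from_buffer = (caller_buf != NULL);   /* ownership flag: who allocated b? */
    buf_t *b = from_buffer ? caller_buf : buf_new(src, len);
    int rc = -1;
    if (!b) return -1;
    if (read_u32(b, sig) && *sig == 0x02014b50UL) rc = 0;   /* central directory signature */
    if (!from_buffer) buf_free(b);   /* own allocation only, never the caller's */
    return rc;
}

/* Caller that owns its buffer and frees it exactly once, after the callee returns. */
static int checkcons(const unsigned char *src, size_t len) {
    buf_t *b = buf_new(src, len);
    unsigned long sig = 0;
    int rc = b ? dirent_read(src, len, b, &sig) : -1;
    buf_free(b);   /* single owner, single free */
    return rc;
}

/* Constructed sample inputs: a valid signature and a truncated header. */
static const unsigned char kGood[] = {0x50, 0x4b, 0x01, 0x02};
static const unsigned char kTruncated[] = {0x50, 0x4b};
```

Running the caller-owned path under ASan (-fsanitize=address) is the check that matters: with the ownership flag the truncated input returns -1 and the buffer is freed once, whereas an unconditional free in the callee reproduces the report above.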
Created attachment 738081: test000.zip

QA REPRODUCER: ark test000.zip should not crash. (ark uses libzip on Factory)
Factory with 1.2.0 is affected, others are not.
zipcmp seems to exhibit the issue, too:

devel/libzip
$ zipcmp test000.zip /dev/null
*** Error in `zipcmp': free(): invalid pointer: 0x4545454545454545 ***
Aborted (core dumped)
$

42.2,42.3/libzip
$ zipcmp test000.zip /dev/null
zipcmp: cannot open zip archive `test000.zip': Zip archive inconsistent
$

11/libzip1:
$ zipcmp test000.zip /dev/null
--- test000.zip
+++ /dev/null
- 808464432 30303030 00000000
$

Leap's libzip seems to have the best behaviour, but given that libzip1 does not contain the code, considering it not affected.
After patching in Factory:

$ zipcmp test000.zip /dev/null
zipcmp: cannot open zip archive 'test000.zip': Zip archive inconsistent
$

I will submit the patch as I do not know when the next release of libzip happens.
Submitted to factory.
This is an autogenerated message for OBS integration:
This bug (1055377) was mentioned in
https://build.opensuse.org/request/show/519094 Factory / libzip