Bugzilla – Bug 1024517
VUL-1: CVE-2017-5974: zziplib: heap-based buffer overflow in __zzip_get32 (fetch.c)
Last modified: 2018-10-04 12:15:05 UTC
Ref: http://seclists.org/oss-sec/2017/q1/354
==============================================
Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered a heap overflow.

The complete ASan output:

# unzzipcat-mem $FILE
==7574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef9f at pc 0x7f98d2d1d3bf bp 0x7fff57e59e20 sp 0x7fff57e59e18
READ of size 1 at 0x60300000ef9f thread T0
    #0 0x7f98d2d1d3be in __zzip_get32 /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fetch.c:32:24
    #1 0x7f98d2d1a9d9 in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:224:34
    #2 0x7f98d2d1a9d9 in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f98d2d198b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f98d1e5961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

0x60300000ef9f is located 1 bytes to the right of 30-byte region [0x60300000ef80,0x60300000ef9e)
allocated by thread T0 here:
    #0 0x4d2508 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f98d2d1a260 in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:208:25
    #2 0x7f98d2d1a260 in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f98d2d198b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x7f98d1e5961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fetch.c:32:24 in __zzip_get32
Shadow bytes around the buggy address:
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: 00 00 00[06]fa fa 00 00 00 02 fa fa 00 00 00 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7574==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00150-zziplib-heapoverflow-__zzip_get32

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c

--
Agostino Sarubbo
Gentoo Linux Developer
==============================================
https://software.opensuse.org/package/zziplib
TW|42.(1|2): 0.13.62
A note about the multiple crashes in zziplib: http://seclists.org/oss-sec/2017/q1/365
The only codestream SUSE:SLE-12:Update is affected. The library seems to be only used for a texlive component: luatex -> luazip.

As the reporter of these issues says in http://seclists.org/oss-sec/2017/q1/365, the upstream project appears dead and there was no release for five years.

QA reproducer:

Using the PoC file from https://github.com/asarubbo/poc/blob/master/00150-zziplib-heapoverflow-__zzip_get32 I could reproduce the issue on Leap 42.2:

- install zziplib-devel
- run `valgrind unzzipcat-mem 00150-zziplib-heapoverflow-__zzip_get32`
- it will show multiple invalid reads of size 1
bugbot adjusting priority
CVE-2017-5974 has been assigned: http://www.openwall.com/lists/oss-security/2017/02/14/3
osc -A https://api.suse.de maintainer zziplib --email --bugowner
Defined in package: SUSE:SLE-12:GA/zziplib
bugowner of zziplib :
schwab@suse.com
I'd like to know why I'm maintainer of zziplib as I had never touched this library in any way
I'd also like to know why there are 10 bug reports for one package; compare with https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854727

btw: here I can count 11 bugs in one report ... is one missing here?
http://www.openwall.com/lists/oss-security/2017/02/09/10
http://www.openwall.com/lists/oss-security/2017/02/09/11
http://www.openwall.com/lists/oss-security/2017/02/09/12
http://www.openwall.com/lists/oss-security/2017/02/09/13
http://www.openwall.com/lists/oss-security/2017/02/09/14
http://www.openwall.com/lists/oss-security/2017/02/09/15
http://www.openwall.com/lists/oss-security/2017/02/09/16
http://www.openwall.com/lists/oss-security/2017/02/09/17
http://www.openwall.com/lists/oss-security/2017/02/09/18
http://www.openwall.com/lists/oss-security/2017/02/09/19
http://www.openwall.com/lists/oss-security/2017/02/09/20
Created attachment 717413 [details]
memdisk-heap.patch

Please try to reproduce this with that patch enabled. This patch simply uses the already autodetected byte swap functionality instead of trying to map little endian on big endian.

I see with the patch

~/rpmbuild/BUILD/zziplib-0.13.62> ./Linux_4.4.49-16-default_x86_64.d/bins/unzzipcat-mem /tmp/00150-zziplib-heapoverflow-__zzip_get32
==31093== Memcheck, a memory error detector
==31093== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==31093== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==31093== Command: /home/abuild/rpmbuild/BUILD/zziplib-0.13.62/Linux_4.4.49-16-default_x86_64.d/bins/.libs/unzzipcat-mem /tmp/00150-zziplib-heapoverflow-__zzip_get32
==31093==
==31093==
==31093== HEAP SUMMARY:
==31093==     in use at exit: 88 bytes in 2 blocks
==31093==   total heap usage: 2 allocs, 0 frees, 88 bytes allocated
==31093==
==31093== LEAK SUMMARY:
==31093==    definitely lost: 24 bytes in 1 blocks
==31093==    indirectly lost: 64 bytes in 1 blocks
==31093==      possibly lost: 0 bytes in 0 blocks
==31093==    still reachable: 0 bytes in 0 blocks
==31093==         suppressed: 0 bytes in 0 blocks
==31093== Rerun with --leak-check=full to see details of leaked memory
==31093==
==31093== For counts of detected and suppressed errors, rerun with: -v
==31093== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 1 from 1)
(In reply to Dr. Werner Fink from comment #7)
> I also like to know why there are 10 bug reports for one package, compare
> with
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854727
>
> btw: here I can count 11 bugs in on report ... one is missed here?

I've filed info only from the initial link: http://seclists.org/oss-sec/2017/q1/354
(In reply to Dr. Werner Fink from comment #7)
> I also like to know why there are 10 bug reports for one package, compare
> with
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854727

According to policy a single bug is created per assigned CVE for being able to better track each issue in the update workflow.

> btw: here I can count 11 bugs in on report ... one is missed here?

This is probably due to bug 1024538 which turned out to be a duplicate of bug 1024532 shortly after being reported on oss-sec.
(In reply to Dr. Werner Fink from comment #9)
> Please try to repoduce this with that patch enabled. This patch simply use
> the already autodected byte swap functionality instead trying to map little
> enmdoan on big endian.

Looks good with the patch. No more valgrind invalid reads.
Created attachment 718144 [details]
Patch that checks for z_datasize and uses the ZZIP_GET* macros.

While it seems to quiet valgrind, it doesn't really take care of the issue: the ZIP file (see below) has been corrupted by over-writing data tags and length values with more or less random data, and the zziplib code does not check these and reads whatever it finds.

I'm even surprised that valgrind seems to be happy, because when I tested the patch against 00150-zziplib-heapoverflow-__zzip_get32 (the reproducer referenced in http://www.openwall.com/lists/oss-security/2017/02/09/10) it still caused errors.

I have attached a patch that checks for the size of the record at hand and extracts data only if the size is big enough, using Werner's patch.
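The root cause discussed in this thread is a fetch helper that assembles a 32-bit little-endian value from wherever a record header points, without first proving that all of those bytes lie inside the buffer that was allocated for the entry; the fix described above is to check the record size before extracting fields. The following is an added illustration written for this page, not zziplib's code and not either attached patch. The record layout (a 4-byte tag, a 4-byte little-endian length, then payload) and every function name in it are constructed for the example; it shows a bounds-checked fetch beside the unchecked pattern, and a parser that rejects a header cut off mid-field as well as one whose declared length exceeds the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not zziplib code). The record layout is invented for the
 * demonstration: a 4-byte tag, a 4-byte little-endian payload length, then
 * the payload. Real ZIP headers are longer, but the hazard is identical:
 * every field read must be proven to lie inside the buffer first.
 */

/* Unchecked fetch, the hazardous pattern: the caller is trusted to have
 * verified that buf[off .. off+3] exist. Assembling the value byte by byte
 * makes it independent of host endianness, so no byte-swap step is needed. */
static uint32_t get32_unchecked(const uint8_t *buf, size_t off)
{
    return (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
}

/* Checked fetch: returns 1 and stores the value only when all four bytes are
 * inside [buf, buf + len). Written as len - off < 4 rather than off + 4 > len
 * so a huge off cannot wrap the addition and slip past the test. */
static int get32_checked(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return 0;
    *out = get32_unchecked(buf, off);
    return 1;
}

/* Parse one record. Returns the payload length on success, -1 when the header
 * is truncated or the declared length exceeds the bytes that are present. */
static long parse_record(const uint8_t *buf, size_t len, uint32_t *tag_out)
{
    uint32_t tag, size;
    if (!get32_checked(buf, len, 0, &tag))  return -1;  /* tag field cut off */
    if (!get32_checked(buf, len, 4, &size)) return -1;  /* length field cut off */
    if (size > len - 8)                      return -1;  /* claims more payload than exists */
    if (tag_out) *tag_out = tag;
    return (long)size;
}

/* Constructed inputs for the demonstration. */
static const uint8_t good_record[] = {
    0x44, 0x33, 0x22, 0x11,        /* tag 0x11223344 */
    0x03, 0x00, 0x00, 0x00,        /* payload length 3 */
    'a', 'b', 'c'
};
/* Header cut off two bytes into the length field: an unchecked 4-byte fetch
 * here would read past the end of the allocation, the shape ASan reported. */
static const uint8_t truncated_record[] = { 0x44, 0x33, 0x22, 0x11, 0x03, 0x00 };
/* Complete header whose length field claims far more payload than exists. */
static const uint8_t oversized_record[] = {
    0x44, 0x33, 0x22, 0x11, 0xff, 0xff, 0xff, 0x7f, 'a'
};

long demo_good(void)      { return parse_record(good_record, sizeof good_record, NULL); }
long demo_truncated(void) { return parse_record(truncated_record, sizeof truncated_record, NULL); }
long demo_oversized(void) { return parse_record(oversized_record, sizeof oversized_record, NULL); }
uint32_t demo_good_tag(void)
{
    uint32_t tag = 0;
    parse_record(good_record, sizeof good_record, &tag);
    return tag;
}

int main(void)
{
    printf("good:      %ld\n", demo_good());       /* 3 */
    printf("truncated: %ld\n", demo_truncated());  /* -1 */
    printf("oversized: %ld\n", demo_oversized());  /* -1 */
    printf("tag:       0x%08x\n", demo_good_tag()); /* 0x11223344 */
    return 0;
}
```

The two rejections map onto the two observations in this thread: the truncated header is what produces an out-of-bounds read in an unchecked fetch, and the oversized length is the "reads whatever it finds" case that a byte-swap fix alone leaves untouched. Under a sanitizer or valgrind, only the checked variant is silent on both inputs.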
request id 129777
SUSE-SU-2017:1095-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539
CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981
Sources used:

SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    zziplib-0.13.62-9.1
openSUSE-SU-2017:1210-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539
CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981
Sources used:

openSUSE Leap 42.2 (src):    zziplib-0.13.62-10.3.1
openSUSE Leap 42.1 (src):    zziplib-0.13.62-10.1
released