Bug 1024534 – VUL-1: CVE-2017-5977: zziplib: invalid memory read in zzip_mem_entry_extra_block (memdisk.c)

Bug 1024534 - (CVE-2017-5977) VUL-1: CVE-2017-5977: zziplib: invalid memory read in zzip_mem_entry_extra_block (memdisk.c)

(CVE-2017-5977)
Summary:	VUL-1: CVE-2017-5977: zziplib: invalid memory read in zzip_mem_entry_extra_bl...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:NVD:CVE-2017-5977:4.3:(AV:N/AC...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-02-09 14:31 UTC by Mikhail Kasimov
Modified:	2018-10-04 12:15 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mikhail Kasimov 2017-02-09 14:31:47 UTC

Ref: http://seclists.org/oss-sec/2017/q1/359
==============================================
Description:
zziplib is an intentionally lightweight library that offers the ability to 
easily extract data from files archived in a single zip file.

A fuzz on it discovered an invalid memory read.

The complete ASan output:

# unzzipcat-mem $FILE
==7950==ERROR: AddressSanitizer: SEGV on unknown address 0x603000014e32 (pc 
0x7f414b4c8693 bp 0x7fff48f3ff70 sp 0x7fff48f3fe40 T0)
==7950==The signal is caused by a READ memory access.
    #0 0x7f414b4c8692 in zzip_mem_entry_extra_block /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20
    #1 0x7f414b4c8692 in zzip_mem_entry_new /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:218
    #2 0x7f414b4c8692 in zzip_mem_disk_load /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f414b4c78b7 in zzip_mem_disk_open /tmp/portage/dev-
libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-
r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f414a60761f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/zziplib-0.13.62-
r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20 in zzip_mem_entry_extra_block
==7950==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00153-zziplib-invalidread-zzip_mem_entry_extra_block

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c

-- 
Agostino Sarubbo
Gentoo Linux Developer
==============================================

https://software.opensuse.org/package/zziplib

TW|42.(1|2): 0.13.62

A note about the multiple crashes in zziplib: http://seclists.org/oss-sec/2017/q1/365

Comment 1 Matthias Gerstner 2017-02-09 15:28:26 UTC

The only codestream SUSE:SLE-12:Update is affected.

The library seems to be only used for a texlive component: luatex -> luazip.

As the reporter of these issues says in:

  http://seclists.org/oss-sec/2017/q1/365

the upstream project appears dead and there was no release for five years.

QA reproducer:

Using the PoC file from

  https://github.com/asarubbo/poc/blob/master/00153-zziplib-invalidread-zzip_mem_entry_extra_block

I could reproduce the issue on Leap 42.2:

  - install zziplib-devel
  - run `valgrind unzzipcat-mem 00153-zziplib-invalidread-zzip_mem_entry_extra_block`
  - it will print an invalid read of size 2

Comment 2 Swamp Workflow Management 2017-02-09 23:01:25 UTC

bugbot adjusting priority

Comment 3 Matthias Gerstner 2017-02-14 10:00:40 UTC

CVE-2017-5977 has been assigned: http://www.openwall.com/lists/oss-security/2017/02/14/3

Comment 4 Josef Möllers 2017-03-23 09:35:20 UTC

request id 129777

Comment 5 Swamp Workflow Management 2017-04-24 13:09:33 UTC

SUSE-SU-2017:1095-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539
CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    zziplib-0.13.62-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    zziplib-0.13.62-9.1

Comment 6 Swamp Workflow Management 2017-05-08 16:20:47 UTC

openSUSE-SU-2017:1210-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1024517,1024528,1024531,1024532,1024533,1024534,1024535,1024536,1024537,1024539
CVE References: CVE-2017-5974,CVE-2017-5975,CVE-2017-5976,CVE-2017-5977,CVE-2017-5978,CVE-2017-5979,CVE-2017-5980,CVE-2017-5981
Sources used:
openSUSE Leap 42.2 (src):    zziplib-0.13.62-10.3.1
openSUSE Leap 42.1 (src):    zziplib-0.13.62-10.1

Comment 7 Marcus Meissner 2017-07-04 14:29:45 UTC

released