Bug 1260944 (CVE-2015-7696, CVE-2015-7697)

Summary: CVE-2015-7696 CVE-2015-7697 unzip: Heap overflow and DoS in 6.0
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: branto, carnil, kdudka, mdshaikh, pstodulk, scorneli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-06-01 19:14:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1260947
Bug Blocks: 1260945
Attachments (description, flags):
- proposed fix (kdudka: review?)
- [PATCH] extract: prevent unsigned overflow on invalid input (scorneli: review+)

Description Adam Mariš 2015-09-08 09:37:28 UTC
Two vulnerabilities were found in unzip 6.0, namely a heap overflow and a denial of service.

A public post, together with the error report and reproducers, is available at:

http://seclists.org/oss-sec/2015/q3/512

Comment 1 Adam Mariš 2015-09-08 09:39:51 UTC
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1260947]

Comment 2 Kamil Dudka 2015-09-14 16:28:53 UTC
Created attachment 1073339 [details]
proposed fix

Comment 3 Kamil Dudka 2015-09-14 18:14:00 UTC
(In reply to Kamil Dudka from comment #2)
> Created attachment 1073339 [details]
> proposed fix

Second part of the patch proposed upstream:

https://sourceforge.net/p/infozip/patches/23/

Comment 5 Stefan Cornelius 2015-09-15 13:35:54 UTC
The bzip2 compression support is broken in RHEL6 due to an error in the unzip-6.0-bzip2-configure.patch - it passes the -DBZIP2_SUPPORT flag, but (additionally?) requires -DUSE_BZIP2, or it will not process the sigxcpu.zip reproducer:
   skipping: 8?H?                    `bzip2' method not supported

If we compile the RHEL6 version with proper flags, it's affected by the same issue.

Comment 6 Stefan Cornelius 2015-09-15 15:30:25 UTC
RHEL5 does not support bzip2, so the sigxcpu.zip reproducer has no impact. It is affected by the segfault issue, though.

Comment 8 Fedora Update System 2015-09-21 10:48:45 UTC
unzip-6.0-23.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Kamil Dudka 2015-09-22 17:22:02 UTC
Created attachment 1075942 [details]
[PATCH] extract: prevent unsigned overflow on invalid input

Comment 14 Fedora Update System 2015-09-22 22:53:48 UTC
unzip-6.0-22.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Stefan Cornelius 2015-09-23 09:43:56 UTC
Comment on attachment 1075942 [details]
[PATCH] extract: prevent unsigned overflow on invalid input

Very good! (Not 100% sure how the review system works. This patch looks good and can go ahead, I hope that's also reflected in the flags. If not, simply ignore the flags).

Comment 16 Kamil Dudka 2015-09-23 10:48:21 UTC
Thanks for review!  The patch is now included in unzip-6.0-24.fc24:

http://pkgs.fedoraproject.org/cgit/unzip.git/commit/?id=d18f821e

Comment 17 Fedora Update System 2015-10-05 22:52:47 UTC
unzip-6.0-22.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.