Bug 1401864 (CVE-2016-9844)

Summary: CVE-2016-9844 unzip: methbuf[] buffer overflow in zipinfo's zi_short()
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: jamartis, pstodulk, sardella
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2016-12-13 14:25:22 UTC
Bug Depends On: 1404283
Bug Blocks: 1401866

Description Andrej Nemec 2016-12-06 09:40:12 UTC
A buffer overflow vulnerability was found in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999.

The original Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

Proposed fix:

http://seclists.org/oss-sec/2016/q4/600

References:

http://seclists.org/oss-sec/2016/q4/594
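The overflow described above comes from formatting an unbounded value with "%03u" into a fixed buffer. The following is an added example, not unzip's code, of a bounded formatter that applies the same policy as the proposed fix (three decimal digits for values up to 999, four hex digits otherwise) and reports rather than overruns when a value does not fit; it assumes methbuf holds "u" plus three digits and a NUL, i.e. 5 bytes, which the bug report does not state.

```c
/* Added example (not unzip's code): a bounded version of the method tag
 * that zipinfo's zi_short() writes into methbuf[].
 * Assumption: methbuf is 5 bytes ("u" + three digits + NUL). */
#include <stdio.h>
#include <string.h>

#define METHBUF_SIZE 5

/* Returns 1 if "%03u" of v fits in the three bytes after the leading 'u'.
 * snprintf with a NULL buffer reports the length it would have written. */
int method_fits_decimal(unsigned int v) {
    return snprintf(NULL, 0, "%03u", v) <= 3;
}

/* Writes the method tag into buf (capacity len) without overflow.
 * Values <= 999 keep the old "uNNN" form; larger values use four hex
 * digits, the same policy as the proposed upstream fix.
 * Returns 0 on success, -1 if the output would not fit in buf. */
int format_method(char *buf, size_t len, unsigned int v) {
    int n;
    if (len < METHBUF_SIZE)
        return -1;
    if (v <= 999)
        n = snprintf(buf, len, "u%03u", v);
    else
        n = snprintf(buf, len, "%04X", v);
    /* snprintf truncates instead of overflowing; treat truncation as an error
     * so a value wider than four hex digits is never silently mangled. */
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void) {
    char methbuf[METHBUF_SIZE];
    /* Constructed sample values: ordinary, boundary, and out-of-range. */
    unsigned int samples[] = { 8, 999, 1000, 0xFFFF, 0x10000 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (format_method(methbuf, sizeof methbuf, samples[i]) == 0)
            printf("%u -> %s\n", samples[i], methbuf);
        else
            printf("%u -> does not fit in methbuf\n", samples[i]);
    }
    return 0;
}
```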

Comment 1 Tomas Hoger 2016-12-13 14:20:46 UTC
This bug is pretty much identical to the similar problem fixed in unzip's list_files() - see CVE-2014-9913 / bug 1401865.

This issue is caught by FORTIFY_SOURCE, limiting its impact to a crash of the zipinfo command.  Therefore, the issue is not planned to be corrected in the unzip packages in Red Hat Enterprise Linux 5, 6, and 7.

(In reply to Andrej Nemec from comment #0)
> Proposed fix:
> 
> http://seclists.org/oss-sec/2016/q4/600

Noting proposed fix here for posterity:

ALP $ gdiff zipinfo.c;39 zipinfo.c
2568c2568,2579
<         sprintf(&methbuf[1], "%03u", G.crec.compression_method);
---
>         /* 2016-12-05 SMS.
>          * https://launchpad.net/bugs/1643750
>          * Unexpectedly large compression methods overflow
>          * &methbuf[].  Use the old, three-digit decimal format
>          * for values which fit.  Otherwise, sacrifice the "u",
>          * and use four-digit hexadecimal.
>          */
>         if (G.crec.compression_method <= 999) {
>             sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
>         } else {
>             sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
>         }
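Review bot: the else branch `sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);` stays within four characters only while compression_method cannot exceed 0xFFFF, and the hunk does not show the field's type; replacing both calls with snprintf bounded by sizeof(methbuf) would make that limit explicit and turn any future overrun into truncation instead of a write past the buffer. Minor style point: the added lines use `sprintf( &methbuf[ 1], ...)` spacing that differs from the removed line's `sprintf(&methbuf[1], ...)`.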

I.e. a fix similar to the one that was used to fix the CVE-2014-9913 issue (see bug 1191136 comment 1).  zipinfo.c from unzip 6.0 with the patch applied can be found here:

http://antinode.info/ftp/info-zip/unzip60/zipinfo.c

Comment 2 Tomas Hoger 2016-12-13 14:23:21 UTC
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1404283]

Comment 3 Tomas Hoger 2016-12-13 14:25:22 UTC
This issue is planned to be fixed in the future upstream version, that might be called either 6.1 or 7.0.  Removed "Fixed In Version" information for now.