Bug 1543941 (CVE-2018-6869)

Summary: CVE-2018-6869 zziplib: uncontrolled memory allocation in __zzip_parse_root_directory in zzip/zip.c
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abokovoy, jamartis, rschiron
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: zziplib 0.13.68
Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled memory allocation was found in ZZIPlib that could lead to a crash in the __zzip_parse_root_directory function of zzip/zip.c if the package is compiled with Address Sanitizer. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-15 17:31:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1543942, 1545309, 1545818
Bug Blocks: 1543953

Description Laura Pardo 2018-02-09 15:44:37 UTC
A flaw was found in ZZIPlib prior to version 0.13.68. There is an uncontrolled
memory allocation and, when the library is compiled with AddressSanitizer v4, a
crash in the __zzip_parse_root_directory function of zzip/zip.c. Remote
attackers could leverage this vulnerability to cause a denial of service via a
crafted zip file.

Upstream issue:
https://github.com/gdraheim/zziplib/issues/22

Upstream patch:
https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3

Comment 1 Laura Pardo 2018-02-09 15:45:01 UTC
Created zziplib tracking bugs for this issue:

Affects: fedora-all [bug 1543942]

Comment 3 Riccardo Schirone 2018-02-14 14:03:44 UTC
In [1] it is stated that version 0.13.68 is affected as well, but after further analysis we could not reproduce the issue there. Moreover, the crash happens only when the library is compiled with AddressSanitizer v4, which reports an error when it tries to allocate a huge amount of memory [2]. When the library is compiled with AddressSanitizer v5 and the option `allocator_may_return_null=1` is used, the library correctly handles the malformed zip.

[1] https://github.com/gdraheim/zziplib/issues/22
[2] https://github.com/google/sanitizers/issues/889
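Added example (not zziplib code and not the upstream fix): the two defensive points behind Comment 3 are that an allocation size taken from an archive header must be bounded by something the parser can trust, and that a NULL from the allocator (the behaviour `allocator_may_return_null=1` restores under ASan) must be treated as a parse error rather than dereferenced. The C below parses a zip end-of-central-directory (EOCD) record, caps the claimed entry count by the directory size that actually fits in the file, and only then allocates. The struct names, `parse_eocd`, `alloc_entry_table` and the sample-building helpers are hypothetical; the only format facts used are the public EOCD layout and the 46-byte fixed size of a central-directory file header, and non-zip64 archives (16-bit entry counts) are assumed. The input archives are constructed in the block itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed sizes from the zip format: the EOCD record and the fixed part of a
 * central-directory file header. Every real entry occupies at least 46 bytes. */
#define EOCD_BYTES 22u
#define CDIR_ENTRY_MIN_BYTES 46u
#define EOCD_SIGNATURE 0x06054b50u

/* Per-entry bookkeeping a parser would keep; a stand-in, not zziplib's struct. */
typedef struct { uint32_t local_header_offset; } entry_t;

/* Fields of the EOCD record that drive allocation (hypothetical struct). */
typedef struct {
    uint16_t total_entries;
    uint32_t cdir_size;
    uint32_t cdir_offset;
} eocd_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the EOCD record at the end of `file`. Returns 0 on success, -1 if the
 * record is missing or its values cannot describe a directory inside the file.
 * The entry count is bounded by the directory size, which is itself bounded by
 * the file length, so no allocation size is taken from the header at face value. */
int parse_eocd(const uint8_t *file, size_t file_len, eocd_t *out)
{
    if (file_len < EOCD_BYTES) return -1;
    const uint8_t *p = file + file_len - EOCD_BYTES;
    if (rd32(p) != EOCD_SIGNATURE) return -1;
    out->total_entries = rd16(p + 10);
    out->cdir_size     = rd32(p + 12);
    out->cdir_offset   = rd32(p + 16);
    size_t before_eocd = file_len - EOCD_BYTES;            /* bytes the directory may occupy */
    if (out->cdir_offset > before_eocd) return -1;
    if (out->cdir_size > before_eocd - out->cdir_offset) return -1;
    if ((uint32_t)out->total_entries > out->cdir_size / CDIR_ENTRY_MIN_BYTES) return -1;
    return 0;
}

/* Allocate the entry table for an already validated EOCD. An empty directory
 * needs no table, and a NULL from calloc is passed up as failure, never used. */
entry_t *alloc_entry_table(const eocd_t *e)
{
    if (e->total_entries == 0) return NULL;
    return calloc(e->total_entries, sizeof(entry_t));
}

/* Constructed test input: `prefix_len` zero bytes (standing in for local
 * headers and the directory) followed by an EOCD carrying the given claims.
 * Returns the total length, or 0 if it does not fit in `cap`. */
size_t build_sample(uint8_t *buf, size_t cap, size_t prefix_len,
                    uint16_t entries, uint32_t cdir_size, uint32_t cdir_offset)
{
    if (prefix_len > cap || cap - prefix_len < EOCD_BYTES) return 0;
    memset(buf, 0, prefix_len + EOCD_BYTES);
    uint8_t *p = buf + prefix_len;
    wr32(p, EOCD_SIGNATURE);
    wr16(p + 8, entries);        /* entries on this disk */
    wr16(p + 10, entries);       /* total entries */
    wr32(p + 12, cdir_size);
    wr32(p + 16, cdir_offset);
    return prefix_len + EOCD_BYTES;
}

/* 1 if the claims in a constructed sample pass the trusted-bound checks, else 0. */
int eocd_accepted(size_t prefix_len, uint16_t entries, uint32_t cdir_size, uint32_t cdir_offset)
{
    uint8_t buf[1024];
    eocd_t e;
    size_t len = build_sample(buf, sizeof buf, prefix_len, entries, cdir_size, cdir_offset);
    return len != 0 && parse_eocd(buf, len, &e) == 0;
}

/* Full path: parse, then allocate. Returns the number of table slots obtained,
 * 0 when the claims were rejected, the directory is empty, or memory ran out. */
size_t entries_allocated(size_t prefix_len, uint16_t entries, uint32_t cdir_size, uint32_t cdir_offset)
{
    uint8_t buf[1024];
    eocd_t e;
    size_t len = build_sample(buf, sizeof buf, prefix_len, entries, cdir_size, cdir_offset);
    if (len == 0 || parse_eocd(buf, len, &e) != 0) return 0;
    entry_t *table = alloc_entry_table(&e);
    if (!table) return 0;
    free(table);
    return e.total_entries;
}

int main(void)
{
    printf("well-formed (2 entries, 92-byte directory): %zu slots\n", entries_allocated(92, 2, 92, 0));
    printf("oversized entry count rejected: %d\n", !eocd_accepted(92, 65535, 92, 0));
    printf("directory size beyond file rejected: %d\n", !eocd_accepted(92, 2, 0xFFFFFFFFu, 0));
    return 0;
}
```

The ordering matters: the file length bounds the directory size, the directory size bounds the entry count, and only the bounded count reaches `calloc`. Whether the allocator aborts (ASan v4) or returns NULL (ASan v5 with `allocator_may_return_null=1`, or plain libc) then no longer depends on a header field an archive author controls.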

Comment 9 Andrej Nemec 2018-05-14 13:57:29 UTC
Statement:

Red Hat Product Security has rated this issue as having security impact of Low. This issue does not affect the versions of ZZIPlib as shipped in Red Hat Enterprise Linux 7, unless the package is recompiled with Address Sanitizer. The flaw is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.