Bug 1597486 (CVE-2018-12913)

Summary: CVE-2018-12913 miniz: Infinite loop in tinfl_decompress() allows for denial of service via crafted file
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ppisar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:31:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1597487, 1597488, 1597489    
Bug Blocks:    

Description Sam Fowler 2018-07-03 04:10:42 UTC 
Miniz through version 2.0.7 has an infinite loop in the tinfl_decompress() function. An attacker could exploit this to cause a denial of service via crafted file.


Upstream Issue:

https://github.com/richgel999/miniz/issues/90
Comment 1 Sam Fowler 2018-07-03 04:11:08 UTC 
Created miniz tracking bugs for this issue:

Affects: epel-all [bug 1597488]
Affects: fedora-all [bug 1597487]
Comment 3 Sam Fowler 2018-07-03 04:34:25 UTC 
Reproduced with miniz-1.15-7.r4.fc27.x86_64:

sh-4.4# gdb -q example3 
Reading symbols from example3...done.
(gdb) r d dos-an-infinite-loop-miniz_tinfl-c-398.poc out
Starting program: /builddir/example3 d dos-an-infinite-loop-miniz_tinfl-c-398.poc out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
miniz.c version: 9.1.15
Mode: d, Level: 9
Input File: "dos-an-infinite-loop-miniz_tinfl-c-398.poc"
Output File: "out"
Input file size: 16384
^C
Program received signal SIGINT, Interrupt.
0x00007ffff6c1402f in tinfl_decompress (r=r@entry=0x62e000000400, pIn_buf_next=<optimized out>, pIn_buf_size=pIn_buf_size@entry=0x7fffffffe328, 
    pOut_buf_start=pOut_buf_start@entry=0x62e000002f0c "", pOut_buf_next=<optimized out>, pOut_buf_size=pOut_buf_size@entry=0x7fffffffe330, decomp_flags=<optimized out>) at miniz.c:1586
1586	miniz.c: No such file or directory.
Missing separate debuginfos, use: dnf debuginfo-install libasan-7.3.1-5.fc27.x86_64 libgcc-7.3.1-5.fc27.x86_64 libstdc++-7.3.1-5.fc27.x86_64
(gdb) bt
#0  0x00007ffff6c1402f in tinfl_decompress (r=r@entry=0x62e000000400, pIn_buf_next=<optimized out>, pIn_buf_size=pIn_buf_size@entry=0x7fffffffe328, 
    pOut_buf_start=pOut_buf_start@entry=0x62e000002f0c "", pOut_buf_next=<optimized out>, pOut_buf_size=pOut_buf_size@entry=0x7fffffffe330, decomp_flags=<optimized out>) at miniz.c:1586
#1  0x00007ffff6c15658 in mz_inflate (pStream=0x7fffffffe410, flush=<optimized out>) at miniz.c:1271
#2  0x0000000000401a62 in main (argc=4, argv=0x7fffffffe5b8) at example3.c:221

sh-4.4# ./example3 d dos-an-infinite-loop-miniz_tinfl-c-398.poc out &>/dev/null &
[1] 128
sh-4.4# ps aux | grep example3
root       128 68.5  0.0 21474916484 10188 ?   R    14:32   0:08 ./example3 d dos-an-infinite-loop-miniz_tinfl-c-398.poc out # Note CPU and virtual memory
Comment 5 Petr Pisar 2021-08-11 12:27:29 UTC 
2.2.0 is still affected. Upstream cannot understand that a bogus archive is a vulnerability in the code.
Comment 6 Petr Pisar 2022-11-01 11:42:31 UTC 
3.0.0 is still affected.