Bug 431438 (CVE-2008-0888)
|Summary:||CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer|
|Product:||[Other] Security Response||Reporter:||Tomas Hoger <thoger>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||unspecified||CC:||kreilly, security-response-team, varekova|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-07-25 08:27:58 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||436530, 436531, 437927|
Description Tomas Hoger 2008-02-04 15:16:58 UTC
Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to free() memory block pointed to by uninitialized pointer or memory block, which was already freed. This can cause unzip to crash (SEGV) during extraction of malicious zip file, possibly allowing code execution. Further details from Tavis: the inflate_dynamic() routine (~978, inflate.c) uses a macro NEEDBITS() that jumps execution to a cleanup routine on error, this routine attempts to free() two buffers allocated during the inflate process. At certain locations, the NEEDBITS() macro is used while the pointers are not pointing to valid buffers, they are either uninitialised or pointing inside a block that has already been free()d (ie, not pointing at the block, but at a location inside it). Acknowledgements: Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
Comment 2 Tomas Hoger 2008-02-04 15:20:50 UTC
Created attachment 293893 [details] Patch against 5.5.2 proposed by Tavis
Comment 3 Josh Bressers 2008-03-07 13:35:22 UTC
This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not allow a free on an invalid pointer.
Comment 6 Tomas Hoger 2008-03-18 07:30:08 UTC
Comment 8 Tomas Hoger 2008-03-18 07:55:10 UTC
Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client application DoS, which is not considered a security issue. I've filed tracking bug for rawhide, so that this issue is addressed in future Fedora and Red Hat Enterprise Linux versions.