Bug 431438 (CVE-2008-0888)

Summary: CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kreilly, security-response-team, varekova
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-25 08:27:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 436530, 436531, 437927    
Bug Blocks:    
Attachments:
Description Flags
Patch against 5.5.2 proposed by Tavis none

Description Tomas Hoger 2008-02-04 15:16:58 UTC 
Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() memory block pointed to by uninitialized pointer or memory block, which
was already freed.  This can cause unzip to crash (SEGV) during extraction of
malicious zip file, possibly allowing code execution.

Further details from Tavis:

  the inflate_dynamic() routine (~978, inflate.c) uses a macro
  NEEDBITS() that jumps execution to a cleanup routine on error, this
  routine attempts to free() two buffers allocated during the inflate
  process. At certain locations, the NEEDBITS() macro is used while the
  pointers are not pointing to valid buffers, they are either
  uninitialised or pointing inside a block that has already been free()d
  (ie, not pointing at the block, but at a location inside it).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
Comment 2 Tomas Hoger 2008-02-04 15:20:50 UTC 
Created attachment 293893 [details]
Patch against 5.5.2 proposed by Tavis
Comment 3 Josh Bressers 2008-03-07 13:35:22 UTC 
This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.
Comment 6 Tomas Hoger 2008-03-18 07:30:08 UTC 
Public now:

http://taviso.decsystem.org/research.html
https://issues.rpath.com/browse/RPL-2317
http://marc.info/?l=full-disclosure&m=120579856512587&w=4
Comment 8 Tomas Hoger 2008-03-18 07:55:10 UTC 
Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client
application DoS, which is not considered a security issue.  I've filed tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.
Comment 9 Red Hat Product Security 2008-07-25 08:27:58 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0196.html