Bug 1174844 (CVE-2014-8139) - CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-2014-011)
Summary: CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-201...
Alias: CVE-2014-8139
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Frantisek Sumsal
Depends On: 1191118 1196120 1196121 1196122 1196123
Blocks: 1174865
TreeView+ depends on / blocked
Reported: 2014-12-16 15:24 UTC by Tomas Hoger
Modified: 2023-09-07 18:39 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option.
Clone Of:
Last Closed: 2015-03-18 21:11:14 UTC

Attachments (Terms of Use)
Upstream patch (1.69 KB, patch)
2014-12-16 15:26 UTC, Tomas Hoger
no flags Details | Diff
patch for fedora (1.70 KB, patch)
2014-12-22 12:06 UTC, Petr Stodulka
no flags Details | Diff
Corrected upstream patch (1.73 KB, patch)
2015-02-09 19:46 UTC, Tomas Hoger
no flags Details | Diff
last corrected upstream patch (3.32 KB, patch)
2015-02-10 15:51 UTC, Petr Stodulka
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1360443 0 None None None Never
Red Hat Product Errata RHSA-2015:0700 0 normal SHIPPED_LIVE Moderate: unzip security update 2015-03-18 22:58:14 UTC

Description Tomas Hoger 2014-12-16 15:24:35 UTC
oCERT reports unzip flaw discovered by Michele Spagnuolo, Google Security Team.

I would like to report a heap overflow condition in the CRC32 verification
of unzip, which may result in arbitrary code execution.

It can be triggered by passing a maliciously crafted zip files to unzip -t
(version 6.00, both InfoZip and Debian).


The problem was an unrealistic/invalid value in a .ZIP Extra Field.  There was
a check (in extract.c:TestExtraField()) for an extra-block length that was too
large, but no check for a too-small value.  In this example, the length
(ebLen) was 1, and when "(ebLen-4)" was passed to crc32(), bad things

A revised extract.c (which adds a new check and error message) should be
available here:



Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Michele Spagnuolo of the Google Security Team as the original reporter.

Comment 2 Tomas Hoger 2014-12-16 15:26:48 UTC
Created attachment 969598 [details]
Upstream patch

Upstream fix, as described in comment 0.

Comment 4 Petr Stodulka 2014-12-22 12:06:21 UTC
Created attachment 971984 [details]
patch for fedora

Original patch has wrong metadadata - '--- extract.c;-1'. Corrected file with and added paths suitable for our package on Fedora/RHEL.

Comment 5 Huzaifa S. Sidhpurwala 2014-12-22 15:50:23 UTC
External Reference:


Comment 6 Andrew Gallagher 2015-01-16 05:51:52 UTC
Sorry if I'm mistaken, but I think this patch is causing "unzip -t" to now fail on executable JARs, which added the additional executable-jar extra field (http://stackoverflow.com/tags/executable-jar/info).

With this patch, extra fields that list a length of zero fail:

$ touch foo
$ jar cvf foo.jar foo
$ unzip -t foo.jar
Archive:  foo.jar
    testing: META-INF/               bad extra-field entry:
      EF block length (0 bytes) invalid (< 4)
    testing: META-INF/MANIFEST.MF     OK
    testing: foo                      OK
At least one error was detected in foo.jar.

Looking at the patch, it seems wrong since I *think* the spec allows this (but I wasn't sure of this).

Comment 9 Tomas Hoger 2015-02-09 19:45:11 UTC
(In reply to Andrew Gallagher from comment #6)
> Sorry if I'm mistaken, but I think this patch is causing "unzip -t" to now
> fail on executable JARs, which added the additional executable-jar extra
> field (http://stackoverflow.com/tags/executable-jar/info).

Upstream report of the issue is:


Upstream acknowledged that the patch was incorrect and changed it to only perform the underflow check for the affected extra field type.  I will attach updated patch version, based on the extract.c version linked from the upstream forum.

Comment 10 Tomas Hoger 2015-02-09 19:46:28 UTC
Created attachment 989833 [details]
Corrected upstream patch

Comment 11 Tomas Hoger 2015-02-09 20:01:12 UTC
The original report suggests code execution impact, but that does not seem to be correct.  As reported, there is and integer underflow triggered by extra field of type EF_PKVMS and with length value less than 4 (i.e. 0-3).  This leads to crc32() function called with length argument close to 2^32 (regardless of the system architecture), and leads to buffer over-read.  This over-read is long - it will trigger crash on 32bit systems, and is likely to trigger crash on 64bit systems as well.  As values read from the buffer are used to compute CRC value and are not copied to some other buffer, this does not corrupt memory, and hence does not have code execution impact.

Affected code is only reached when running unzip in the test mode (unzip -t), but not when extracting zip archives.

Comment 12 Tomas Hoger 2015-02-10 13:36:55 UTC
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1191118]

Comment 13 Petr Stodulka 2015-02-10 15:51:28 UTC
Created attachment 990132 [details]
last corrected upstream patch

This is upstream patch which is part of last devel version. There are aesthetic (more readable) changes.

Comment 14 Fedora Update System 2015-02-16 03:25:42 UTC
unzip-6.0-20.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2015-02-23 23:25:16 UTC
unzip-6.0-17.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Martin Prpič 2015-02-25 10:25:05 UTC

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates in Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/

Comment 21 Dave Sullivan 2015-03-17 13:15:31 UTC
Hi Tomas,

Can you be more specific on comment #11?

I'm assuming by crash you mean userspace unzip crash and not system crash.

I'm fairly certain that is what you are inferring but figured I'd ask anyway.



Comment 22 errata-xmlrpc 2015-03-18 18:59:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0700 https://rhn.redhat.com/errata/RHSA-2015-0700.html

Note You need to log in before you can comment on or make changes to this bug.