Bug 1260944 (CVE-2015-7696, CVE-2015-7697) - CVE-2015-7696 CVE-2015-7697 unzip: Heap overflow and DoS in 6.0
Summary: CVE-2015-7696 CVE-2015-7697 unzip: Heap overflow and DoS in 6.0
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-7696, CVE-2015-7697
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1260947
Blocks: 1260945
Reported: 2015-09-08 09:37 UTC by Adam Mariš
Modified: 2019-09-29 13:36 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-01 19:14:41 UTC


Attachments
proposed fix (1.88 KB, patch), 2015-09-14 16:28 UTC, Kamil Dudka, flags: kdudka: review?
[PATCH] extract: prevent unsigned overflow on invalid input (1.29 KB, patch), 2015-09-22 17:22 UTC, Kamil Dudka, flags: scorneli: review+

Description Adam Mariš 2015-09-08 09:37:28 UTC
Two vulnerabilities were found in unzip 6.0, namely a heap overflow and a denial of service.

The public post, together with the error report and reproducers, is available at:

http://seclists.org/oss-sec/2015/q3/512

Comment 1 Adam Mariš 2015-09-08 09:39:51 UTC
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1260947]

Comment 2 Kamil Dudka 2015-09-14 16:28:53 UTC
Created attachment 1073339 [details]
proposed fix

Comment 3 Kamil Dudka 2015-09-14 18:14:00 UTC
(In reply to Kamil Dudka from comment #2)
> Created attachment 1073339 [details]
> proposed fix

Second part of the patch proposed upstream:

https://sourceforge.net/p/infozip/patches/23/

Comment 5 Stefan Cornelius 2015-09-15 13:35:54 UTC
The bzip2 compression support is broken in RHEL6 due to an error in the unzip-6.0-bzip2-configure.patch - it passes the -DBZIP2_SUPPORT flag, but (additionally?) requires -DUSE_BZIP2, or it will not process the sigxcpu.zip reproducer:
   skipping: 8?H?                    `bzip2' method not supported

If we compile the RHEL6 version with proper flags, it's affected by the same issue.

Comment 6 Stefan Cornelius 2015-09-15 15:30:25 UTC
RHEL5 does not support bzip2, so the sigxcpu.zip reproducer has no impact. It is affected by the segfault issue, though.

Comment 8 Fedora Update System 2015-09-21 10:48:45 UTC
unzip-6.0-23.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Kamil Dudka 2015-09-22 17:22:02 UTC
Created attachment 1075942 [details]
[PATCH] extract: prevent unsigned overflow on invalid input

Comment 14 Fedora Update System 2015-09-22 22:53:48 UTC
unzip-6.0-22.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Stefan Cornelius 2015-09-23 09:43:56 UTC
Comment on attachment 1075942 [details]
[PATCH] extract: prevent unsigned overflow on invalid input

Very good! (Not 100% sure how the review system works. This patch looks good and can go ahead, I hope that's also reflected in the flags. If not, simply ignore the flags).

Comment 16 Kamil Dudka 2015-09-23 10:48:21 UTC
Thanks for review!  The patch is now included in unzip-6.0-24.fc24:

http://pkgs.fedoraproject.org/cgit/unzip.git/commit/?id=d18f821e

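The second attachment above is titled "extract: prevent unsigned overflow on invalid input". The patch body is not reproduced on this page, so the following is an added, generic illustration of that bug class and is not the unzip code, the unzip patch, or the ZIP format: a length field under attacker control is subtracted from another length using unsigned arithmetic, the result wraps, and a subsequent "is it positive?" check passes. The record layout (4-byte body length, 2-byte extra-field length, extra field, payload) and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian field readers for the constructed record layout. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked pattern: payload = body_len - extra_len is computed in unsigned
 * arithmetic. If extra_len > body_len the subtraction wraps to a huge value,
 * and the "payload > 0" test is always true for the wrapped result, so a
 * caller that trusts the returned length will read or copy far past the
 * buffer (the same shape of bug as an unchecked length in an archive
 * extractor). This function only returns the bad length; it does no copy. */
size_t payload_len_unchecked(const uint8_t *buf, size_t n)
{
    if (n < 6)
        return 0;
    uint32_t body_len  = rd_le32(buf);
    uint16_t extra_len = rd_le16(buf + 4);
    uint32_t payload   = body_len - extra_len;   /* wraps on invalid input */
    if (payload > 0)                             /* passes even when wrapped */
        return payload;
    return 0;
}

/* Checked pattern: validate every length against what is actually present
 * before doing any arithmetic that could wrap. Returns 0 on success and
 * writes the payload length to *out; returns -1 and writes nothing on
 * invalid input. */
int payload_len_checked(const uint8_t *buf, size_t n, size_t *out)
{
    if (n < 6)
        return -1;
    uint32_t body_len  = rd_le32(buf);
    uint16_t extra_len = rd_le16(buf + 4);
    if (body_len > n - 6)          /* body claims more bytes than the buffer holds */
        return -1;
    if (extra_len > body_len)      /* would wrap the subtraction below */
        return -1;
    *out = (size_t)(body_len - extra_len);
    return 0;
}

/* Constructed sample records (not taken from any real archive). */
static const uint8_t good_rec[] = {
    10, 0, 0, 0,             /* body_len = 10 */
    4, 0,                    /* extra_len = 4 */
    1, 2, 3, 4,              /* extra field */
    5, 6, 7, 8, 9, 10        /* 6-byte payload */
};

static const uint8_t bad_rec[] = {
    2, 0, 0, 0,              /* body_len = 2 */
    6, 0,                    /* extra_len = 6, larger than body_len */
    0xAA, 0xBB               /* only 2 bytes of body follow */
};

int main(void)
{
    size_t len = 0;

    printf("good, unchecked: %zu\n", payload_len_unchecked(good_rec, sizeof good_rec));
    printf("good, checked:   rc=%d len=%zu\n",
           payload_len_checked(good_rec, sizeof good_rec, &len), len);

    /* On the malformed record the unchecked version hands back a wrapped,
     * multi-gigabyte length; the checked version rejects it. */
    printf("bad, unchecked:  %zu\n", payload_len_unchecked(bad_rec, sizeof bad_rec));
    printf("bad, checked:    rc=%d\n",
           payload_len_checked(bad_rec, sizeof bad_rec, &len));
    return 0;
}
```

The point a reviewer looks for in a fix like the attached one is that the comparison happens on the raw lengths (is extra_len larger than body_len, is body_len larger than the bytes remaining) rather than on the result of an unsigned subtraction, because once the subtraction has wrapped no sign test can recover the error.
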
Comment 17 Fedora Update System 2015-10-05 22:52:47 UTC
unzip-6.0-22.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
