Bug 1260944 - (CVE-2015-7696, CVE-2015-7697) CVE-2015-7696 CVE-2015-7697 unzip: Heap overflow and DoS in 6.0
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150907,repor...
: Security
Depends On: 1260947
Blocks: 1260945
Reported: 2015-09-08 05:37 EDT by Adam Mariš
Modified: 2016-06-01 15:14 EDT
Doc Type: Bug Fix
Last Closed: 2016-06-01 15:14:41 EDT

Attachments
proposed fix (1.88 KB, patch)
2015-09-14 12:28 EDT, Kamil Dudka
kdudka: review?
[PATCH] extract: prevent unsigned overflow on invalid input (1.29 KB, patch)
2015-09-22 13:22 EDT, Kamil Dudka
scorneli: review+

Description Adam Mariš 2015-09-08 05:37:28 EDT
Two vulnerabilities were found in unzip 6.0, namely a heap overflow and a denial of service.

A public post, together with an error report and reproducers, is available at:

http://seclists.org/oss-sec/2015/q3/512
Comment 1 Adam Mariš 2015-09-08 05:39:51 EDT
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1260947]
Comment 2 Kamil Dudka 2015-09-14 12:28:53 EDT
Created attachment 1073339
proposed fix
Comment 3 Kamil Dudka 2015-09-14 14:14:00 EDT
(In reply to Kamil Dudka from comment #2)
> Created attachment 1073339
> proposed fix

Second part of the patch proposed upstream:

https://sourceforge.net/p/infozip/patches/23/
Comment 5 Stefan Cornelius 2015-09-15 09:35:54 EDT
The bzip2 compression support is broken in RHEL6 due to an error in the unzip-6.0-bzip2-configure.patch - it passes the -DBZIP2_SUPPORT flag, but (additionally?) requires -DUSE_BZIP2, or it will not process the sigxcpu.zip reproducer:
   skipping: 8?H?                    `bzip2' method not supported

If we compile the RHEL6 version with proper flags, it's affected by the same issue.
Comment 6 Stefan Cornelius 2015-09-15 11:30:25 EDT
RHEL5 does not support bzip2, so the sigxcpu.zip reproducer has no impact. It is affected by the segfault issue, though.
Comment 8 Fedora Update System 2015-09-21 06:48:45 EDT
unzip-6.0-23.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Kamil Dudka 2015-09-22 13:22 EDT
Created attachment 1075942
[PATCH] extract: prevent unsigned overflow on invalid input
Comment 14 Fedora Update System 2015-09-22 18:53:48 EDT
unzip-6.0-22.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Stefan Cornelius 2015-09-23 05:43:56 EDT
Comment on attachment 1075942
[PATCH] extract: prevent unsigned overflow on invalid input

Very good! (Not 100% sure how the review system works. This patch looks good and can go ahead, I hope that's also reflected in the flags. If not, simply ignore the flags).
Comment 16 Kamil Dudka 2015-09-23 06:48:21 EDT
Thanks for review!  The patch is now included in unzip-6.0-24.fc24:

http://pkgs.fedoraproject.org/cgit/unzip.git/commit/?id=d18f821e
Comment 17 Fedora Update System 2015-10-05 18:52:47 EDT
unzip-6.0-22.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
