Bug 1401864 - (CVE-2016-9844) CVE-2016-9844 unzip: methbuf[] buffer overflow in zipinfo's zi_short()
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority/Severity: low / low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20161205,reported=2...
Keywords: Security
Depends On: 1404283
Blocks: 1401866

Reported: 2016-12-06 04:40 EST by Andrej Nemec
Modified: 2016-12-13 09:26 EST
CC: 3 users
Fixed In Version:
Last Closed: 2016-12-13 09:25:22 EST
Attachments: None

Description Andrej Nemec 2016-12-06 04:40:12 EST
A buffer overflow vulnerability was found in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999.

The original Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

Proposed fix:

http://seclists.org/oss-sec/2016/q4/600

References:

http://seclists.org/oss-sec/2016/q4/594
Comment 1 Tomas Hoger 2016-12-13 09:20:46 EST
This bug is pretty much identical to the similar problem fixed in unzip's list_files() - see CVE-2014-9913 / bug 1401865.

This issue is caught by FORTIFY_SOURCE, limiting its impact to a crash of the zipinfo command.  Therefore, the issue is not planned to be corrected in the unzip packages in Red Hat Enterprise Linux 5, 6, and 7.

(In reply to Andrej Nemec from comment #0)
> Proposed fix:
> 
> http://seclists.org/oss-sec/2016/q4/600

Noting proposed fix here for posterity:

ALP $ gdiff zipinfo.c;39 zipinfo.c
2568c2568,2579
<         sprintf(&methbuf[1], "%03u", G.crec.compression_method);
---
>         /* 2016-12-05 SMS.
>          * https://launchpad.net/bugs/1643750
>          * Unexpectedly large compression methods overflow
>          * &methbuf[].  Use the old, three-digit decimal format
>          * for values which fit.  Otherwise, sacrifice the "u",
>          * and use four-digit hexadecimal.
>          */
>         if (G.crec.compression_method <= 999) {
>             sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
>         } else {
>             sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
>         }
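Review bot: the hex branch `sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);` only stays within the buffer while compression_method is at most 16 bits wide (four hex digits plus the terminator), and the hunk shows neither methbuf's size nor the field's type; prefer `snprintf(methbuf, sizeof methbuf, "%04X", ...)` (and likewise in the decimal branch) so a later widening of the field cannot reintroduce the overflow the hunk is fixing. The new comment should also spell out the visible output change: values above 999 lose the "u" marker, so a reader of the listing can no longer tell an unknown method apart from a known one by prefix alone.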

I.e. a fix similar to the one that was used to fix the CVE-2014-9913 issue (see bug 1191136 comment 1).  zipinfo.c from unzip 6.0 with the patch applied can be found here:

http://antinode.info/ftp/info-zip/unzip60/zipinfo.c
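The overflow described in the report and the guard in the proposed fix above, as an added C example (not Info-ZIP's code): it reads the compression-method field out of a constructed central directory file header, computes how many bytes the original `u%03u` formatting would store for that value, and then applies the patched decimal-or-hex logic into a bounded buffer. The 5-byte size of methbuf ('u', three digits, NUL) and the use of snprintf are assumptions; the upstream patch itself uses sprintf and relies on the field being 16 bits wide.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Info-ZIP code. Models the methbuf[] handling in
 * zipinfo's zi_short() before and after the proposed fix. METHBUF_SIZE
 * is an assumption about the real buffer ('u' + "%03u" + NUL). */
#define METHBUF_SIZE 5

/* Central directory file header layout (ZIP APPNOTE): 4-byte signature
 * at offset 0, 2-byte little-endian compression method at offset 10,
 * fixed part is 46 bytes long. */
#define CDIR_SIG        0x02014b50UL
#define CDIR_METHOD_OFS 10
#define CDIR_FIXED_LEN  46

static uint16_t le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Extracts the compression method from a central directory file header.
 * Returns -1 if the buffer is too short or the signature is wrong. */
int cdir_compression_method(const unsigned char *hdr, size_t len)
{
    if (len < CDIR_FIXED_LEN || le32(hdr) != CDIR_SIG)
        return -1;
    return le16(hdr + CDIR_METHOD_OFS);
}

/* Bytes the original "u" + "%03u" formatting stores, NUL included.
 * For 1000..65535 this is 6 or 7, i.e. past a 5-byte methbuf: the bug. */
size_t old_format_bytes(unsigned method)
{
    return 1 + (size_t)snprintf(NULL, 0, "%03u", method) + 1;
}

/* Patched behaviour: 'u' plus three decimal digits when the value fits,
 * otherwise four hex digits and no 'u'. Bounded writes are an added
 * hardening; the upstream patch uses sprintf. */
void format_method(unsigned method, char methbuf[METHBUF_SIZE])
{
    if (method <= 999) {
        methbuf[0] = 'u';
        snprintf(&methbuf[1], METHBUF_SIZE - 1, "%03u", method);
    } else {
        snprintf(methbuf, METHBUF_SIZE, "%04X", method & 0xFFFFu);
    }
}

int main(void)
{
    /* Constructed sample: a 46-byte central directory header whose
     * compression method field holds 0xFFFF; all other fields are zero. */
    unsigned char hdr[CDIR_FIXED_LEN] = { 0x50, 0x4b, 0x01, 0x02 };
    hdr[CDIR_METHOD_OFS]     = 0xFF;
    hdr[CDIR_METHOD_OFS + 1] = 0xFF;

    int method = cdir_compression_method(hdr, sizeof hdr);
    char methbuf[METHBUF_SIZE];
    format_method((unsigned)method, methbuf);
    printf("method %d: original path would write %zu bytes into a %d-byte "
           "buffer; patched output is \"%s\"\n",
           method, old_format_bytes((unsigned)method), METHBUF_SIZE, methbuf);
    return 0;
}
```

Running it against a header carrying method 0xFFFF shows the original path writing 7 bytes into a 5-byte buffer (the FORTIFY_SOURCE abort mentioned in comment 1), while the patched path emits "FFFF".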
Comment 2 Tomas Hoger 2016-12-13 09:23:21 EST
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1404283]
Comment 3 Tomas Hoger 2016-12-13 09:25:22 EST
This issue is planned to be fixed in the future upstream version, that might be called either 6.1 or 7.0.  Removed "Fixed In Version" information for now.
