A buffer overflow vulnerability was found in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999.

The original Ubuntu bug report:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

Proposed fix:
http://seclists.org/oss-sec/2016/q4/600

References:
http://seclists.org/oss-sec/2016/q4/594
This bug is pretty much identical to the similar problem fixed in unzip's list_files() - see CVE-2014-9913 / bug 1401865.

This issue is caught by FORTIFY_SOURCE, limiting its impact to a crash of the zipinfo command. Therefore, the issue is not planned to be corrected in the unzip packages in Red Hat Enterprise Linux 5, 6, and 7.

(In reply to Andrej Nemec from comment #0)
> Proposed fix:
>
> http://seclists.org/oss-sec/2016/q4/600

Noting proposed fix here for posterity:

ALP $ gdiff zipinfo.c;39 zipinfo.c
2568c2568,2579
< sprintf(&methbuf[1], "%03u", G.crec.compression_method);
---
> /* 2016-12-05 SMS.
> * https://launchpad.net/bugs/1643750
> * Unexpectedly large compression methods overflow
> * &methbuf[]. Use the old, three-digit decimal format
> * for values which fit. Otherwise, sacrifice the "u",
> * and use four-digit hexadecimal.
> */
> if (G.crec.compression_method <= 999) {
> sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
> } else {
> sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
> }

I.e. a fix similar to the one that was used to fix the CVE-2014-9913 issue (see bug 1191136 comment 1).

zipinfo.c from unzip 6.0 with the patch applied can be found here:
http://antinode.info/ftp/info-zip/unzip60/zipinfo.c
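Review bot: the `%04X` branch only bounds the write if G.crec.compression_method never exceeds 0xFFFF; `%04X` is a minimum field width, not a maximum, so a wider value would overrun &methbuf[] exactly as the `%03u` case did. Replacing both `sprintf` calls with `snprintf(..., sizeof methbuf, ...)`, or at least stating the four-hex-digit assumption in the comment next to the `<= 999` test, would make the bound explicit rather than implied. Minor: the new lines use `sprintf( &methbuf[ 1],` spacing that differs from the surrounding `sprintf(&methbuf[1], ...)` style.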
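The following is an added example, not code from unzip, the bug report, or the proposed patch. It models the methbuf formatting discussed in this thread: a fixed-size buffer sized for the "uNNN" form, a helper that shows how many bytes the original "%03u" formatting actually needs once the compression method exceeds 999, and a hardened formatter that follows the shape of the proposed fix (decimal for values up to 999, four hex digits otherwise) but bounds every write with snprintf and reports failure instead of overflowing. The buffer size METHBUF_LEN and the names method_bytes_needed and format_method are assumptions of this example, not identifiers from zipinfo.c.

```c
/* Added example modelling the zipinfo methbuf overflow and its fix.
 * Not from the unzip sources; METHBUF_LEN and the function names below
 * are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size: room for "uNNN" or "XXXX" plus the terminating NUL. */
#define METHBUF_LEN 5

/* Bytes (including NUL) that the original 'u' + "%03u" formatting would
 * write for a given method value: 1 for 'u', at least 3 digits (one more
 * per extra order of magnitude), plus the NUL. Anything above 999 needs
 * more than METHBUF_LEN bytes, which is the overflow described above. */
size_t method_bytes_needed(unsigned method)
{
    char tmp[16];
    int digits = snprintf(tmp, sizeof tmp, "%03u", method);
    return 1 + (size_t)digits + 1;
}

/* Hardened formatter: returns 0 on success, -1 if the value cannot be
 * represented in buflen bytes. Mirrors the proposed fix (decimal "uNNN"
 * when the value fits in three digits, four hex digits otherwise, giving
 * up the 'u' marker), but uses snprintf so an unexpectedly wide value is
 * rejected rather than written past the end of the buffer. */
int format_method(unsigned method, char *buf, size_t buflen)
{
    int n;
    if (buflen < METHBUF_LEN)
        return -1;
    if (method <= 999) {
        buf[0] = 'u';
        n = snprintf(&buf[1], buflen - 1, "%03u", method);
        return (n >= 0 && (size_t)n < buflen - 1) ? 0 : -1;
    }
    n = snprintf(buf, buflen, "%04X", method);
    return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

int main(void)
{
    char buf[METHBUF_LEN];
    /* Constructed sample values: a normal method, the boundary, the first
     * overflowing value, and the largest 16-bit field value. */
    unsigned samples[] = { 8, 999, 1000, 65535 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("method %5u needs %zu bytes as 'u' + \"%%03u\"; ",
               samples[i], method_bytes_needed(samples[i]));
        if (format_method(samples[i], buf, sizeof buf) == 0)
            printf("hardened formatter gives \"%s\"\n", buf);
        else
            printf("hardened formatter rejects it\n");
    }
    return 0;
}
```

Running it shows that 8 and 999 still produce the familiar "u008"/"u999", while 1000 and 65535 need 6 and 7 bytes under the old format (more than the 5-byte buffer) and come out as "03E8" and "FFFF" from the hardened path; a value that does not fit even in four hex digits is refused instead of corrupting memory.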
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1404283]
This issue is planned to be fixed in a future upstream version, which might be called either 6.1 or 7.0. Removed "Fixed In Version" information for now.