Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1010
Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138228

------- Additional Comments From rob.myers.edu 2004-11-09 06:40:18 -------

Here are updated zip packages to QA for rh73, rh90, and fc1:

- CAN-2004-1010 should be fixed

changelogs:

rh73:
* Tue Nov 09 2004 Rob Myers <rob.myers.edu> 2.3-12.1.legacy
- apply patch for CAN-2004-1010 (FL #2255)

rh9:
* Tue Nov 09 2004 Rob Myers <rob.myers.edu> 2.3-16.1.legacy
- apply patch for CAN-2004-1010 (FL #2255)

fc1:
* Tue Nov 09 2004 Rob Myers <rob.myers.edu> 2.3-18.1.legacy
- apply patch for CAN-2004-1010 (FL #2255)

sha1sums:

rh73:
b4e594bb8d235dfbfb4e626cae67727a1fdeb594  zip-2.3-12.1.legacy.i386.rpm
4e14d0ce637f94b13001bb6335883602a92277ec  zip-2.3-12.1.legacy.src.rpm

rh9:
febd215e2e6eea0424530c22250c0d3761774cd2  zip-2.3-16.1.legacy.i386.rpm
8b4ec1a0ec6fc26fa0e8ba195322cca7fa51ab80  zip-2.3-16.1.legacy.src.rpm
838f11429d1b98fe630d1014036046a00892b59f  zip-debuginfo-2.3-16.1.legacy.i386.rpm

fc1:
f16d5636c9608cfbb025b9ed2b8c3b9fe6e7848f  zip-2.3-18.1.legacy.i386.rpm
3ad0f8ef9c5e7226fd6ec1739522d815c5f5123c  zip-2.3-18.1.legacy.src.rpm
3f418a2f47a60c7577405aa0d4b2eb8c51a7639b  zip-debuginfo-2.3-18.1.legacy.i386.rpm

files:

rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-12.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-12.1.legacy.i386.rpm

rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-16.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-16.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-16.1.legacy.i386.rpm

fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-18.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-18.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-18.1.legacy.i386.rpm

------- Additional Comments From michal 2004-11-09 14:50:48 -------

The patch seems to be taken from an attachment to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138230

OTOH freshly released zip-2.3-26.2.src.rpm and zip-2.3-26.3.src.rpm for FC2 and FC3 respectively, which do not differ beyond a "recompiled" remark in specs, do that in a somewhat different way and also include other patches. zip-2.3-26.2.src.rpm recompiles without any changes, and works AFAICT, on RH7.3 so likely also on everything else in between. :-)

It is likely a good idea to use the same sources in "legacy" and change only release identifiers.

------- Additional Comments From rob.myers.edu 2004-11-10 06:31:43 -------

yes that is where the patch was from. i see that the patch they actually included in zip-2.3-26 is simpler, if not as flexible. i think both patches solve CAN-2004-1010. am i correct? if so which should we use? should we just use zip-2.3-2?

as far as the other patches in zip-2.3-26 are concerned:
- the near 4gb patch seems to be a feature enhancement
- the umask patch could be security relevant

i agree that if zip-2.3-26 works on rh73 it will work on everything else. let me know if i should just respin zip-2.3-26 for each of these architectures.

------- Additional Comments From rob.myers.edu 2004-11-10 07:33:17 -------

sorry, that should read: should we just use zip-2.3-26?

------- Additional Comments From rob.myers.edu 2004-11-16 06:56:13 -------

since no one has QA'd the others, might as well make it easy on them.
Here are updated zip packages to QA for rh73, rh90, and fc1:

- respun from the same FC2/FC3 src rpm; the only differences are the release numbers. following same methodology/reasoning as the unarj fix (bug #2272).
- CAN-2004-1010 should be fixed

changelogs:

rh73:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.3-26.1.0.7.3.legacy
- Rebuild for rh73 legacy
- resolves CAN-2004-1010 (FL #2255)

rh9:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.3-26.1.0.9.legacy
- Rebuild for rh9 legacy
- resolves CAN-2004-1010 (FL #2255)

fc1:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.3-26.1.1.legacy
- Rebuild for fc1 legacy
- resolves CAN-2004-1010 (FL #2255)

sha1sums:

rh73:
fb88642076f818b4cfdb8cb76b85a64667aee774  zip-2.3-26.1.0.7.3.legacy.i386.rpm
bd918003599add06373db5340ffcafbdc7f4c462  zip-2.3-26.1.0.7.3.legacy.src.rpm

rh9:
c3f82df55d9a4b8a6fec6f2eaa20c593db24741f  zip-2.3-26.1.0.9.legacy.i386.rpm
737ba866666c1fcdc8d5d96e195f9cea1dfe405d  zip-2.3-26.1.0.9.legacy.src.rpm
e170f485059437f38a01e21f3b0f2b8b75be1e5d  zip-debuginfo-2.3-26.1.0.9.legacy.i386.rpm

fc1:
841029ffdbce50d8bccdae1a8e60f2bb225c48aa  zip-2.3-26.1.1.legacy.i386.rpm
e667a0e9013d645441534eab4f94426ca4fb9ca3  zip-2.3-26.1.1.legacy.src.rpm
c76a2eba7ec8b4b48491c94eccaf294c782c854e  zip-debuginfo-2.3-26.1.1.legacy.i386.rpm

files:

rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.7.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.7.3.legacy.src.rpm

rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.9.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.9.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-26.1.0.9.legacy.i386.rpm

fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-26.1.1.legacy.i386.rpm

------- Additional Comments From pekkas 2004-12-15 02:16:53 -------

- ran rpm-build-compare against the binaries and source RPMS for RHL73/9/FC1; the backport from FC3 was OK, only version number and changelog changed.
- rebuild OK on RHL73/RHL9.
- installs and works OK on RHL73.

+PUBLISH 73,9,FC1

fb88642076f818b4cfdb8cb76b85a64667aee774  zip-2.3-26.1.0.7.3.legacy.i386.rpm
bd918003599add06373db5340ffcafbdc7f4c462  zip-2.3-26.1.0.7.3.legacy.src.rpm
c3f82df55d9a4b8a6fec6f2eaa20c593db24741f  zip-2.3-26.1.0.9.legacy.i386.rpm
737ba866666c1fcdc8d5d96e195f9cea1dfe405d  zip-2.3-26.1.0.9.legacy.src.rpm
e667a0e9013d645441534eab4f94426ca4fb9ca3  zip-2.3-26.1.1.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2004-12-18 06:55:27 -------

see https://rhn.redhat.com/errata/RHSA-2004-634.html

------- Additional Comments From marcdeslauriers 2004-12-18 09:18:28 -------

Pushed to updates-testing

------- Additional Comments From jimpop 2004-12-18 09:50:33 -------

+VERIFIED 73
0ff8f3d2abcd7534fbfaebd1aa3f4590  zip-2.3-26.1.0.7.3.legacy.i386.rpm

------- Additional Comments From mark.scott 2004-12-19 13:57:53 -------

SHA1sum: 9ef4498e118ca6b4a8f72b02fecde57924d51267  zip-2.3-26.1.1.legacy.i386.rpm

rpm --checksig -v reports all ok

Package installs fine on FC1. Test zip/unzip (using cd /usr/bin/; zip -r foo.zip *) worked fine.

Also tried exploit as given on web page below and it resulted in zip complaining about a path being too long, i.e.
zip is successfully fixed.

http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html

VERIFIED FC1

------- Additional Comments From mark.scott 2004-12-19 14:04:26 -------

Bugzilla broke above sig due to line wrapping the big para. I certify it was written by myself.

------- Additional Comments From madhatter 2004-12-19 20:47:25 -------

95966b2b9fdac8f17c74226c3c033b24dd6c9226  zip-2.3-26.1.0.9.legacy.i386.rpm

Package installs fine on RH9.

Test zip/unzip base functions:
cd mail/Archive/2004/11
zip /tmp/zipfile .
cd /tmp/foodir
unzip -t /tmp/zipfile.zip
unzip -x /tmp/zipfile.zip

Works fine.

+VERIFY RH9

------- Additional Comments From jimpop 2004-12-20 11:20:55 -------

+VERIFIED 73
0ff8f3d2abcd7534fbfaebd1aa3f4590  zip-2.3-26.1.0.7.3.legacy.i386.rpm

------- Additional Comments From deisenst 2005-01-06 13:00:18 -------

Although I note that this bug is posted in Dominic's issues.txt (revision 1.152) as already verified, am doing this anyway.
For the sake of completeness, in addition to verifying the binary updates-testing package, I did QA on Rob's zip FC1 src.rpm package in comment 5 (equivalent to the src.rpm package in updates-testing), just to make sure it compiles, installs, and runs well on FC1.

e667a0e9013d645441534eab4f94426ca4fb9ca3  zip-2.3-26.1.1.legacy.src.rpm

- sha1sum OK
- PGP signature okay
- source .tar.gz's = the ones in FC2's zip-2.3-26.2.src.rpm package at http://download.fedora.redhat.com/
- all patch files are same as those in FC2's .src.rpm
- spec file looks good; same as FC2's except for addition to changelog
- Builds OK.
- rpm-build-compare.sh script output looks good on .i386.rpm
- Installs fine.
- runs fine.

+PUBLISH FC1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verification on binary package in updates-testing:

2dcdfc8e6ac63e2b74cf7c781c078773e0265eb8  zip-2.3-26.1.1.legacy.src.rpm

- sha1sum OK
- PGP signature okay
- installs fine
- rpm-build-compare.sh script looks good (compared with zip-2.3-18.i386.rpm in FC1 base)
- runs fine.

+VERIFY FC1

-David

------- Additional Comments From deisenst 2005-01-06 14:08:51 -------

Oops. Ended up making a change to the .ASC file I submitted in comment 14 after already signing it. Please substitute the following signature for the one in comment 14 to verify it was signed by me. Thanks.
------- Additional Comments From dom 2005-01-08 16:17:15 -------

http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/2255-zip-draft.txt

------- Additional Comments From pekkas 2005-01-08 21:51:24 -------

The cross references and CVE names suffer from a cut-n-paste-o. The correct ones are:

Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=2255
CVE Names: CAN-2004-1010

Otherwise looks good.

------- Additional Comments From marcdeslauriers 2005-02-01 18:23:50 -------

Packages were released as updates.

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2255 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2255
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
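The bug class named in the CVE summary at the top of this thread (a fixed-size path buffer overrun while recursing into folders) and the "path too long" refusal mark.scott saw from the fixed package, shown as an added C illustration that is not Info-ZIP's code: the buffer size PATH_BUF and all function names here are assumptions, not values from the thread.

```c
#include <stddef.h>
#include <string.h>

/* Assumed fixed path buffer size for this illustration; not zip's own value. */
#define PATH_BUF 64

/* Unsafe pattern: the joined path is written into a fixed buffer with no
 * length check, so a long enough dir/name pair writes past the end of buf.
 * Kept only for contrast; nothing below calls it with overlong input. */
void join_path_unchecked(char *buf, const char *dir, const char *name)
{
    strcpy(buf, dir);
    strcat(buf, "/");
    strcat(buf, name);   /* overflows once strlen(dir)+1+strlen(name) >= buffer size */
}

/* Hardened form: measure first and refuse the entry if it cannot fit, leaving
 * buf untouched. Returns 0 on success, -1 for "path too long". */
int join_path_checked(char *buf, size_t bufsz, const char *dir, const char *name)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    /* need dir + '/' + name + NUL; the first two tests keep the sum from wrapping */
    if (dlen > bufsz || nlen > bufsz || dlen + 1 + nlen + 1 > bufsz)
        return -1;
    memcpy(buf, dir, dlen);
    buf[dlen] = '/';
    memcpy(buf + dlen + 1, name, nlen);
    buf[dlen + 1 + nlen] = '\0';
    return 0;
}

/* Length of dir/name after a checked join into a PATH_BUF buffer, 0 if refused. */
size_t joined_len(const char *dir, const char *name)
{
    char buf[PATH_BUF];
    return join_path_checked(buf, sizeof buf, dir, name) == 0 ? strlen(buf) : 0;
}

/* Simulates a recursive walk that appends `comp` up to `depth` times under
 * `root`. Returns how many levels fit before the checked join refused one. */
int walk_depth(const char *root, const char *comp, int depth)
{
    char cur[PATH_BUF], next[PATH_BUF];
    if (strlen(root) + 1 > sizeof cur)
        return -1;
    strcpy(cur, root);
    for (int d = 0; d < depth; d++) {
        if (join_path_checked(next, sizeof next, cur, comp) != 0)
            return d;            /* stop descending and report "path too long" */
        strcpy(cur, next);
    }
    return depth;
}
```

With a 64-byte buffer, walk_depth("src", "aaaaaaaaaa", 10) stops at 5 levels because the sixth join would need 70 bytes; the checked version reports that instead of corrupting the stack.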