Bug 152839 - CAN-2004-1010 zip long path buffer overflow
Summary: CAN-2004-1010 zip long path buffer overflow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.hexview.com/docs/20041103-...
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Blocks:
 
Reported: 2004-11-08 22:15 UTC by David Lawrence
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description David Lawrence 2005-03-30 23:29:15 UTC
Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using
recursive folder compression, allows remote attackers to execute arbitrary code
via a ZIP file containing a long pathname.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1010

Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138228
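An added illustration of the bug class described above (not Info-Zip's code and not from this bug report; PATH_BUF, the function names and the sample component names are constructed): a bounded path join that refuses an over-long entry instead of writing past the buffer, plus a loop that models how recursive directory compression grows the entry name until the check trips.

```c
#include <string.h>

/* Constructed, small on purpose so the limit is easy to hit (real tools use PATH_MAX) */
#define PATH_BUF 64

/* Writes "dir/name" into dst and returns 0, or sets dst to "" and returns -1
 * when dir + '/' + name + NUL would not fit in dstlen bytes.  The unchecked
 * pattern it replaces, strcpy(dst, dir); strcat(dst, "/"); strcat(dst, name);,
 * is the bug class behind CAN-2004-1010. */
int join_path_checked(char *dst, size_t dstlen, const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);
    /* the first two tests keep dl + nl + 2 from wrapping around */
    if (dstlen == 0 || dl >= dstlen || nl >= dstlen - dl || dl + nl + 2 > dstlen) {
        if (dstlen) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, dir, dl);
    dst[dl] = '/';
    memcpy(dst + dl + 1, name, nl + 1);   /* nl + 1 copies the NUL too */
    return 0;
}

/* Models a recursive archiver descending `depth` directories all named `comp`,
 * growing the entry name in a fixed PATH_BUF buffer.  Returns how many levels
 * fit before the check refuses the next one. */
int levels_that_fit(const char *comp, int depth)
{
    char path[PATH_BUF], next[PATH_BUF];
    int i;
    if (depth <= 0 || strlen(comp) >= sizeof path)
        return 0;
    strcpy(path, comp);                   /* bounded by the check above */
    for (i = 1; i < depth; i++) {
        if (join_path_checked(next, sizeof next, path, comp) != 0)
            return i;
        memcpy(path, next, sizeof path);
    }
    return depth;
}

/* Self-check: join "abc" and "def" with `room` bytes; 1 if joined correctly, 0 if refused */
int join_fits(size_t room)
{
    char buf[PATH_BUF];
    if (room > sizeof buf) room = sizeof buf;
    if (join_path_checked(buf, room, "abc", "def") != 0) return 0;
    return strcmp(buf, "abc/def") == 0;
}
```

With nine-character components, level k needs 10k bytes including the NUL, so six levels fit in the 64-byte buffer and the seventh is refused.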



------- Additional Comments From rob.myers.edu 2004-11-09 06:40:18 ----

 
Here are updated zip packages to QA for rh73, rh90, and fc1:
  
- - CAN-2004-1010 should be fixed
 
changelogs:
 
rh73:
* Tue Nov 09 2004 Rob Myers <rob.myers.edu> 2.3-12.1.legacy
- - apply patch for CAN-2004-1010 (FL #2255)
 
rh9:
* Tue Nov 09 2004 Rob Myers <rob.myers.edu> 2.3-16.1.legacy
- - apply patch for CAN-2004-1010 (FL #2255)
 
fc1:
* Tue Nov 09 2004 Rob Myers <rob.myers.edu> 2.3-18.1.legacy
- - apply patch for CAN-2004-1010 (FL #2255)
  
sha1sums:
 
rh73:
b4e594bb8d235dfbfb4e626cae67727a1fdeb594  zip-2.3-12.1.legacy.i386.rpm
4e14d0ce637f94b13001bb6335883602a92277ec  zip-2.3-12.1.legacy.src.rpm
 
rh9:
febd215e2e6eea0424530c22250c0d3761774cd2  zip-2.3-16.1.legacy.i386.rpm
8b4ec1a0ec6fc26fa0e8ba195322cca7fa51ab80  zip-2.3-16.1.legacy.src.rpm
838f11429d1b98fe630d1014036046a00892b59f  zip-debuginfo-2.3-16.1.legacy.i386.rpm
 
fc1:
f16d5636c9608cfbb025b9ed2b8c3b9fe6e7848f  zip-2.3-18.1.legacy.i386.rpm
3ad0f8ef9c5e7226fd6ec1739522d815c5f5123c  zip-2.3-18.1.legacy.src.rpm
3f418a2f47a60c7577405aa0d4b2eb8c51a7639b  zip-debuginfo-2.3-18.1.legacy.i386.rpm
  
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-12.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-12.1.legacy.i386.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-16.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-16.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-16.1.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-18.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-18.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-18.1.legacy.i386.rpm
 




------- Additional Comments From michal 2004-11-09 14:50:48 ----

The patch seems to be taken from an attachment to
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138230

OTOH freshly released zip-2.3-26.2.src.rpm and zip-2.3-26.3.src.rpm for
FC2 and FC3 respectively, and which do not differ beyond "recompiled" remark
in specs, do that in somewhat different way and also include other patches.

zip-2.3-26.2.src.rpm recompiles without any changes, and works AFAICT, on
RH7.3 so likely also on everything else in between. :-)  It is likely a good
idea to use the same sources in "legacy" and change only release identifiers.



------- Additional Comments From rob.myers.edu 2004-11-10 06:31:43 ----

yes that is where the patch was from.  i see that the patch they actually
included in zip-2.3-26 is simpler, if not as flexible.  i think both patches
solve CAN-2004-1010.  am i correct?  if so which should we use?  should we just
use zip-2.3-2?

as far as the other patches in zip-2.3-26 are concerned:

- the near 4gb patch seems to be a feature enhancement
- the umask patch could be security relevant

i agree that if zip-2.3-26 works on rh73 it will work on everything else.

let me know if i should just respin zip-2.3-26 for each of these architectures.




------- Additional Comments From rob.myers.edu 2004-11-10 07:33:17 ----

sorry, that should read:
should we just use zip-2.3-26?



------- Additional Comments From rob.myers.edu 2004-11-16 06:56:13 ----

since no one has QA'd the others, might as well make it easy on them.

 
Here are updated zip packages to QA for rh73, rh90, and fc1:
  
- - respun from the same FC2/FC3 src rpm; only difference are the
  release numbers.  following same methodology/reasoning as
  the unarj fix (bug #2272).
- - CAN-2004-1010 should be fixed
 
changelogs:
 
rh73:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.3-26.1.0.7.3.legacy
- - Rebuild for rh73 legacy
- - resolves CAN-2004-1010 (FL #2255)
 
rh9:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.3-26.1.0.9.legacy
- - Rebuild for rh9 legacy
- - resolves CAN-2004-1010 (FL #2255)
 
fc1:
* Tue Nov 16 2004 Rob Myers <rob.myers.edu> 2.3-26.1.1.legacy
- - Rebuild for fc1 legacy
- - resolves CAN-2004-1010 (FL #2255)
  
sha1sums:
 
rh73:
fb88642076f818b4cfdb8cb76b85a64667aee774  zip-2.3-26.1.0.7.3.legacy.i386.rpm
bd918003599add06373db5340ffcafbdc7f4c462  zip-2.3-26.1.0.7.3.legacy.src.rpm
 
rh9:
c3f82df55d9a4b8a6fec6f2eaa20c593db24741f  zip-2.3-26.1.0.9.legacy.i386.rpm
737ba866666c1fcdc8d5d96e195f9cea1dfe405d  zip-2.3-26.1.0.9.legacy.src.rpm
e170f485059437f38a01e21f3b0f2b8b75be1e5d  zip-debuginfo-2.3-26.1.0.9.legacy.i386.rpm
 
fc1:
841029ffdbce50d8bccdae1a8e60f2bb225c48aa  zip-2.3-26.1.1.legacy.i386.rpm
e667a0e9013d645441534eab4f94426ca4fb9ca3  zip-2.3-26.1.1.legacy.src.rpm
c76a2eba7ec8b4b48491c94eccaf294c782c854e  zip-debuginfo-2.3-26.1.1.legacy.i386.rpm
  
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.7.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.7.3.legacy.src.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.9.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.0.9.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-26.1.0.9.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-2.3-26.1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/zip-debuginfo-2.3-26.1.1.legacy.i386.rpm
 




------- Additional Comments From pekkas 2004-12-15 02:16:53 ----

 
- - ran rpm-build-compare against the binaries and source RPMS for RHL73/9/FC1;
  the backport from FC3 was OK, only version number and changelog changed.
- - rebuild OK on RHL73/RHL9.
- - installs and works OK on RHL73.
 
+PUBLISH 73,9,FC1
 
fb88642076f818b4cfdb8cb76b85a64667aee774  zip-2.3-26.1.0.7.3.legacy.i386.rpm
bd918003599add06373db5340ffcafbdc7f4c462  zip-2.3-26.1.0.7.3.legacy.src.rpm
c3f82df55d9a4b8a6fec6f2eaa20c593db24741f  zip-2.3-26.1.0.9.legacy.i386.rpm
737ba866666c1fcdc8d5d96e195f9cea1dfe405d  zip-2.3-26.1.0.9.legacy.src.rpm
e667a0e9013d645441534eab4f94426ca4fb9ca3  zip-2.3-26.1.1.legacy.src.rpm



------- Additional Comments From marcdeslauriers 2004-12-18 06:55:27 ----

see https://rhn.redhat.com/errata/RHSA-2004-634.html




------- Additional Comments From marcdeslauriers 2004-12-18 09:18:28 ----

Pushed to updates-testing



------- Additional Comments From jimpop 2004-12-18 09:50:33 ----

+VERIFIED 73

0ff8f3d2abcd7534fbfaebd1aa3f4590  zip-2.3-26.1.0.7.3.legacy.i386.rpm



------- Additional Comments From mark.scott 2004-12-19 13:57:53 ----



SHA1sum:
9ef4498e118ca6b4a8f72b02fecde57924d51267  zip-2.3-26.1.1.legacy.i386.rpm

rpm --checksig -v reports all ok

Package installs fine on FC1. Test zip/unzip (using cd /usr/bin/; zip -r foo.zip
*) worked fine. Also tried exploit as given on web page below and it resulted in
zip complaining about a path being too long, i.e. zip is successfully fixed.

http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html

VERIFIED FC1




------- Additional Comments From mark.scott 2004-12-19 14:04:26 ----


Bugzilla broke above sig due to line wrapping the big para.
I certify it was written by myself.




------- Additional Comments From madhatter 2004-12-19 20:47:25 ----

 
95966b2b9fdac8f17c74226c3c033b24dd6c9226 zip-2.3-26.1.0.9.legacy.i386.rpm
 
Package installs fine on RH9.
 
Test zip/unzip base functions
 cd mail/Archive/2004/11
 zip /tmp/zipfile .
 cd /tmp/foodir
 unzip -t /tmp/zipfile.zip
 unzip -x /tmp/zipfile.zip
Works fine.
 
+VERIFY RH9
 




------- Additional Comments From jimpop 2004-12-20 11:20:55 ----


+VERIFIED 73

0ff8f3d2abcd7534fbfaebd1aa3f4590  zip-2.3-26.1.0.7.3.legacy.i386.rpm




------- Additional Comments From deisenst 2005-01-06 13:00:18 ----

Although I note that this bug is posted in Dominic's issues.txt (revision 1.152)
as already verified, am doing this anyway.


For the sake of completeness, in addition to verifying the binary updates-
testing package, I did QA on Rob's zip FC1 src.rpm package in comment 5
(equivalent to the src.rpm package in updates-testing), just to make sure
it compiles, installs, and runs well on FC1.

e667a0e9013d645441534eab4f94426ca4fb9ca3  zip-2.3-26.1.1.legacy.src.rpm

  - sha1sum OK
  - PGP signature okay
  - source .tar.gz's = the ones in FC2's zip-2.3-26.2.src.rpm package at
    http://download.fedora.redhat.com/
  - all patch files are same as those in FC2's .src.rpm
  - spec file looks good; same as FC2's except for addition to changelog
  - Builds OK.
  - rpm-build-compare.sh script output looks good on .i386.rpm
  - Installs fine.
  - runs fine.

   +PUBLISH FC1

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verification on binary package in updates-testing:

2dcdfc8e6ac63e2b74cf7c781c078773e0265eb8  zip-2.3-26.1.1.legacy.src.rpm

   - sha1sum OK
   - PGP signature okay
   - installs fine
   - rpm-build-compares.sh script looks good (compared with zip-2.3-18.i386.rpm
     in FC1 base)
   - runs fine.

   +VERIFY FC1		-David





------- Additional Comments From deisenst 2005-01-06 14:08:51 ----

Oops.  Ended up making a change to the .ASC file I submitted in comment 14
after already signing it.

Please substitute the following signature for the one in comment 14 to verify
it was signed by me.  Thanks.




------- Additional Comments From dom 2005-01-08 16:17:15 ----

http://www-astro.physics.ox.ac.uk/~dom/legacy/advisories/2255-zip-draft.txt



------- Additional Comments From pekkas 2005-01-08 21:51:24 ----

The cross references and CVE names suffer from a cut-n-paste-o.  The correct
ones are:

Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2255
CVE Names:         CAN-2004-1010

Otherwise looks good.



------- Additional Comments From marcdeslauriers 2005-02-01 18:23:50 ----

Packages were released as updates.



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2255 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2255
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl.
Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.



