Bug 1597486 (CVE-2018-12913) - CVE-2018-12913 miniz: Infinite loop in tinfl_decompress() allows for denial of service via crafted file
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-12913
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1597487 1597488 1597489
Blocks:
Reported: 2018-07-03 04:10 UTC by Sam Fowler
Modified: 2022-11-01 11:42 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:31:28 UTC
Embargoed:



Description Sam Fowler 2018-07-03 04:10:42 UTC
Miniz through version 2.0.7 has an infinite loop in the tinfl_decompress() function. An attacker could exploit this to cause a denial of service via a crafted file.


Upstream Issue:

https://github.com/richgel999/miniz/issues/90

Comment 1 Sam Fowler 2018-07-03 04:11:08 UTC
Created miniz tracking bugs for this issue:

Affects: epel-all [bug 1597488]
Affects: fedora-all [bug 1597487]

Comment 3 Sam Fowler 2018-07-03 04:34:25 UTC
Reproduced with miniz-1.15-7.r4.fc27.x86_64:

sh-4.4# gdb -q example3 
Reading symbols from example3...done.
(gdb) r d dos-an-infinite-loop-miniz_tinfl-c-398.poc out
Starting program: /builddir/example3 d dos-an-infinite-loop-miniz_tinfl-c-398.poc out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
miniz.c version: 9.1.15
Mode: d, Level: 9
Input File: "dos-an-infinite-loop-miniz_tinfl-c-398.poc"
Output File: "out"
Input file size: 16384
^C
Program received signal SIGINT, Interrupt.
0x00007ffff6c1402f in tinfl_decompress (r=r@entry=0x62e000000400, pIn_buf_next=<optimized out>, pIn_buf_size=pIn_buf_size@entry=0x7fffffffe328, 
    pOut_buf_start=pOut_buf_start@entry=0x62e000002f0c "", pOut_buf_next=<optimized out>, pOut_buf_size=pOut_buf_size@entry=0x7fffffffe330, decomp_flags=<optimized out>) at miniz.c:1586
1586	miniz.c: No such file or directory.
Missing separate debuginfos, use: dnf debuginfo-install libasan-7.3.1-5.fc27.x86_64 libgcc-7.3.1-5.fc27.x86_64 libstdc++-7.3.1-5.fc27.x86_64
(gdb) bt
#0  0x00007ffff6c1402f in tinfl_decompress (r=r@entry=0x62e000000400, pIn_buf_next=<optimized out>, pIn_buf_size=pIn_buf_size@entry=0x7fffffffe328, 
    pOut_buf_start=pOut_buf_start@entry=0x62e000002f0c "", pOut_buf_next=<optimized out>, pOut_buf_size=pOut_buf_size@entry=0x7fffffffe330, decomp_flags=<optimized out>) at miniz.c:1586
#1  0x00007ffff6c15658 in mz_inflate (pStream=0x7fffffffe410, flush=<optimized out>) at miniz.c:1271
#2  0x0000000000401a62 in main (argc=4, argv=0x7fffffffe5b8) at example3.c:221

sh-4.4# ./example3 d dos-an-infinite-loop-miniz_tinfl-c-398.poc out &>/dev/null &
[1] 128
sh-4.4# ps aux | grep example3
root       128 68.5  0.0 21474916484 10188 ?   R    14:32   0:08 ./example3 d dos-an-infinite-loop-miniz_tinfl-c-398.poc out # Note CPU and virtual memory
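The reproduction above shows the symptom a consumer of an affected miniz would see in production: a decoder that never returns, pinning a core for as long as the process is left alone. As an added example that is not part of this bug report and not miniz's own code, the following Linux/POSIX harness shows the mitigation pattern a defender can apply around any untrusted decompression step while upstream leaves the loop unfixed: run the decoder in a forked child under RLIMIT_CPU (and optionally RLIMIT_AS), so a stuck decoder is killed by the kernel and the parent gets a classified result instead of hanging. The names run_bounded, spinning_decoder and well_behaved_decoder are this example's own; spinning_decoder is a constructed stand-in that mimics the symptom, not the tinfl_decompress() code path.

```c
/* Added example (not from the bug report or from miniz): run an untrusted
 * decompression step in a forked child under a CPU-time rlimit so that a
 * decoder stuck in an infinite loop is terminated by the kernel instead of
 * pinning a core indefinitely. Linux/POSIX only. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum {
    RUN_OK = 0,        /* worker returned normally with exit status 0 */
    RUN_FAILED,        /* worker exited with a non-zero status */
    RUN_CPU_EXCEEDED,  /* killed by SIGXCPU (or SIGKILL at the hard limit) */
    RUN_CRASHED,       /* killed by some other signal */
    RUN_ERROR          /* fork/wait failed in the parent */
} run_result;

typedef int (*worker_fn)(void *arg);

/* Fork, apply limits in the child, run the worker, and classify how it ended.
 * cpu_seconds: RLIMIT_CPU soft limit; the hard limit is one second higher so
 * SIGKILL follows if the worker ignores SIGXCPU. max_as_bytes: RLIMIT_AS,
 * 0 leaves the address-space limit unchanged. */
run_result run_bounded(worker_fn worker, void *arg,
                       unsigned cpu_seconds, unsigned long max_as_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return RUN_ERROR;

    if (pid == 0) {
        struct rlimit rl = { .rlim_cur = cpu_seconds, .rlim_max = cpu_seconds + 1 };
        if (setrlimit(RLIMIT_CPU, &rl) != 0)
            _exit(127);
        if (max_as_bytes) {
            struct rlimit as = { .rlim_cur = max_as_bytes, .rlim_max = max_as_bytes };
            if (setrlimit(RLIMIT_AS, &as) != 0)
                _exit(127);
        }
        _exit(worker(arg) == 0 ? 0 : 1);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return RUN_ERROR;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? RUN_OK : RUN_FAILED;
    if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
        return (sig == SIGXCPU || sig == SIGKILL) ? RUN_CPU_EXCEEDED : RUN_CRASHED;
    }
    return RUN_ERROR;
}

/* Constructed stand-in for a decoder that makes no progress on a crafted
 * input; it only reproduces the symptom (busy loop), not miniz's logic. */
int spinning_decoder(void *arg)
{
    volatile unsigned long counter = 0;
    (void)arg;
    for (;;)
        counter++;
    return 0;
}

/* Constructed stand-in for a decoder that finishes normally. */
int well_behaved_decoder(void *arg) { (void)arg; return 0; }

int main(void)
{
    run_result r = run_bounded(spinning_decoder, NULL, 1, 512UL << 20);
    printf("spinning decoder: %s\n",
           r == RUN_CPU_EXCEEDED ? "terminated by CPU limit" : "unexpected result");
    r = run_bounded(well_behaved_decoder, NULL, 1, 512UL << 20);
    printf("well-behaved decoder: %s\n", r == RUN_OK ? "ok" : "unexpected result");
    return 0;
}
```

The real decoder call (for miniz, the mz_inflate() loop shown in the backtrace) would go where spinning_decoder runs; the result classification lets the caller log a RUN_CPU_EXCEEDED event per input, which is also a usable detection signal for crafted files. Pick the CPU budget from the legitimate worst case for your input sizes, and leave RLIMIT_AS at 0 when the child runs under a sanitizer, since the sanitizer's shadow mappings (the large VSZ in the ps output above) would trip it.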

Comment 5 Petr Pisar 2021-08-11 12:27:29 UTC
2.2.0 is still affected. Upstream cannot understand that a bogus archive is a vulnerability in the code.

Comment 6 Petr Pisar 2022-11-01 11:42:31 UTC
3.0.0 is still affected.

