Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to free() memory block pointed to by uninitialized pointer or memory block, which was already freed. This can cause unzip to crash (SEGV) during extraction of malicious zip file, possibly allowing code execution. Further details from Tavis: the inflate_dynamic() routine (~978, inflate.c) uses a macro NEEDBITS() that jumps execution to a cleanup routine on error, this routine attempts to free() two buffers allocated during the inflate process. At certain locations, the NEEDBITS() macro is used while the pointers are not pointing to valid buffers, they are either uninitialised or pointing inside a block that has already been free()d (ie, not pointing at the block, but at a location inside it). Acknowledgements: Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
Created attachment 293893 [details] Patch against 5.5.2 proposed by Tavis
This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not allow a free on an invalid pointer.
Public now: http://taviso.decsystem.org/research.html https://issues.rpath.com/browse/RPL-2317 http://marc.info/?l=full-disclosure&m=120579856512587&w=4
Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client application DoS, which is not considered a security issue. I've filed tracking bug for rawhide, so that this issue is addressed in future Fedora and Red Hat Enterprise Linux versions.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0196.html