Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() memory block pointed to by uninitialized pointer or memory block, which
was already freed. This can cause unzip to crash (SEGV) during extraction of
malicious zip file, possibly allowing code execution.
Further details from Tavis:
the inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error, this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers, they are either
uninitialised or pointing inside a block that has already been free()d
(ie, not pointing at the block, but at a location inside it).
Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
Created attachment 293893 [details]
Patch against 5.5.2 proposed by Tavis
This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.
Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client
application DoS, which is not considered a security issue. I've filed tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.
This issue was addressed in:
Red Hat Enterprise Linux: