Bug 431438 - (CVE-2008-0888) CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer
CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 436530 436531 437927
  Show dependency treegraph
Reported: 2008-02-04 10:16 EST by Tomas Hoger
Modified: 2010-02-24 00:41 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-25 04:27:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch against 5.5.2 proposed by Tavis (1.36 KB, patch)
2008-02-04 10:20 EST, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-02-04 10:16:58 EST
Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() memory block pointed to by uninitialized pointer or memory block, which
was already freed.  This can cause unzip to crash (SEGV) during extraction of
malicious zip file, possibly allowing code execution.

Further details from Tavis:

  the inflate_dynamic() routine (~978, inflate.c) uses a macro
  NEEDBITS() that jumps execution to a cleanup routine on error, this
  routine attempts to free() two buffers allocated during the inflate
  process. At certain locations, the NEEDBITS() macro is used while the
  pointers are not pointing to valid buffers, they are either
  uninitialised or pointing inside a block that has already been free()d
  (ie, not pointing at the block, but at a location inside it).


Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
Comment 2 Tomas Hoger 2008-02-04 10:20:50 EST
Created attachment 293893 [details]
Patch against 5.5.2 proposed by Tavis
Comment 3 Josh Bressers 2008-03-07 08:35:22 EST
This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.
Comment 8 Tomas Hoger 2008-03-18 03:55:10 EDT
Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client
application DoS, which is not considered a security issue.  I've filed tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.
Comment 9 Red Hat Product Security 2008-07-25 04:27:58 EDT
This issue was addressed in:

Red Hat Enterprise Linux:

Note You need to log in before you can comment on or make changes to this bug.