Bug 431438 (CVE-2008-0888) - CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer
Summary: CVE-2008-0888 unzip: free() called for uninitialized or already freed pointer
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-0888
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 436530 436531 437927
Blocks:
Reported: 2008-02-04 15:16 UTC by Tomas Hoger
Modified: 2023-05-11 12:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-25 08:27:58 UTC
Embargoed:


Attachments
Patch against 5.5.2 proposed by Tavis (1.36 KB, patch)
2008-02-04 15:20 UTC, Tomas Hoger


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0196 0 normal SHIPPED_LIVE Moderate: unzip security update 2008-03-18 19:34:00 UTC

Description Tomas Hoger 2008-02-04 15:16:58 UTC
Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to
free() a memory block pointed to by an uninitialized pointer, or a memory block
which was already freed.  This can cause unzip to crash (SEGV) during extraction
of a malicious zip file, possibly allowing code execution.

Further details from Tavis:

  The inflate_dynamic() routine (~978, inflate.c) uses a macro
  NEEDBITS() that jumps execution to a cleanup routine on error; this
  routine attempts to free() two buffers allocated during the inflate
  process. At certain locations, the NEEDBITS() macro is used while the
  pointers are not pointing to valid buffers; they are either
  uninitialised or pointing inside a block that has already been free()d
  (i.e., not pointing at the block, but at a location inside it).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.
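
The cleanup-label pattern described in Tavis's details, as an added example that is not part of this bug report and is neither unzip's code nor the attached patch: a toy decoder whose hypothetical NEED_BITS() macro jumps to a single cleanup label, written in the hardened shape where each table pointer is NULL whenever it does not own a block. All names (bitsrc, NEED_BITS, decode_block, frees_done) and the bit counts are constructed for illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed bit source: NEED_BITS() fails once `avail` bits are used up. */
struct bitsrc { size_t avail; };

/* Hypothetical stand-in for a NEEDBITS-style macro: on input underrun it
 * jumps to the enclosing function's single cleanup label. */
#define NEED_BITS(s, n) \
    do { if ((s)->avail < (size_t)(n)) { rc = -1; goto cleanup; } \
         (s)->avail -= (size_t)(n); } while (0)

/* Hardened shape: both table pointers are NULL whenever they do not own a
 * block, so the cleanup label is safe to reach from every NEED_BITS() site.
 * The flawed shape from the report would leave `tl`/`td` uninitialized at
 * the first jump and stale after the early free().
 * `frees_done` is instrumentation only: it counts free() calls. */
int decode_block(struct bitsrc *s, int *frees_done)
{
    int rc = 0;
    unsigned char *tl = NULL;   /* literal/length table (toy) */
    unsigned char *td = NULL;   /* distance table (toy) */

    NEED_BITS(s, 14);           /* error here: nothing allocated yet */
    tl = malloc(64);
    if (tl == NULL) { rc = -2; goto cleanup; }
    NEED_BITS(s, 8);            /* error here: only tl is live */

    free(tl);                   /* temporary table released early ... */
    tl = NULL;                  /* ... so forget it before the next jump */
    ++*frees_done;
    NEED_BITS(s, 8);            /* error here: tl was already freed */

    tl = malloc(64);
    td = malloc(64);
    if (tl == NULL || td == NULL) { rc = -2; goto cleanup; }
    NEED_BITS(s, 8);            /* error here: both tables are live */

cleanup:
    if (tl != NULL) { free(tl); ++*frees_done; }
    if (td != NULL) { free(td); ++*frees_done; }
    return rc;
}
```

Truncating the constructed input at 0, 14, 22 or 30 bits reaches the cleanup label from each of the four NEED_BITS() sites in turn; in every case each allocated block is freed exactly once.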

Comment 2 Tomas Hoger 2008-02-04 15:20:50 UTC
Created attachment 293893
Patch against 5.5.2 proposed by Tavis

Comment 3 Josh Bressers 2008-03-07 13:35:22 UTC
This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not
allow a free on an invalid pointer.

Comment 8 Tomas Hoger 2008-03-18 07:55:10 UTC
Issue is also caught on Fedora 7/8 by malloc/free checks, only causing client
application DoS, which is not considered a security issue.  I've filed a tracking
bug for rawhide, so that this issue is addressed in future Fedora and Red Hat
Enterprise Linux versions.

Comment 9 Red Hat Product Security 2008-07-25 08:27:58 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0196.html



