Bug 688735 (CVE-2011-0421) - CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate()
Summary: CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on empty archive in zip_...
Alias: CVE-2011-0421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 688940 688941 688942
TreeView+ depends on / blocked
Reported: 2011-03-17 21:10 UTC by Vincent Danen
Modified: 2019-09-29 12:43 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-04-05 20:08:03 UTC

Attachments (Terms of Use)

Description Vincent Danen 2011-03-17 21:10:52 UTC
It was reported that ZipArchive() would segfault when opening an empty archive with the FL_UNCHANGED flag set [1].  This is corrected in upstream PHP 5.3.6 [2],[3].

[1] http://bugs.php.net/bug.php?id=53885
[2] http://www.php.net/ChangeLog-5.php#5.3.6
[3] http://svn.php.net/viewvc/?view=revision&revision=307867

Comment 1 Vincent Danen 2011-03-17 21:20:23 UTC
I don't believe this is something that would be exploitable under normal circumstances.

For one, the only reference I can find to this FL_UNCHANGED flag is in ZipArchve::getNameIndex():


The reproducers noted in the bug use ZipArchive::locateName(), and FL_UNCHANGED is not a documented flag there:


The reproducers are:

php -r '$nx=new

php -r '$nx=new

I have a hard time believing something like this would be a problem in normal use, and it can certainly be mitigated by making sure that the file is not 0 bytes (a sensible thing to test for on uploaded files anyways).  For instance:

% echo 1 >empty.zip
% php -r '$nx=new  
PHP Warning:  ZipArchive::statName(): Invalid or unitialized Zip object in Command line code on line 2

This also would only affect Red Hat Enterprise Linux 6 and Fedora as earlier versions of PHP do not have this functionality.

Comment 2 Vincent Danen 2011-03-18 15:28:24 UTC
This also would affect libzip, mingw32-libzip, and openlierox (the latter contains an embedded libzip, although it is linked to the system libzip so probably does not require a patch).  Not too much requires libzip, so this is probably just as "major" there as it is for PHP (abrt-plugin-filetransfer uses libzip, but I suspect to create zip files for uploading, ebook-tools/ebook-tools-libs and fuse-zip also require it; I suspect the problematic package there would be fuse-zip).

I'm going to add trackers for libzip and mingw32-libzip.

Comment 3 Vincent Danen 2011-03-18 15:31:45 UTC
Created php tracking bugs for this issue

Affects: fedora-all [bug 688940]

Comment 4 Vincent Danen 2011-03-18 15:31:49 UTC
Created libzip tracking bugs for this issue

Affects: fedora-all [bug 688941]

Comment 5 Vincent Danen 2011-03-18 15:31:52 UTC
Created mingw32-libzip tracking bugs for this issue

Affects: fedora-all [bug 688942]

Comment 6 Vincent Danen 2011-03-18 15:36:06 UTC
An additional link with further information:


Comment 7 Jan Lieskovsky 2011-03-28 20:05:49 UTC
This issue did NOT affect the versions of the php package, as shipped
with Red Hat Enterprise Linux 4 and 5.


This issue affects the version of the php53 package, as shipped with
Red Hat Enterprise Linux 5.

This issue affects the version of the php package, as shipped with
Red Hat Enterprise Linux 6.

Comment 9 Josh Bressers 2011-04-05 20:08:03 UTC
I'm closing this as WONTFIX. Nothing shipped in Red Hat Enterprise Linux uses this option. Google code search shows that almost no applications use it ever (the list if very small and obscure).

Given this can only crash an application, we will not be fixing this bug as a security flaw.

Comment 10 Vincent Danen 2012-08-16 17:56:24 UTC
This was fixed in libzip 0.10 (see http://www.nih.at/libzip/NEWS.html).  Fedora 17+ have this, Fedora 16 still ships 0.9.

Note You need to log in before you can comment on or make changes to this bug.