Bug 688735 - (CVE-2011-0421) CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate()
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20110130,reported=20110317,sou...
Keywords: Security
Depends On: 688940 688941 688942
Blocks:
Reported: 2011-03-17 17:10 EDT by Vincent Danen
Modified: 2015-08-19 05:08 EDT
CC: 9 users
Doc Type: Bug Fix
Last Closed: 2011-04-05 16:08:03 EDT
Attachments: None
Description Vincent Danen 2011-03-17 17:10:52 EDT
It was reported that ZipArchive() would segfault when opening an empty archive with the FL_UNCHANGED flag set [1].  This is corrected in upstream PHP 5.3.6 [2],[3].

[1] http://bugs.php.net/bug.php?id=53885
[2] http://www.php.net/ChangeLog-5.php#5.3.6
[3] http://svn.php.net/viewvc/?view=revision&revision=307867
Comment 1 Vincent Danen 2011-03-17 17:20:23 EDT
I don't believe this is something that would be exploitable under normal circumstances.

For one, the only reference I can find to this FL_UNCHANGED flag is in ZipArchive::getNameIndex():

http://php.net/manual/en/function.ziparchive-getnameindex.php

The reproducers noted in the bug use ZipArchive::locateName(), and FL_UNCHANGED is not a documented flag there:

http://php.net/manual/en/function.ziparchive-locatename.php

The reproducers are:

PoC1:
php -r '$nx=new
ZipArchive();$nx->open("/dev/null");$nx->locateName("a",ZIPARCHIVE::FL_UNCHANGED);'

PoC2:
php -r '$nx=new
ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'

I have a hard time believing something like this would be a problem in normal use, and it can certainly be mitigated by making sure that the file is not 0 bytes (a sensible thing to test for on uploaded files anyways).  For instance:

% echo 1 >empty.zip
% php -r '$nx=new  
ZipArchive();$nx->open("empty.zip");$nx->statName("a",ZIPARCHIVE::FL_UNCHANGED);'
PHP Warning:  ZipArchive::statName(): Invalid or unitialized Zip object in Command line code on line 2

This also would only affect Red Hat Enterprise Linux 6 and Fedora as earlier versions of PHP do not have this functionality.
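The mitigation suggested in the comment above (reject zero-byte files before libzip sees them, and check the result of open() before calling statName()/locateName()) as an added PHP example; this is not code from the bug report or from PHP/libzip, and the function name safeZipLocate and its parameters are hypothetical:

```php
<?php
// Added example (not from the bug report): a defensive wrapper around
// ZipArchive that applies the mitigation described in Comment 1.
// Function and parameter names are hypothetical.

function safeZipLocate(string $path, string $entryName): ?int
{
    // Reject missing or zero-byte files up front; an empty archive is the
    // input that triggers the crash with FL_UNCHANGED in affected versions,
    // and an empty upload is never a valid zip anyway.
    if (!is_file($path) || filesize($path) === 0) {
        return null;
    }

    $zip = new ZipArchive();
    // ZipArchive::open() returns true on success and an integer error code
    // (for example ZipArchive::ER_NOZIP) on failure; only true is success.
    $rc = $zip->open($path, ZipArchive::CHECKCONS);
    if ($rc !== true) {
        return null;
    }

    // Use the documented default flags only; FL_UNCHANGED from the
    // reproducers is not needed for a plain name lookup.
    $index = $zip->locateName($entryName);
    $zip->close();

    return $index === false ? null : $index;
}

// Usage with a constructed zero-byte file: tempnam() creates an empty file,
// so the wrapper rejects it before ZipArchive::open() is ever called.
$tmp = tempnam(sys_get_temp_dir(), 'zip');
var_dump(safeZipLocate($tmp, 'a'));   // NULL
unlink($tmp);
```

The size check is the cheap, version-independent part of the defence and belongs in upload handling regardless of which libzip is installed; the strict `=== true` comparison on open() matters because the error codes it returns on failure are non-zero integers and would otherwise be treated as truthy.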
Comment 2 Vincent Danen 2011-03-18 11:28:24 EDT
This also would affect libzip, mingw32-libzip, and openlierox (the latter contains an embedded libzip, although it is linked to the system libzip so probably does not require a patch).  Not too much requires libzip, so this is probably just as "major" there as it is for PHP (abrt-plugin-filetransfer uses libzip, but I suspect to create zip files for uploading, ebook-tools/ebook-tools-libs and fuse-zip also require it; I suspect the problematic package there would be fuse-zip).

I'm going to add trackers for libzip and mingw32-libzip.
Comment 3 Vincent Danen 2011-03-18 11:31:45 EDT
Created php tracking bugs for this issue

Affects: fedora-all [bug 688940]
Comment 4 Vincent Danen 2011-03-18 11:31:49 EDT
Created libzip tracking bugs for this issue

Affects: fedora-all [bug 688941]
Comment 5 Vincent Danen 2011-03-18 11:31:52 EDT
Created mingw32-libzip tracking bugs for this issue

Affects: fedora-all [bug 688942]
Comment 6 Vincent Danen 2011-03-18 11:36:06 EDT
An additional link with further information:

http://securityreason.com/achievement_securityalert/96
Comment 7 Jan Lieskovsky 2011-03-28 16:05:49 EDT
This issue did NOT affect the versions of the php package, as shipped
with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the php53 package, as shipped with
Red Hat Enterprise Linux 5.

This issue affects the version of the php package, as shipped with
Red Hat Enterprise Linux 6.
Comment 9 Josh Bressers 2011-04-05 16:08:03 EDT
I'm closing this as WONTFIX. Nothing shipped in Red Hat Enterprise Linux uses this option. Google code search shows that almost no applications use it ever (the list is very small and obscure).

Given this can only crash an application, we will not be fixing this bug as a security flaw.
Comment 10 Vincent Danen 2012-08-16 13:56:24 EDT
This was fixed in libzip 0.10 (see http://www.nih.at/libzip/NEWS.html).  Fedora 17+ have this, Fedora 16 still ships 0.9.
