Bug 802564 - (CVE-2012-1162) CVE-2012-1162 libzip: heap overflow flaw when processing malformed zip file
CVE-2012-1162 libzip: heap overflow flaw when processing malformed zip file
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120320,repor...
: Security
Depends On: 805102 805104
Blocks: 802568
  Show dependency treegraph
 
Reported: 2012-03-12 17:09 EDT by Vincent Danen
Modified: 2015-04-07 04:20 EDT (History)
5 users (show)

See Also:
Fixed In Version: libzip 0.10.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-04-16 10:54:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-03-12 17:09:03 EDT
A heap overflow vulnerability was reported in libzip <= 0.10 when processing certain corrupt zip files.  When libzip opens a zip file, it allocates memory based on the number of directory entries, however ue to an incorrect loop construct in lib/zip_open.c, if the number of directories in the file is set to 0, no memory would be allocated, which could cause libzip to write beyond the allocated memory.

This has already been corrected upstream [1].

[1] http://hg.nih.at/libzip/?cs=906bcce2bc13


Acknowledgements:

Red Hat would like to thank Timo Warns for reporting this issue.
Comment 1 Vincent Danen 2012-03-12 17:10:26 EDT
While this flaw has been fixed in the upstream repository, no release has been made that includes it, and the extent of the flaw was not discovered until now.
Comment 2 Vincent Danen 2012-03-20 10:48:58 EDT
This is now public:

http://nih.at/listarchive/libzip-discuss/msg00252.html
Comment 3 Vincent Danen 2012-03-20 10:53:42 EDT
Created php tracking bugs for this issue

Affects: fedora-all [bug 805104]
Comment 4 Vincent Danen 2012-03-20 10:53:46 EDT
Created libzip tracking bugs for this issue

Affects: fedora-all [bug 805102]
Comment 8 Stefan Cornelius 2012-03-28 00:26:09 EDT
The vulnerability was introduced by patch http://hg.nih.at/libzip/?cs=de747816d94c in version 0.10.

Statement:

Not vulnerable. This issue did not affect the versions of libzip and php as shipped with Red Hat Enterprise Linux 6. This issue did not affect the versions of php53 as shipped with Red Hat Enterprise Linux 5.
Comment 9 Fedora Update System 2012-04-11 22:48:11 EDT
libzip-0.10.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Stefan Cornelius 2012-04-16 10:54:07 EDT
Vulnerability was introduced in a version later than shipped with F15 and F16. F17 now ships version 0.10.1, which fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.