Bug 1174844 - (CVE-2014-8139) CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-2014-011)
CVE-2014-8139 unzip: CRC32 verification heap-based buffer overread (oCERT-201...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
Frantisek Sumsal
impact=low,public=20141222,reported=2...
: Security
Depends On: 1191118 1196120 1196121 1196122 1196123
Blocks: 1174865
  Show dependency treegraph
 
Reported: 2014-12-16 10:24 EST by Tomas Hoger
Modified: 2015-11-25 05:27 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-18 17:11:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch (1.69 KB, patch)
2014-12-16 10:26 EST, Tomas Hoger
no flags Details | Diff
patch for fedora (1.70 KB, patch)
2014-12-22 07:06 EST, pstodulk
no flags Details | Diff
Corrected upstream patch (1.73 KB, patch)
2015-02-09 14:46 EST, Tomas Hoger
no flags Details | Diff
last corrected upstream patch (3.32 KB, patch)
2015-02-10 10:51 EST, pstodulk
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 1360443 None None None Never

  None (edit)
Description Tomas Hoger 2014-12-16 10:24:35 EST
oCERT reports unzip flaw discovered by Michele Spagnuolo, Google Security Team.

"""
I would like to report a heap overflow condition in the CRC32 verification
of unzip, which may result in arbitrary code execution.

It can be triggered by passing a maliciously crafted zip files to unzip -t
(version 6.00, both InfoZip and Debian).

Patches:

The problem was an unrealistic/invalid value in a .ZIP Extra Field.  There was
a check (in extract.c:TestExtraField()) for an extra-block length that was too
large, but no check for a too-small value.  In this example, the length
(ebLen) was 1, and when "(ebLen-4)" was passed to crc32(), bad things
happened.

A revised extract.c (which adds a new check and error message) should be
available here:

      http://antinode.info/ftp/unzip60/extract.c
"""

Acknowledgement:

Red Hat would like to thank oCERT for reporting these issues. oCERT acknowledges Michele Spagnuolo of the Google Security Team as the original reporter.
Comment 2 Tomas Hoger 2014-12-16 10:26:48 EST
Created attachment 969598 [details]
Upstream patch

Upstream fix, as described in comment 0.
Comment 4 pstodulk 2014-12-22 07:06:21 EST
Created attachment 971984 [details]
patch for fedora

Original patch has wrong metadadata - '--- extract.c;-1'. Corrected file with and added paths suitable for our package on Fedora/RHEL.
Comment 5 Huzaifa S. Sidhpurwala 2014-12-22 10:50:23 EST
External Reference:

http://www.ocert.org/advisories/ocert-2014-011.html
Comment 6 Andrew Gallagher 2015-01-16 00:51:52 EST
Sorry if I'm mistaken, but I think this patch is causing "unzip -t" to now fail on executable JARs, which added the additional executable-jar extra field (http://stackoverflow.com/tags/executable-jar/info).

With this patch, extra fields that list a length of zero fail:

$ touch foo
$ jar cvf foo.jar foo
$ unzip -t foo.jar
Archive:  foo.jar
    testing: META-INF/               bad extra-field entry:
      EF block length (0 bytes) invalid (< 4)
    testing: META-INF/MANIFEST.MF     OK
    testing: foo                      OK
At least one error was detected in foo.jar.

Looking at the patch, it seems wrong since I *think* the spec allows this (but I wasn't sure of this).
Comment 9 Tomas Hoger 2015-02-09 14:45:11 EST
(In reply to Andrew Gallagher from comment #6)
> Sorry if I'm mistaken, but I think this patch is causing "unzip -t" to now
> fail on executable JARs, which added the additional executable-jar extra
> field (http://stackoverflow.com/tags/executable-jar/info).

Upstream report of the issue is:

http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=454

Upstream acknowledged that the patch was incorrect and changed it to only perform the underflow check for the affected extra field type.  I will attach updated patch version, based on the extract.c version linked from the upstream forum.
Comment 10 Tomas Hoger 2015-02-09 14:46:28 EST
Created attachment 989833 [details]
Corrected upstream patch
Comment 11 Tomas Hoger 2015-02-09 15:01:12 EST
The original report suggests code execution impact, but that does not seem to be correct.  As reported, there is and integer underflow triggered by extra field of type EF_PKVMS and with length value less than 4 (i.e. 0-3).  This leads to crc32() function called with length argument close to 2^32 (regardless of the system architecture), and leads to buffer over-read.  This over-read is long - it will trigger crash on 32bit systems, and is likely to trigger crash on 64bit systems as well.  As values read from the buffer are used to compute CRC value and are not copied to some other buffer, this does not corrupt memory, and hence does not have code execution impact.

Affected code is only reached when running unzip in the test mode (unzip -t), but not when extracting zip archives.
Comment 12 Tomas Hoger 2015-02-10 08:36:55 EST
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1191118]
Comment 13 pstodulk 2015-02-10 10:51:28 EST
Created attachment 990132 [details]
last corrected upstream patch

This is upstream patch which is part of last devel version. There are aesthetic (more readable) changes.
Comment 14 Fedora Update System 2015-02-15 22:25:42 EST
unzip-6.0-20.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-02-23 18:25:16 EST
unzip-6.0-17.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Martin Prpic 2015-02-25 05:25:05 EST
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates in Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/
Comment 21 Dave Sullivan 2015-03-17 09:15:31 EDT
Hi Tomas,

Can you be more specific on comment #11?

I'm assuming by crash you mean userspace unzip crash and not system crash.

I'm fairly certain that is what you are inferring but figured I'd ask anyway.

Thanks,

Dave
Comment 22 errata-xmlrpc 2015-03-18 14:59:10 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0700 https://rhn.redhat.com/errata/RHSA-2015-0700.html

Note You need to log in before you can comment on or make changes to this bug.