Bug 1192603 (CVE-2015-1315) - CVE-2015-1315 unzip: charset_to_intern() buffer overflow
Summary: CVE-2015-1315 unzip: charset_to_intern() buffer overflow
Alias: CVE-2015-1315
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1192604
TreeView+ depends on / blocked
Reported: 2015-02-13 20:08 UTC by Tomas Hoger
Modified: 2023-05-12 07:47 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-13 20:31:50 UTC

Attachments (Terms of Use)
Vulnerable function (710 bytes, text/plain)
2015-02-13 20:12 UTC, Tomas Hoger
no flags Details
Ubuntu patch (788 bytes, patch)
2015-02-16 07:36 UTC, Tomas Hoger
no flags Details | Diff
Fixed version of 06-unzip60-alt-iconv-utf8 (14.02 KB, patch)
2015-02-16 07:38 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2015-02-13 20:08:35 UTC
William Robinet reports:

Info-ZIP "UnZip" is an extraction utility for archives compressed in ".zip"

Out-of-bounds write can be triggered with a malformed zip file resulting in a
crash or arbitrary code execution.

The problem lies in the "unix/unix.c:charset_to_intern()" function which is
part of the 06-unzip60-alt-iconv-utf8 patch (Ubuntu reference [0]).

It can be triggered during string conversion from CP866 to UTF-8 for which the
destination buffer is not large enough.

[0] Ubuntu iconv patch:
    file debian/patches/06-unzip60-alt-iconv-utf8


Red Hat would like to thank William Robinet for reporting this issue.

Comment 1 Tomas Hoger 2015-02-13 20:12:05 UTC
Created attachment 991545 [details]
Vulnerable function

Part of the 06-unzip60-alt-iconv-utf8 patch which contains the vulnerable function.

Comment 4 Tomas Hoger 2015-02-13 20:31:50 UTC
This issue does not affect any released upstream version.  Affected code does not exist in the latest upstream version - 6.0.  It is introduced as part of a patch that adds support for file names using non-latin and non-unicode encoding, which is used in unzip packages in certain Linux or BSD distributions.  The patch has been proposed for inclusion in Red Hat Enterprise Linux unzip packages - see bug 885540 comment 2 - but has not been applied there or in Fedora to date.  Therefore, Red Hat Enterprise Linux and Fedora unzip packages are not affected by this issue.

It should be noted that the code seems to have been accepted upstream, as it appears in the 6.1 development/beta code.


Not vulnerable. This issue did not affect the version of unzip as shipped in Red Hat Enterprise Linux 5, 6, and 7.

Comment 5 Tomas Hoger 2015-02-16 07:36:04 UTC
Created attachment 992062 [details]
Ubuntu patch

Comment 6 Tomas Hoger 2015-02-16 07:38:07 UTC
Created attachment 992063 [details]
Fixed version of 06-unzip60-alt-iconv-utf8

Full iconv patch with the above fix applied.  It obsoletes the patch in bug 885540 comment 2.

Note You need to log in before you can comment on or make changes to this bug.