William Robinet reports: """ Info-ZIP "UnZip" is an extraction utility for archives compressed in ".zip" format. An out-of-bounds write can be triggered with a malformed zip file, resulting in a crash or arbitrary code execution. The problem lies in the "unix/unix.c:charset_to_intern()" function, which is part of the 06-unzip60-alt-iconv-utf8 patch (Ubuntu reference [0]). It can be triggered during string conversion from CP866 to UTF-8, for which the destination buffer is not large enough. [0] Ubuntu iconv patch: http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz file debian/patches/06-unzip60-alt-iconv-utf8 """ Acknowledgment: Red Hat would like to thank William Robinet for reporting this issue.
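The following C program is an added illustration of the sizing mistake the report describes; it is not code from the bug report, the Ubuntu patch or unzip itself. A CP866 filename is converted in place to UTF-8: every Cyrillic letter is one byte in CP866 but two bytes in UTF-8, so a destination sized from the byte length of the original name is too small, and a copy back into the caller's fixed-size buffer runs past its end. A hand-rolled CP866 table covering the Cyrillic range stands in for iconv(3) so the program runs without gconv modules; the function names, the capacity argument of charset_to_intern_safe() and the sample filename are assumptions for this example, not unzip's interface.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one CP866 byte to a Unicode code point. ASCII passes through; the
 * Cyrillic letters are 0x80-0xAF -> U+0410-U+043F, 0xE0-0xEF -> U+0440-U+044F,
 * 0xF0/0xF1 -> U+0401/U+0451. Everything else (box drawing etc.) becomes
 * U+FFFD. This small table is a stand-in for iconv(3) in this example. */
static uint32_t cp866_to_ucs(unsigned char c)
{
    if (c < 0x80)               return c;
    if (c <= 0xAF)              return 0x0410 + (c - 0x80);
    if (c >= 0xE0 && c <= 0xEF) return 0x0440 + (c - 0xE0);
    if (c == 0xF0)              return 0x0401;
    if (c == 0xF1)              return 0x0451;
    return 0xFFFD;
}

/* UTF-8 length of one code point (nothing above U+FFFD is produced). */
static size_t utf8_width(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
}

/* Encode cp as UTF-8 into out; returns the number of bytes written. */
static size_t utf8_put(uint32_t cp, unsigned char *out)
{
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    out[0] = (unsigned char)(0xE0 | (cp >> 12));
    out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (unsigned char)(0x80 | (cp & 0x3F));
    return 3;
}

/* Bytes the UTF-8 form of a CP866 string needs, excluding the NUL. */
size_t cp866_utf8_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        n += utf8_width(cp866_to_ucs((unsigned char)*s));
    return n;
}

/* The assumption behind the bug: one output byte per input byte. Returns 1
 * when the UTF-8 form is longer than the CP866 form, i.e. when copying the
 * converted name back into a buffer sized for the original overruns it. */
int one_to_one_sizing_overflows(const char *s)
{
    return cp866_utf8_len(s) > strlen(s);
}

/* Convert s to UTF-8 into out (capacity outcap, NUL included). Returns bytes
 * written excluding the NUL, or -1 if it would not fit; never writes past
 * out[outcap - 1]. */
int cp866_to_utf8(const char *s, char *out, size_t outcap)
{
    size_t need = cp866_utf8_len(s);
    if (outcap == 0 || need > outcap - 1)
        return -1;
    unsigned char *d = (unsigned char *)out;
    for (; *s; s++)
        d += utf8_put(cp866_to_ucs((unsigned char)*s), d);
    *d = '\0';
    return (int)need;
}

/* Hardened in-place conversion in the spirit of charset_to_intern(): the
 * caller states the real capacity of `string`, the scratch buffer is sized
 * from the measured requirement, and the result is copied back only when it
 * fits. Returns 0 on success, -1 if it does not fit (string is unchanged). */
int charset_to_intern_safe(char *string, size_t cap)
{
    size_t need = cp866_utf8_len(string);
    if (cap == 0 || need > cap - 1)
        return -1;
    char *buf = malloc(need + 1);
    if (!buf || cp866_to_utf8(string, buf, need + 1) < 0) {
        free(buf);
        return -1;
    }
    memcpy(string, buf, need + 1);
    free(buf);
    return 0;
}

int main(void)
{
    /* Constructed sample: "Привет.txt" as CP866 bytes (six Cyrillic letters). */
    char name[64] = "\x8F\xE0\xA8\xA2\xA5\xE2.txt";
    printf("CP866 bytes: %zu, UTF-8 bytes needed: %zu, 1:1 sizing overflows: %d\n",
           strlen(name), cp866_utf8_len(name), one_to_one_sizing_overflows(name));
    if (charset_to_intern_safe(name, sizeof name) == 0)
        printf("converted: %s\n", name);
    char tight[11] = "\x8F\xE0\xA8\xA2\xA5\xE2.txt"; /* exactly the CP866 size */
    printf("conversion into a buffer of the original size refused: %d\n",
           charset_to_intern_safe(tight, sizeof tight) == -1);
    return 0;
}
```

The point of the measured-size check is that the worst case is decided by the target encoding, not the source: for a single-byte source, UTF-8 can need up to three bytes per input byte here (box-drawing characters), and up to four in general, so any fixed multiplier chosen without looking at the data, or a copy back that ignores the caller's buffer size, leaves the same class of overflow in place.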
Created attachment 991545 [details] Vulnerable function Part of the 06-unzip60-alt-iconv-utf8 patch which contains the vulnerable function.
This issue does not affect any released upstream version. The affected code does not exist in the latest upstream version, 6.0. It is introduced as part of a patch that adds support for file names using non-Latin and non-Unicode encodings, which is used in unzip packages in certain Linux or BSD distributions. The patch has been proposed for inclusion in Red Hat Enterprise Linux unzip packages - see bug 885540 comment 2 - but has not been applied there or in Fedora to date. Therefore, Red Hat Enterprise Linux and Fedora unzip packages are not affected by this issue. It should be noted that the code seems to have been accepted upstream, as it appears in the 6.1 development/beta code. Statement: Not vulnerable. This issue did not affect the version of unzip as shipped in Red Hat Enterprise Linux 5, 6, and 7.
Created attachment 992062 [details] Ubuntu patch
Created attachment 992063 [details] Fixed version of 06-unzip60-alt-iconv-utf8 Full iconv patch with the above fix applied. It obsoletes the patch in bug 885540 comment 2.
Public now via: http://seclists.org/oss-sec/2015/q1/579 http://www.conostix.com/pub/adv/CVE-2015-1315-Info-ZIP-unzip-Out-of-bounds_Write.txt