Bug 1401864 (CVE-2016-9844) - CVE-2016-9844 unzip: methbuf[] buffer overflow in zipinfo's zi_short()
Summary: CVE-2016-9844 unzip: methbuf[] buffer overflow in zipinfo's zi_short()
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-9844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1404283
Blocks: 1401866
Reported: 2016-12-06 09:40 UTC by Andrej Nemec
Modified: 2019-09-29 14:01 UTC
CC: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-13 14:25:22 UTC



Description Andrej Nemec 2016-12-06 09:40:12 UTC
A buffer overflow vulnerability was found in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999.

The original Ubuntu bug report:

https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

Proposed fix:

http://seclists.org/oss-sec/2016/q4/600

References:

http://seclists.org/oss-sec/2016/q4/594
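The report above describes a fixed-size buffer written with an unbounded `sprintf("%03u")`: the format promises three digits, but a method number above 999 prints four or five, and the extra bytes land past the end of the buffer. The following is an added example, not code from the unzip project or from this report: it reproduces the shape of the proposed fix (decimal with a leading `u` up to 999, four-digit hex above), measures how many bytes the original format would have needed, and checks with a sentinel-padded buffer that nothing is written past the end. Two assumptions are labelled in the code: the buffer size `METHBUF_SIZE` of 5 (the real declaration in zipinfo.c is not on the page), and that the compression-method field is 16 bits wide.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of zipinfo's methbuf: "u" + three digits + NUL, or four
 * hex digits + NUL. The real declaration in zipinfo.c is not on the page. */
#define METHBUF_SIZE 5

/* Mirrors the proposed fix: methods up to 999 keep the "u%03u" form,
 * larger ones drop the "u" and use "%04X". The ZIP compression-method
 * field is assumed to be 16 bits, so four hex digits always suffice.
 * snprintf bounds the write, making the size limit explicit at the write
 * site instead of relying on the format width. Returns the length the
 * formatted string would have had; a value >= METHBUF_SIZE signals that
 * the output was truncated rather than overflowed. */
int format_method(char methbuf[METHBUF_SIZE], unsigned method)
{
    if (method <= 999) {
        methbuf[0] = 'u';
        return 1 + snprintf(&methbuf[1], METHBUF_SIZE - 1, "%03u", method);
    }
    return snprintf(methbuf, METHBUF_SIZE, "%04X", method);
}

/* Bytes the original unbounded sprintf("%03u") would write for a method
 * number, counting the leading 'u' and the terminating NUL. Anything
 * above METHBUF_SIZE is the overflow the report describes. */
int original_write_size(unsigned method)
{
    return snprintf(NULL, 0, "u%03u", method) + 1;
}

/* Runs format_method on a sentinel-padded buffer and returns 1 only if the
 * output equals `expected` and no byte past methbuf was modified. */
int formats_as(unsigned method, const char *expected)
{
    char guard[METHBUF_SIZE + 4];
    memset(guard, 0x7f, sizeof guard);          /* sentinel pattern */
    format_method(guard, method);
    if (strcmp(guard, expected) != 0)
        return 0;
    for (size_t i = METHBUF_SIZE; i < sizeof guard; i++)
        if (guard[i] != 0x7f)
            return 0;                           /* wrote past the buffer */
    return 1;
}

int main(void)
{
    /* Constructed sample method numbers, including the 999/1000 boundary. */
    unsigned samples[] = { 0, 8, 999, 1000, 4660, 65535 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[METHBUF_SIZE];
        format_method(buf, samples[i]);
        printf("method %5u -> \"%s\" (original sprintf needs %d bytes, buffer holds %d)\n",
               samples[i], buf, original_write_size(samples[i]), METHBUF_SIZE);
    }
    return 0;
}
```

The `original_write_size` helper is what a reviewer of the original line would want to see: for 999 the write exactly fills the five bytes, for 1000 it needs six, and for the largest 16-bit value it needs seven, which is why FORTIFY_SOURCE aborts the process instead of letting the write complete.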

Comment 1 Tomas Hoger 2016-12-13 14:20:46 UTC
This bug is pretty much identical to the similar problem fixed in unzip's list_files() - see CVE-2014-9913 / bug 1401865.

This issue is caught by FORTIFY_SOURCE, limiting its impact to a crash of the zipinfo command.  Therefore, the issue is not planned to be corrected in the unzip packages in Red Hat Enterprise Linux 5, 6, and 7.

(In reply to Andrej Nemec from comment #0)
> Proposed fix:
> 
> http://seclists.org/oss-sec/2016/q4/600

Noting proposed fix here for posterity:

ALP $ gdiff zipinfo.c;39 zipinfo.c
2568c2568,2579
<         sprintf(&methbuf[1], "%03u", G.crec.compression_method);
---
>         /* 2016-12-05 SMS.
>          * https://launchpad.net/bugs/1643750
>          * Unexpectedly large compression methods overflow
>          * &methbuf[].  Use the old, three-digit decimal format
>          * for values which fit.  Otherwise, sacrifice the "u",
>          * and use four-digit hexadecimal.
>          */
>         if (G.crec.compression_method <= 999) {
>             sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
>         } else {
>             sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
>         }
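Review bot: the new bound is only implicit in the format width; `%04X` fits the buffer only as long as `G.crec.compression_method` cannot exceed 0xFFFF, so if that field's type ever widens the same overflow returns. Suggest making the limit explicit at the write site with `snprintf(methbuf, sizeof(methbuf), "%04X", G.crec.compression_method)` (and the same for the `%03u` branch), which also documents the buffer size next to the write. The comment says the `u` is sacrificed in the hex form, so anything that parses the short listing and keys on the leading `u` for an unknown method sees a different shape above 999; that is worth a line in the comment or the documentation. Minor: the added lines use `sprintf( &methbuf[ 1], ...)` spacing, which differs from the `sprintf(&methbuf[1], ...)` style of the line being replaced.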

I.e. a similar fix to the one that was used to fix the CVE-2014-9913 issue (see bug 1191136 comment 1).  zipinfo.c from unzip 6.0 with the patch applied can be found here:

http://antinode.info/ftp/info-zip/unzip60/zipinfo.c

Comment 2 Tomas Hoger 2016-12-13 14:23:21 UTC
Created unzip tracking bugs for this issue:

Affects: fedora-all [bug 1404283]

Comment 3 Tomas Hoger 2016-12-13 14:25:22 UTC
This issue is planned to be fixed in the future upstream version, that might be called either 6.1 or 7.0.  Removed "Fixed In Version" information for now.

