Package: unzip
Version: 6.0-13
Severity: normal
Tags: upstream

Dear Maintainer,

using the american fuzzy lop fuzzer, I managed to find a zip file that results
in an uninitialised read in getZip64Data. This is not the same issue as
CVE-2014-8141 and is still present in unzip 6.0-13.

The zip file in question and a valgrind log are attached.

Cheers,
Lorenz Hübschle-Schneider



-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.1-cust+ (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages unzip depends on:
ii  libbz2-1.0  1.0.6-7+b2
ii  libc6       2.19-13

unzip recommends no packages.

Versions of packages unzip suggests:
ii  zip  3.0-8




*** /tmp/unzip-valgrind.txt
==32565== Memcheck, a memory error detector
==32565== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==32565== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==32565== Command: ./unzip -d /tmp/dump -o -P
c/id:000000,sig:00,sync:f20,src:000078
==32565==
Archive:  c/id:000000,sig:00,sync:f20,src:000078
error [c/id:000000,sig:00,sync:f20,src:000078]:  missing 19 bytes in zipfile
  (attempting to process anyway)
error [c/id:000000,sig:00,sync:f20,src:000078]:  reported length of central
directory is
  19 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x40FFB6: getZip64Data (process.c:1927)
==32565==    by 0x40A48F: do_string (fileio.c:2300)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x40FFC1: getZip64Data (process.c:1935)
==32565==    by 0x40A48F: do_string (fileio.c:2300)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x4100A5: getZip64Data (process.c:1922)
==32565==    by 0x40A48F: do_string (fileio.c:2300)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Use of uninitialised value of size 8
==32565==    at 0x40A544: makeword (fileio.c:2426)
==32565==    by 0x40FF9F: getZip64Data (process.c:1924)
==32565==    by 0x40A48F: do_string (fileio.c:2300)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Use of uninitialised value of size 8
==32565==    at 0x40A544: makeword (fileio.c:2426)
==32565==    by 0x40FFAB: getZip64Data (process.c:1925)
==32565==    by 0x40A48F: do_string (fileio.c:2300)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x415944: mapattr (unix.c:404)
==32565==    by 0x405994: store_info (extract.c:982)
==32565==    by 0x408415: extract_or_test_files (extract.c:536)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x41594B: mapattr (unix.c:407)
==32565==    by 0x405994: store_info (extract.c:982)
==32565==    by 0x408415: extract_or_test_files (extract.c:536)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x415957: mapattr (unix.c:407)
==32565==    by 0x405994: store_info (extract.c:982)
==32565==    by 0x408415: extract_or_test_files (extract.c:536)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Conditional jump or move depends on uninitialised value(s)
==32565==    at 0x415992: mapattr (unix.c:401)
==32565==    by 0x405994: store_info (extract.c:982)
==32565==    by 0x408415: extract_or_test_files (extract.c:536)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Use of uninitialised value of size 8
==32565==    at 0x40A544: makeword (fileio.c:2426)
==32565==    by 0x41592D: mapattr (unix.c:402)
==32565==    by 0x405994: store_info (extract.c:982)
==32565==    by 0x408415: extract_or_test_files (extract.c:536)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
==32565== Use of uninitialised value of size 8
==32565==    at 0x40A544: makeword (fileio.c:2426)
==32565==    by 0x41593A: mapattr (unix.c:403)
==32565==    by 0x405994: store_info (extract.c:982)
==32565==    by 0x408415: extract_or_test_files (extract.c:536)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==  Uninitialised value was created by a heap allocation
==32565==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==32565==    by 0x40A3FA: do_string (fileio.c:2289)
==32565==    by 0x40832F: extract_or_test_files (extract.c:503)
==32565==    by 0x40F119: do_seekable (process.c:987)
==32565==    by 0x40F7BD: process_zipfiles (process.c:401)
==32565==    by 0x403433: unzip (unzip.c:1253)
==32565==    by 0x403487: main (unzip.c:720)
==32565==
file #1:  bad zipfile offset (EOF):  256
==32565==
==32565== HEAP SUMMARY:
==32565==     in use at exit: 0 bytes in 0 blocks
==32565==   total heap usage: 31 allocs, 31 frees, 82,661 bytes allocated
==32565==
==32565== All heap blocks were freed -- no leaks are possible
==32565==

Attachment: id:000000,sig:00,sync:f20,src:000078
Description: Zip archive
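As an added example (not unzip's own code and not the reporter's), a hypothetical bounded walker over a ZIP extra-field block that refuses to parse a Zip64 record whose declared size exceeds the bytes actually present, the kind of short read the trace above shows reaching getZip64Data and makeword on a heap buffer allocated in do_string. The function parse_zip64_extra and the two sample buffers are constructed for this illustration; the field layout follows the ZIP specification's Zip64 extended information record (ID 0x0001).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical bounded walker over a ZIP extra-field block (added example, not
 * unzip's getZip64Data). Each extra header is a 2-byte ID plus a 2-byte data
 * size, little-endian; ID 0x0001 is the Zip64 extended information record. */
struct zip64_info { uint64_t usize, csize, offset; };
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t le64(const unsigned char *p) {
    uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v;
}
/* Returns 1 when a Zip64 record was parsed, 0 when none is present, -1 when a
 * header or payload would extend past the len bytes actually read, so a short
 * buffer is rejected rather than parsed from uninitialised memory. need_* flag
 * the 64-bit fields expected (those whose 32-bit header fields were 0xFFFFFFFF). */
int parse_zip64_extra(const unsigned char *buf, size_t len, int need_usize,
                      int need_csize, int need_offset, struct zip64_info *out)
{
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 4) return -1;                 /* truncated header */
        uint16_t id = le16(buf + pos), dsize = le16(buf + pos + 2);
        pos += 4;
        if (dsize > len - pos) return -1;             /* payload not present */
        if (id == 0x0001u) {
            size_t need = 8u * (!!need_usize + !!need_csize + !!need_offset);
            if (dsize < need) return -1;              /* record too small */
            const unsigned char *p = buf + pos;
            memset(out, 0, sizeof *out);
            if (need_usize)  { out->usize  = le64(p); p += 8; }
            if (need_csize)  { out->csize  = le64(p); p += 8; }
            if (need_offset) { out->offset = le64(p); }
            return 1;
        }
        pos += dsize;                                 /* skip other records */
    }
    return 0;
}
/* Constructed samples: a complete Zip64 record, and one whose declared
 * 16-byte payload stops after 4 bytes, as in a truncated archive. */
static const unsigned char sample_ok[] = { 0x01,0x00, 0x10,0x00,
    0x00,0x10,0,0,0,0,0,0,    /* uncompressed size 0x1000 */
    0x00,0x02,0,0,0,0,0,0 };  /* compressed size 0x200 */
static const unsigned char sample_cut[] = { 0x01,0x00, 0x10,0x00, 1,2,3,4 };
uint64_t demo_ok_usize(void) {
    struct zip64_info zi;
    return parse_zip64_extra(sample_ok, sizeof sample_ok, 1, 1, 0, &zi) == 1 ? zi.usize : 0;
}
int demo_cut(void) { struct zip64_info zi; return parse_zip64_extra(sample_cut, sizeof sample_cut, 1, 1, 0, &zi); }
```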
