bug#30415: Unzip CVE-2018-1000031 and others
Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.

[…]

> + ;; Mitigate CVE-2018-135, an exploitable buffer
> overflow.
> + ;; This environment variable is recommended in
> 'unix/Makefile'
> + ;; for passing flags to the C compiler.
> + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> + #t

This looks good to me. Thank you!

--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
bug#30415: Unzip CVE-2018-1000031 and others
On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
>
> Hi Leo,
>
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> […]
> > + ;; Mitigate CVE-2018-135, an exploitable buffer
> > overflow.
> > + ;; This environment variable is recommended in
> > 'unix/Makefile'
> > + ;; for passing flags to the C compiler.
> > + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> > + #t
>
> This looks good to me. Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930
bug#30415: Unzip CVE-2018-1000031 and others
On Sun, Feb 11, 2018 at 10:35:48AM -0500, Leo Famulari wrote:
> And CVE-2018-135 may be mitigated by the compiler. I'll investigate
> more.

The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
to reduce the impact of the bug. The attached patch does that.

AFAICT, the proof-of-concept zip file is not published, and there is no
upstream patch.

From 4e9eaa43e19ff8fe02c02589d0ea42b88ce67c87 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 12 Feb 2018 13:49:49 -0500
Subject: [PATCH] gnu: unzip: Mitigate CVE-2018-135.

* gnu/packages/compression.scm (unzip)[replacement]: New field.
(unzip/fixed): New variable.
---
gnu/packages/compression.scm | 17 -
1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm index 3a0e27945..9983ee129 100644 --- a/gnu/packages/compression.scm +++ b/gnu/packages/compression.scm @@ -5,7 +5,7 @@ ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer ;;; Copyright © 2015, 2016 Eric Bavier ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus -;;; Copyright © 2015, 2017 Leo Famulari +;;; Copyright © 2015, 2017, 2018 Leo Famulari ;;; Copyright © 2015 Jeff Mickey ;;; Copyright © 2015, 2016, 2017 Efraim Flashner ;;; Copyright © 2016 Ben Woodcroft @@ -1719,6 +1719,7 @@ Compression ratios of 2:1 to 3:1 are common for text files.") (define-public unzip (package (inherit zip) (name "unzip") +(replacement unzip/fixed) (version "6.0") (source (origin 
@@ -1769,6 +1770,20 @@ recreates the stored directory structure by default.") (license (license:non-copyleft "file://LICENSE" "See LICENSE in the distribution." +(define unzip/fixed + (package/inherit unzip +(arguments + (substitute-keyword-arguments (package-arguments unzip) +((#:phases phases) + `(modify-phases ,phases + (add-after 'unpack 'fortify + (lambda _ + ;; Mitigate CVE-2018-135, an exploitable buffer overflow. + ;; This environment variable is recommended in 'unix/Makefile' + ;; for passing flags to the C compiler. + (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1") + #t + (define-public zziplib (package (name "zziplib")
-- 2.16.1
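Review bot: the `-D_FORTIFY_SOURCE=1` set in the new 'fortify phase of unzip/fixed only takes effect when the C compiler also optimizes (glibc enables the fortified wrappers only with -O1 or higher and otherwise ignores the define), and the hunk shows nothing about what optimization level the 'unix/Makefile' build ends up with after LOCAL_UNZIP is appended; please confirm the effective CFLAGS contain -O so this is not a silent no-op, and consider `-D_FORTIFY_SOURCE=2`, which adds checks that level 1 does not. The phase comment cites CVE-2018-135 while the bug subject uses the CVE-2018-1000031 form; verify the identifier against the advisory before this lands. Since this ships as a graft via the new `(replacement unzip/fixed)` field, the change must leave the package's outputs and file layout the same, which an environment-variable-only phase does.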
bug#30415: Unzip CVE-2018-1000031 and others
On Sat, Feb 10, 2018 at 01:57:28PM -0500, Leo Famulari wrote:
> We need to fix CVE-2018-131, CVE-2018-132, CVE-2018-133,
> CVE-2018-134, CVE-2018-135 in UnZip:
>
> http://seclists.org/oss-sec/2018/q1/134
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-131 and etc

Okay, the advisory says that only CVE-2018-135 affects our UnZip 6.0
package; the other bugs were apparently introduced after that.

And CVE-2018-135 may be mitigated by the compiler. I'll investigate
more.
bug#30415: Unzip CVE-2018-1000031 and others
The 3rd-party security advisory suggests that the bugs are fixed in
UnZip 6.1c23:

https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:

http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9-year-old tarball on the
UnZip SourceForge page. Any advice? I suppose we could keep the old UnZip
package just to unpack the new one.
bug#30415: Unzip CVE-2018-1000031 and others
We need to fix CVE-2018-131, CVE-2018-132, CVE-2018-133,
CVE-2018-134, CVE-2018-135 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-131 and etc