[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
*** This bug is a duplicate of bug 1643750 ***
    https://bugs.launchpad.net/bugs/1643750

** This bug has been marked a duplicate of bug 1643750
   Buffer Overflow in ZipInfo

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/387350

Title:
  Buffer overflow in unzip with hand-crafted ZIP file

To manage notifications about this bug go to:
https://bugs.launchpad.net/unzip/+bug/387350/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
** Information type changed from Public to Public Security
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
This bug was fixed in the package unzip - 6.0-20ubuntu1.1

---------------
unzip (6.0-20ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
    - debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
      printing an oversized compression method number in list.c.
    - CVE-2014-9913
  * SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
    - debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate
      an oversized compression method number in zipinfo.c.
    - CVE-2016-9844
  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-135-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-135
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix
      bug in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich  Wed, 25 Nov 2020 20:01:25 -0500

** Changed in: unzip (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9913

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-9844

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-135

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13232
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
** Changed in: unzip (Ubuntu)
   Importance: Undecided => Low
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Yes, Gabe, you're right, I could reproduce that with Fedora 13 alpha.
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Hmm, looking at the Debian change log between 6.0-1 and 6.0-4, I don't see any changes that would fix this. I'm going to try to build it on Karmic and see if this bug really is gone.
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
I still get this using 6.0-4 from Debian. Perhaps you can't reproduce it because the buffer overflow just isn't detected?
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Hi,

I suppose that when you report a bug upstream, the Info-ZIP Discussion Forum is better than sf.net. See http://www.info-zip.org/board/board.pl

And I cannot reproduce it in Debian unstable.

henr...@hp115:/tmp$ unzip -lv hello.zip
Archive:  hello.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
      14  Unk:62463    14   0% 2009-06-16 00:14 7b55a718  hello.txt
--------          -------  ---                            -------
      14               14   0%                            1 file

henr...@hp115:/tmp$ unzip -v
UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.4.3 for Unix (Linux ELF) on Mar  7 2010.

UnZip special compilation options:
        ACORN_FTYPE_NFS
        COPYRIGHT_CLEAN (PKZIP 0.9x unreducing method not supported)
        SET_DIR_ATTRIB
        SYMLINKS (symbolic links supported, if RTL and file system permit)
        TIMESTAMP
        UNIXBACKUP
        USE_EF_UT_TIME
        USE_UNSHRINK (PKZIP/Zip 1.x unshrinking method supported)
        USE_DEFLATE64 (PKZIP 4.x Deflate64(tm) supported)
        UNICODE_SUPPORT [wide-chars, char coding: UTF-8] (handle UTF-8 paths)
        LARGE_FILE_SUPPORT (large files over 2 GiB supported)
        ZIP64_SUPPORT (archives using Zip64 for large files supported)
        USE_BZIP2 (PKZIP 4.6+, using bzip2 lib version 1.0.5, 10-Dec-2007)
        VMS_TEXT_CONV
        WILD_STOP_AT_DIR
        [decryption, version 2.11 of 05 Jan 2007]

UnZip and ZipInfo environment options:
           UNZIP:  [none]
        UNZIPOPT:  [none]
         ZIPINFO:  [none]
      ZIPINFOOPT:  [none]
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
What Debian package version of unzip are you using? I notice that on Karmic, it's 6.0-1, but unzip will still report its version as 6.0.
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
I'm using 6.0-4.

$ dpkg -s unzip
Package: unzip
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 396
Maintainer: Santiago Vila <sanv...@debian.org>
Architecture: i386
Version: 6.0-4
(snip)
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Also, I'm using i386 and amd64, and the unzip packages are the same version.
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
I can confirm this on the unzip 6.0 used in karmic. The code in list.c has changed a little, but the same general problem remains.
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Filed this upstream with the unzip people.

** Bug watch added: SourceForge.net Tracker #2861648
   http://sourceforge.net/support/tracker.php?aid=2861648

** Also affects: unzip via
   http://sourceforge.net/support/tracker.php?aid=2861648
   Importance: Unknown
       Status: Unknown
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Is this bug still present in the latest version? If so, this should be filed upstream at http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=unzip.
[Bug 387350] Re: Buffer overflow in unzip with hand-crafted ZIP file
Thanks for this investigation! It looks like the overflow is not very harmful, so I'm unmarking this as a security bug. A single byte overflow in the bss region is happening, which does not appear to be near any control structures.

** Changed in: unzip (Ubuntu)
       Status: New => Triaged

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability
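The defect the thread describes is a fixed-size label buffer that cannot hold a five-digit compression method number such as the "Unk:62463" in the listing above. The following is an added illustration, not Info-ZIP's own list.c: it formats the Method column label with a buffer sized for the full 16-bit range, reports truncation instead of ignoring it, and computes how many bytes an unknown-method label needs so the overrun of a smaller buffer is visible. The method names and the assumed 8-byte legacy buffer length are assumptions, not values taken from the project.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Info-ZIP's list.c.  The ZIP central-directory
 * "compression method" field is 16 bits, so an unrecognised method can
 * need five digits.  A label buffer sized for "Unk:" plus three digits is
 * overrun by a value like 62463; sizing it for the worst case and bounding
 * the write removes the overflow. */

#define METHBUF_LEN (sizeof "Unk:65535")   /* worst case incl. NUL: 10 bytes */

/* Method numbers from the ZIP application note; the names are ours. */
static const char *known_method_name(uint16_t method)
{
    switch (method) {
    case 0:  return "Stored";
    case 8:  return "Deflate";
    case 9:  return "Deflate64";
    case 12: return "BZip2";
    case 14: return "LZMA";
    default: return NULL;
    }
}

/* Format the Method column label into out[outlen].  Returns 0 when the
 * label fit, -1 when snprintf had to truncate it; out is NUL-terminated
 * either way, so the caller can safely print or reject it. */
int method_label(uint16_t method, char *out, size_t outlen)
{
    const char *name = known_method_name(method);
    int n = name ? snprintf(out, outlen, "%s", name)
                 : snprintf(out, outlen, "Unk:%u", (unsigned)method);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Bytes, including the NUL, that "Unk:<method>" needs; compare against a
 * buffer size to see which method values would overrun it. */
size_t unknown_label_bytes(uint16_t method)
{
    return (size_t)snprintf(NULL, 0, "Unk:%u", (unsigned)method) + 1;
}

int main(void)
{
    char buf[METHBUF_LEN];
    size_t assumed_legacy_len = 8;   /* "Unk:" + 3 digits + NUL; an assumption */
    uint16_t m = 62463;              /* value from the thread's listing */
    printf("label needs %zu bytes; legacy %zu-byte buffer: %s\n",
           unknown_label_bytes(m), assumed_legacy_len,
           unknown_label_bytes(m) > assumed_legacy_len ? "OVERRUN" : "ok");
    if (method_label(m, buf, sizeof buf) == 0)
        printf("bounded label: %s\n", buf);
    return 0;
}
```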