[Bug 2093024] Re: zip crashes when using options -T and -TT
** Description changed: + [ Impact ] + Running zip command with -T -TT arguments causes zip process to crash due to buffer overflow. See below: - $ zip a.zip /etc/hosts -T -TT "ls" - adding: etc/hosts (deflated 35%) + adding: etc/hosts (deflated 35%) *** buffer overflow detected ***: terminated - zip error: Interrupted (aborting) free(): double free detected in tcache 2 + + [ Test Plan ] + + $ zip a.zip /etc/hosts -T -TT "ls" + adding: etc/hosts (deflated 41%) + ziAEBMZH + test of a.zip OK + + This is what should be displayed with a working `zip` package. If you + still have the crash described just above, then the verification is + failed. + + Additionally, a dep8 test covering this test case has been added to the + package. + + [ Where problems could occur ] + + Considering that the patch is just a buffer size increase by 1, it should be pretty safe. However, as with every update, there is always a chance that something goes wrong, and `zip` is even more broken than before. The dep8 test added in this new version at least verifies that a basic usage of the tool is working. + Additionally, since this is a simple CLI tool, it's quite easy to verify that it's not completely broken. + + [ Other Info ] + + N/A + + + [Original description] + + Running zip command with -T -TT arguments causes zip process to crash + due to buffer overflow. 
See below: + + $ zip a.zip /etc/hosts -T -TT "ls" + adding: etc/hosts (deflated 35%) + *** buffer overflow detected ***: terminated + + zip error: Interrupted (aborting) + free(): double free detected in tcache 2 $ lsb_release -rd OS: Ubuntu 24.04.1 LTS $ apt-cache policy zip zip: - Installed: 3.0-13ubuntu0.1 - Candidate: 3.0-13ubuntu0.1 - Version table: - *** 3.0-13ubuntu0.1 500 - 500 http://pl.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages - 100 /var/lib/dpkg/status - 3.0-13build1 500 - 500 http://pl.archive.ubuntu.com/ubuntu noble/main amd64 Packages - + Installed: 3.0-13ubuntu0.1 + Candidate: 3.0-13ubuntu0.1 + Version table: + *** 3.0-13ubuntu0.1 500 + 500 http://pl.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages + 100 /var/lib/dpkg/status + 3.0-13build1 500 + 500 http://pl.archive.ubuntu.com/ubuntu noble/main amd64 Packages In addition to that I tested various docker images - here are the results: - ubuntu:24.10@sha256:102bc1874fdb136fc2d218473f03cf84135cb7496fefdb9c026c0f553cfe1b6d - zip 3.0-14ubuntu0.1 - issue occurs - ubuntu:24.04@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab - zip 3.0-13ubuntu0.1 - issue occurs - ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b - zip 3.0-11build1 - issue does not occur - debian:bookworm@sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a - zip 3.0-13 - issue does not occur ** Summary changed: - zip crashes when using options -T and -TT + [SRU] zip crashes when using options -T and -TT -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2093024 Title: [SRU] zip crashes when using options -T and -TT To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/zip/+bug/2093024/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
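Review bot: In the added [ Test Plan ], the expected transcript is given as literal output, but the `ziAEBMZH` line looks like a per-run temporary archive name, and the deflate ratio shown (41%) already differs from the 35% in the crash transcript, so a verifier will not see these lines verbatim. Suggest stating the pass criterion explicitly: `test of a.zip OK` is printed and neither `*** buffer overflow detected ***` nor `free(): double free detected in tcache 2` appears. The [ Where problems could occur ] text could also name the buffer whose size is increased by 1, so the regression risk can be judged from the description alone.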
[Bug 2093024] Re: zip crashes when using options -T and -TT
** Merge proposal linked: https://code.launchpad.net/~hyask/ubuntu/+source/zip/+git/zip/+merge/479674
[Bug 2093024] Re: zip crashes when using options -T and -TT
** Also affects: zip (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Also affects: zip (Ubuntu Plucky)
   Importance: Undecided
     Assignee: Skia (hyask)
       Status: Confirmed

** Also affects: zip (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Changed in: zip (Ubuntu Oracular)
       Status: New => Confirmed

** Changed in: zip (Ubuntu Noble)
       Status: New => Confirmed

** Changed in: zip (Ubuntu Oracular)
     Assignee: (unassigned) => Skia (hyask)

** Changed in: zip (Ubuntu Noble)
     Assignee: (unassigned) => Skia (hyask)

** Changed in: zip (Ubuntu Plucky)
   Importance: Undecided => High

** Changed in: zip (Ubuntu Oracular)
   Importance: Undecided => High

** Changed in: zip (Ubuntu Noble)
   Importance: Undecided => High
[Bug 2093024] Re: zip crashes when using options -T and -TT
If it doesn't reproduce in Debian unstable, then I think it's the same reason as https://bugs.launchpad.net/ubuntu/+source/zip/+bug/2062535, as we build packages with _FORTIFY_SOURCE=3.
[Bug 2093024] Re: zip crashes when using options -T and -TT
** Changed in: zip (Ubuntu)
     Assignee: (unassigned) => Skia (hyask)

** Tags removed: rls-pp-incoming
** Tags added: foundations-todo
[Bug 2093024] Re: zip crashes when using options -T and -TT
I can also reproduce that on `plucky`.
Interestingly, that doesn't reproduce in a `debian:unstable` container.

** Tags added: rls-pp-incoming
[Bug 2093024] Re: zip crashes when using options -T and -TT
Thanks for reporting. I can confirm the same error message with zip 3.0-14ubuntu0.1 on Ubuntu 24.10.

** Changed in: zip (Ubuntu)
       Status: New => Confirmed

** Tags added: noble oracular
[Bug 2093024] Re: zip crashes when using options -T and -TT
Actually, I spent some time to figure out what is wrong. Looks like program name in -TT command does not matter - crash is always present on my host (Ubuntu 24.04.1 LTS, zip 3.0-13ubuntu0.1).

Program crashes inside check_zipfile function:

```
if (here) {
  ...
} else {
  /* No {} so append temp name to end */
  strcpy(cmd, unzip_path);
  strcat(cmd, " ");
# ifdef UNIX
  strcat(cmd, "'"); /* accept space or $ in name */
  strcat(cmd, zipname);
  strcat(cmd, "'"); /* <- this function causes a program crash */
# else
  strcat(cmd, zipname);
# endif
}
```

at the moment of call to the "faulty" strcat gdb shows:

```
   0x55575f25    lea    rdi, [r12 + r15 + 2]
   0x55575f2a    mov    ecx, 1
   0x55575f2f    mov    rsi, r14
   0x55575f32    add    rdi, rbx
   0x55575f35    mov    edx, 2
 ► 0x55575f3a    call   __memcpy_chk@plt
        dstpp: 0x555d896e ◂— 0
        srcpp: 0x55578565 ◂— 0x32252d6434250027 /* "'" */
        len: 2
        dstlen: 1
```

`__memcpy_chk` will fail if dstlen <= len and that's expected. What is unexpected, though, is that the 3rd (rdx register) and 4th (rcx register) parameters are set to 2 and 1, causing this code path to always fail. Not sure why such code was generated.
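An added example, not part of the thread and not zip's own code: it works through the byte accounting behind the `len: 2` / `dstlen: 1` values in the gdb output above and shows a bounded way to build the same command string. The function names are hypothetical, and the undersized capacity (three bytes of overhead instead of four) is an assumption inferred from the description's "buffer size increase by 1", not taken from the zip source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for: unzip_path + " " + "'" + zipname + "'" + NUL. */
static size_t cmd_bytes_needed(const char *unzip_path, const char *zipname)
{
    return strlen(unzip_path) + 1 + 1 + strlen(zipname) + 1 + 1;
}

/* Bytes left in a buffer of `cap` bytes at the write position of the final
 * strcat(cmd, "'"), i.e. after path, space, opening quote and name are in
 * place. That strcat stores 2 bytes (the quote and the terminating NUL), so
 * anything below 2 is what a fortified build reports as an overflow. */
static long room_before_closing_quote(size_t cap, const char *unzip_path,
                                      const char *zipname)
{
    size_t used = strlen(unzip_path) + 2 + strlen(zipname);
    return (long)cap - (long)used;
}

/* Bounded builder: returns a malloc'd command string, or NULL when the
 * command does not fit in `cap` bytes (or allocation fails). */
static char *build_test_cmd(const char *unzip_path, const char *zipname,
                            size_t cap)
{
    char *cmd = malloc(cap);
    if (cmd == NULL)
        return NULL;
    int n = snprintf(cmd, cap, "%s '%s'", unzip_path, zipname);
    if (n < 0 || (size_t)n >= cap) {   /* truncated: refuse, do not run it */
        free(cmd);
        return NULL;
    }
    return cmd;
}

int main(void)
{
    /* Constructed sample values mirroring the thread's command line. */
    const char *path = "ls", *name = "ziAEBMZH";
    size_t need = cmd_bytes_needed(path, name);
    printf("needed=%zu room(need-1)=%ld room(need)=%ld\n", need,
           room_before_closing_quote(need - 1, path, name),
           room_before_closing_quote(need, path, name));
    char *cmd = build_test_cmd(path, name, need);
    printf("cmd=%s\n", cmd ? cmd : "(does not fit)");
    free(cmd);
    return 0;
}
```

With the capacity one byte short, the room left before the closing quote is 1 while the write needs 2, which is exactly the pair of values `__memcpy_chk` receives in the trace.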