The ZZIPlib provides read access on ZIP archives and unpacked data. It features an additional simplified API following the standard POSIX API for file access.
Improper input validation produces a crash in __zzip_parse_root_directory function of zzip/zip.c #27
It seems that the original fix (https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3) for CVE-2018-6869 and CVE-2018-6484 did not fully fix the vulnerabilities. Function `__zzip_fetch_disk_trailer` uses signed comparisons to check untrusted values which, in some configurations, are later used in `__zzip_parse_root_directory` as parameters to mmap.
The issue is present in version 0.13.68 and on the master branch.
PoC available on demand.
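The bug class described in this report, shown as an added example that is not zziplib's code and not part of the original issue: an upper-bound check done on signed values accepts a large untrusted field once it is reinterpreted as negative, while the same check on unsigned values rejects it. The struct, field names and both functions are hypothetical, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical trailer fields as parsed from an untrusted archive. */
struct trailer {
    uint32_t rootseek; /* claimed offset of the central directory */
    uint32_t rootsize; /* claimed size of the central directory */
};

/* Weak form: the fields are held in signed 32-bit variables, so any value
 * >= 0x80000000 becomes negative (wrap-around as on gcc/clang) and passes
 * every "greater than file size" test. */
static bool check_signed(const struct trailer *t, int64_t filesize)
{
    int32_t seek = (int32_t)t->rootseek;
    int32_t size = (int32_t)t->rootsize;
    if (seek > filesize) return false;
    if (size > filesize) return false;
    if ((int64_t)seek + size > filesize) return false;
    return true; /* caller would go on to use seek/size for a mapping */
}

/* Hardened form: compare as unsigned 64-bit and avoid seek + size overflow
 * by subtracting from the known-good file size instead. */
static bool check_unsigned(const struct trailer *t, uint64_t filesize)
{
    uint64_t seek = t->rootseek;
    uint64_t size = t->rootsize;
    if (size > filesize) return false;
    if (seek > filesize - size) return false;
    return true;
}

int main(void)
{
    /* Constructed samples for a 4096-byte file. */
    struct trailer good = { 1024u, 256u };
    struct trailer bad_seek = { 0xFFFFF000u, 256u };
    struct trailer bad_size = { 0u, 0x80000000u };
    const struct trailer *cases[] = { &good, &bad_seek, &bad_size };
    for (int i = 0; i < 3; i++)
        printf("case %d: signed=%d unsigned=%d\n", i,
               check_signed(cases[i], 4096), check_unsigned(cases[i], 4096));
    return 0;
}
```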