gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access.

Improper input validation produces a crash in __zzip_parse_root_directory function of zzip/zip.c #27

Closed ret2libc closed 6 years ago

ret2libc commented 6 years ago

It seems that the original fix (https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3) for CVE-2018-6869 and CVE-2018-6484 did not fully fix the vulnerabilities. Function __zzip_fetch_disk_trailer uses signed comparisons to check untrusted values which, in some configurations, are later used in __zzip_parse_root_directory as parameters to mmap.

The issue is present in version 0.13.68 and on master branch.

PoC available on demand.

gdraheim commented 6 years ago

fixed - checking for negative values now.
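The defect class described in the report above (signed comparisons on trailer values that later reach mmap) and the fix described here (rejecting negative values) are illustrated by the following added example. It is not zziplib's code: `struct trailer`, `trailer_ok_weak`, `trailer_ok_fixed` and `as_mmap_len` are hypothetical names, and the field names `rootseek`/`rootsize` stand in for the central-directory offset and length read from an untrusted end-of-central-directory record. The sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the two values parsed from an untrusted ZIP
 * trailer. Hypothetical type, not zziplib's own: the only property that
 * matters for the bug class is that both are held as signed integers. */
struct trailer {
    long rootseek;  /* offset of the central directory from file start */
    long rootsize;  /* byte length of the central directory */
};

/* Weak shape: signed arithmetic and no sign check. A crafted negative
 * rootseek makes rootseek + rootsize small or negative, which compares
 * "<= filesize" and passes, even though neither field is usable. */
static bool trailer_ok_weak(const struct trailer *t, long filesize)
{
    return t->rootseek + t->rootsize <= filesize;
}

/* Hardened shape: reject negatives first, then bound each field against
 * the file size with a subtraction that cannot overflow, instead of a sum
 * of two attacker-chosen values. */
static bool trailer_ok_fixed(const struct trailer *t, long filesize)
{
    if (filesize < 0 || t->rootseek < 0 || t->rootsize < 0)
        return false;
    if (t->rootseek > filesize)
        return false;
    return t->rootsize <= filesize - t->rootseek;
}

/* What a negative long becomes once it is passed to a size_t parameter
 * such as an mmap length: a wraparound to a huge unsigned value. */
static size_t as_mmap_len(long v)
{
    return (size_t)v;
}

int main(void)
{
    const long filesize = 4096;                     /* constructed */
    const struct trailer good    = { 1024, 512 };   /* constructed */
    const struct trailer crafted = { -2048, 1024 }; /* constructed */

    printf("good    weak=%d fixed=%d\n",
           trailer_ok_weak(&good, filesize), trailer_ok_fixed(&good, filesize));
    printf("crafted weak=%d fixed=%d len=%zu\n",
           trailer_ok_weak(&crafted, filesize), trailer_ok_fixed(&crafted, filesize),
           as_mmap_len(crafted.rootseek));
    return 0;
}
```

The weak check accepts the crafted trailer because -2048 + 1024 is below the file size; the hardened check rejects it at the sign test, before the value can be widened into an unsigned length. Checking each field separately against `filesize - rootseek` also avoids the signed overflow that a plain `rootseek + rootsize` sum invites.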

gdraheim commented 6 years ago

done.