CVE-2017-5977: invalid memory read in zzip_mem_entry_extra_block (memdisk.c)

[ncopa]

I could not find any commit message that says that CVE-2017-5977 is fixed.

From: https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/

# unzzipcat-mem $FILE
==7950==ERROR: AddressSanitizer: SEGV on unknown address 0x603000014e32 (pc 0x7f414b4c8693 bp 0x7fff48f3ff70 sp 0x7fff48f3fe40 T0)
==7950==The signal is caused by a READ memory access.
    #0 0x7f414b4c8692 in zzip_mem_entry_extra_block /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20
    #1 0x7f414b4c8692 in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:218
    #2 0x7f414b4c8692 in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #3 0x7f414b4c78b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #4 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #5 0x7f414a60761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:248:20 in zzip_mem_entry_extra_block
==7950==ABORTING

Reproducer: https://github.com/asarubbo/poc/blob/master/00153-zziplib-invalidread-zzip_mem_entry_extra_block

If this is fixed, then please add a comment that tells which commit fixes it (and which version that includes the fix) and close this issue.

Thanks!

[gdraheim]

I have merged downstream from Opensuse where there was no patch for CVE-2017-5977.

However a similar problem has resulted in deprecating zzip_mem_entry_extra_block and using a new implementation that does check memory boundaries more thoroughly. That is included in commit 1e5b1ac48186e34e871945769623becfa3650956 and 9e8f867a976311a3e5fb0184c947e22ec35f2fcb

[gdraheim]

I have check with the referenced zip-file which is being extracted without a problem.

./unzzip -v ~/Downloads/00153-zziplib-invalidread-zzip_mem_entry_extra_block 3/3 stored test ./unzzip ~/Downloads/00153-zziplib-invalidread-zzip_mem_entry_extra_block