gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

CVE-2017-5980: NULL pointer dereference in zzip_mem_entry_new (memdisk.c) #4

Closed ncopa closed 6 years ago

ncopa commented 7 years ago

I could not find any commit message that says that CVE-2017-5980 is fixed.

The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted ZIP file.

From https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c/

# unzzipcat-mem $FILE
==7955==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001a (pc 0x7fcfc78e3c50 bp 0x7ffdf55d4f70 sp 0x7ffdf55d4e40 T0)
==7955==The signal is caused by a READ memory access.
==7955==Hint: address points to the zero page.
    #0 0x7fcfc78e3c4f in zzip_mem_entry_new /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21
    #1 0x7fcfc78e3c4f in zzip_mem_disk_load /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:137
    #2 0x7fcfc78e38b7 in zzip_mem_disk_open /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:89:5
    #3 0x50982d in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-mem.c:82:12
    #4 0x7fcfc6a2361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #5 0x419748 in _init (/usr/bin/unzzipcat-mem+0x419748)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:182:21 in zzip_mem_entry_new
==7955==ABORTING

Reproducer: https://github.com/asarubbo/poc/blob/master/00154-zziplib-nullptr-zzip_mem_entry_new

If this is already fixed, then please tell which commit has the fix and which version and close this issue. Thanks!
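The report above is a crash in an in-memory central-directory walker fed a crafted ZIP. The page does not say which pointer ended up NULL, so the following is not a description of the zziplib bug and not zziplib's code; it is an added example of the defensive shape such a walker should have: every count and offset read from the file is checked against the buffer before it is dereferenced, and malformed input yields an error code instead of a crash. All function names (`zip_count_entries`, `make_sample_zip`, `count_with_cd_offset`, `count_with_total`) are hypothetical, and the one-entry archive is constructed inline for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIG_LOCAL 0x04034b50u   /* local file header      "PK\3\4" */
#define SIG_CDIR  0x02014b50u   /* central directory hdr  "PK\1\2" */
#define SIG_EOCD  0x06054b50u   /* end of central dir     "PK\5\6" */

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Walk the central directory of an in-memory ZIP (hypothetical helper).
 * Returns the number of entries whose central and local headers lie fully
 * inside buf, or -1 if any structure is missing, truncated or out of range. */
long zip_count_entries(const uint8_t *buf, size_t len)
{
    /* EOCD is a fixed 22 bytes and may be followed by a comment of up to
     * 65535 bytes, so search backwards from the end for its signature. */
    if (len < 22) return -1;
    size_t eocd = len - 22;
    size_t stop = len > 22 + 65535 ? len - 22 - 65535 : 0;
    for (;;) {
        if (rd32(buf + eocd) == SIG_EOCD) break;
        if (eocd == stop) return -1;
        eocd--;
    }
    uint32_t total   = rd16(buf + eocd + 10);
    uint32_t cd_size = rd32(buf + eocd + 12);
    uint32_t cd_off  = rd32(buf + eocd + 16);

    /* The directory must sit entirely before the EOCD. Compared by
     * subtraction so attacker-chosen 32-bit values cannot wrap the check. */
    if (cd_off > eocd || cd_size > eocd - cd_off) return -1;

    size_t pos = cd_off, end = cd_off + cd_size;
    long count = 0;
    for (uint32_t i = 0; i < total; i++) {
        if (end - pos < 46 || rd32(buf + pos) != SIG_CDIR) return -1;
        uint32_t fn = rd16(buf + pos + 28), ex = rd16(buf + pos + 30), cm = rd16(buf + pos + 32);
        uint32_t loc = rd32(buf + pos + 42);
        size_t rec = 46 + fn + ex + cm;
        if (rec > end - pos) return -1;
        /* The local header this entry points at must be in range too. */
        if (loc > cd_off || cd_off - loc < 30 || rd32(buf + loc) != SIG_LOCAL) return -1;
        pos += rec;
        count++;
    }
    return count;
}

/* Build a constructed one-entry archive: "a.txt" containing "hi", stored
 * uncompressed, CRC left zero because the walker above does not verify it.
 * Returns the archive length (110 bytes) or 0 if cap is too small. */
size_t make_sample_zip(uint8_t *out, size_t cap)
{
    static const char name[] = "a.txt", data[] = "hi";
    const uint32_t nlen = 5, dlen = 2;
    size_t need = 30 + nlen + dlen + 46 + nlen + 22;
    if (cap < need) return 0;
    memset(out, 0, need);
    uint8_t *p = out;                                    /* local file header */
    wr32(p, SIG_LOCAL); wr16(p + 4, 10);
    wr32(p + 18, dlen); wr32(p + 22, dlen); wr16(p + 26, nlen);
    memcpy(p + 30, name, nlen); memcpy(p + 30 + nlen, data, dlen);
    size_t cd_off = 30 + nlen + dlen;
    p = out + cd_off;                                    /* central dir header */
    wr32(p, SIG_CDIR); wr16(p + 4, 20); wr16(p + 6, 10);
    wr32(p + 20, dlen); wr32(p + 24, dlen); wr16(p + 28, nlen);
    wr32(p + 42, 0);                                     /* local header offset */
    memcpy(p + 46, name, nlen);
    size_t cd_size = 46 + nlen;
    p = out + cd_off + cd_size;                          /* EOCD */
    wr32(p, SIG_EOCD); wr16(p + 8, 1); wr16(p + 10, 1);
    wr32(p + 12, (uint32_t)cd_size); wr32(p + 16, (uint32_t)cd_off);
    return need;
}

/* Crafted variants: same archive with one EOCD field replaced. */
long count_with_cd_offset(uint32_t cd_off)
{
    uint8_t z[128]; size_t n = make_sample_zip(z, sizeof z);
    wr32(z + n - 22 + 16, cd_off);
    return zip_count_entries(z, n);
}
long count_with_total(uint32_t total)
{
    uint8_t z[128]; size_t n = make_sample_zip(z, sizeof z);
    wr16(z + n - 22 + 10, total);
    return zip_count_entries(z, n);
}

int main(void)
{
    uint8_t z[128]; size_t n = make_sample_zip(z, sizeof z);
    printf("intact archive: %ld entries\n", zip_count_entries(z, n));
    printf("cd offset past end: %ld\n", count_with_cd_offset(0xFFFFFF00u));
    printf("entry count too large: %ld\n", count_with_total(5));
    return 0;
}
```

The point of the subtraction-style comparisons is that `cd_off + cd_size <= eocd` is exactly the kind of check a 32-bit field from the file can wrap; `cd_off > eocd || cd_size > eocd - cd_off` cannot. A walker that trusts the entry count or the local-header offset without these checks ends up computing a pointer outside the mapped image, which is the failure class the ASan trace above reports.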

gdraheim commented 7 years ago

I have only referenced those with a patch in downstream Opensuse.

zzip_mem_entry_new() has been modified in 98403bb3c0661e56a2185777fd244ba3a67bc220 however.

The reference zip-file produces an error code like

00154-zziplib-nullptr-zzip_mem_entry_new: Invalid or incomplete multibyte or wide character

gdraheim commented 7 years ago

Not all occurrences are fixed => leaving this open.

./unzzip-big ~/Downloads/00154-zziplib-nullptr-zzip_mem_entry_new
Segmentation fault (core dumped)

gdraheim commented 6 years ago

Note that the original bug is fixed and covered by test_59807

But the same data makes for a bus error in test_59806

gdraheim commented 6 years ago

fixed test_59806

gdraheim commented 6 years ago

after reorganizing testcases it is now test_59802

checking back with v0.13.67 there is no problem to be seen.

gdraheim commented 6 years ago

checking back with v0.13.62 the testcase does show a bus error.

As the testcase is fine in the last versions, this issue may be regarded as => fixed