Mageia Bugzilla – Attachment 10751 Details for Bug 22570
zziplib new security issue CVE-2018-6381, CVE-2018-6484, CVE-2018-654[0-2], CVE-2018-6869, CVE-2018-772[5-7], CVE-2018-16548, CVE-2018-17828
report.22570 (text/plain), 7.42 KB, created by Len Lawrence on 2019-02-14 16:57:08 CET
Description: Shows results of POC tests for zziplib
Flags: patch, obsolete
*Before updates*

CVE-2018-6381
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
$ unzip-mem zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
Segmentation fault (core dumped)
--------------------------------
CVE-2018-6484
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip
Nothing happened with unzip-mem, so I tried zzdir.
$ zzdir zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip
did not open zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip: zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip: Illegal seek

That is good in the sense that it shows that the memory alignment has been detected.
--------------------------------
CVE-2018-6540
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst.zip
$ unzip-mem zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst.zip
Segmentation fault (core dumped)
--------------------------------
CVE-2018-6541
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip
$ unzzip zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip
Bus error (core dumped)
--------------------------------
CVE-2018-6542
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip
$ unzip-mem -p zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip


$
Without the -p you see:
No such file or directory
No such file or directory
--------------------------------
CVE-2018-6542
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip
$ zzdir zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip
Bus error (core dumped)
--------------------------------
CVE-2018-7725
https://github.com/fantasy7082/image_test/blob/master/003-unknow-def-zip
$ unzzip-mem 003-unknow-def-zip
bash: unzzip-mem: command not found
$ unzip-mem 003-unknow-def-zip
00000000000000000000000000000000000000000: Success
0000000000000000000000000: Success
0000000000000000000000000000000000000000000000000000: Success
We should ignore this result in view of the missing command. It may turn up after the update.
$ unzip -p 003-unknow-def-zip > dump
just produces a heap of binary data.
--------------------------------
CVE-2018-7726
https://github.com/fantasy7082/image_test/blob/master/c005-bus-zzip_parse_root_directory
$ zzdir c005-bus-zzip_parse_root_directory
did not open c005-bus-zzip_parse_root_directory: c005-bus-zzip_parse_root_directory: Illegal seek
--------------------------------
CVE-2018-7727
https://github.com/fantasy7082/image_test/blob/master/002-mem-leaks-zip
$ unzip-mem 002-mem-leaks-zip
000000000: Success
00000000000000000000: Success
0000000000000000000000000000: Success
[...]
0000000000: Success
000000000000000000: Success

This is meant to be tested with unzzip-mem, which we do not have, so ignore.
$ unzip-mem -p 002-mem-leaks-zip > zip.dump
generates a stream of binary data.
--------------------------------
CVE-2018-16548
https://github.com/gdraheim/zziplib/issues/58

#include <stdio.h>
#include <stdlib.h>
#include <zzip/zzip.h>

/* Proof of concept from the upstream issue: open the archive through the
   zziplib directory API, read the first entry and close the handle again.
   The program itself allocates nothing, so any block valgrind reports as
   still reachable or lost at exit was allocated inside zziplib. */
static const char usage[] = "zzip\n";

int main(int argc, char const *argv[])
{
    if (argc <= 1)
    {
        fputs(usage, stdout);   /* not printf(usage): never use argv-adjacent text as a format string */
        exit(0);
    }

    ZZIP_DIR* dir = zzip_dir_open(argv[1], 0);

    if (dir)
    {
        ZZIP_DIRENT dirent;
        if (zzip_dir_read(dir, &dirent))
        {
            /* d_csize = compressed size, st_size = uncompressed size, both int in ZZIP_DIRENT */
            printf("%s %i/%i\n", dirent.d_name, dirent.d_csize, dirent.st_size);
        }
        zzip_dir_close(dir);
    }
    return 0;
}

https://github.com/Kingkingyoung/fuzz_test/blob/poc/zzip-memory-leak
$ gcc -o zzip -lzzip zzip.c
$ valgrind ./zzip zzip-memory-leak
reports a memory leak of 76 bytes, which agrees with the upstream report.
--------------------------------
CVE-2018-17828
https://github.com/gdraheim/zziplib/issues/62
The POC file is meant to be run with unzzip-mem but... Maybe after updating.
$ unzip-mem -p evil.zip
I am evil.

*After updates*

CVE-2018-6381
$ unzip-mem zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
aUT: No such file or directory
Note - no segfault.
--------------------------------
CVE-2018-6484
$ zzdir zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip
did not open zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip: zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip: Invalid or incomplete multibyte or wide character

Similar to the previous result, with a change from "Illegal seek" to "Invalid ...".
--------------------------------
CVE-2018-6540
$ unzip-mem zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst.zip
aUT: No such file or directory
An improvement - no segfault.
--------------------------------
CVE-2018-6541
$ unzzip zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip
zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip: Zipfile corrupted
No bus error or core dump.
--------------------------------
CVE-2018-6542
$ unzip-mem zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip
DEBUG: zzip_mem_disk_open : unable to load disk zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst_64.zip
Looks better.
--------------------------------
CVE-2018-6542
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip
$ zzdir zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip
did not open zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip: zziplib_0-13-68_zzdir_uncontrolled-memory-allocation__zzip_parse_root_directory.zip: Invalid or incomplete multibyte or wide character
No bus error or core dump.
--------------------------------
CVE-2018-7725
$ unzzip-mem 003-unknow-def-zip
DEBUG: zzip_mem_entry_fopen : compressed size 808464572
DEBUG: zzip_mem_entry_fopen : compressed size 808464450
DEBUG: zzip_mem_entry_fopen : compressed size 808467425
Looks more controlled.
--------------------------------
CVE-2018-7726
$ zzdir c005-bus-zzip_parse_root_directory
did not open c005-bus-zzip_parse_root_directory: c005-bus-zzip_parse_root_directory: Invalid or incomplete multibyte or wide character
Better, probably.
--------------------------------
CVE-2018-7727
$ unzzip-mem 002-mem-leaks-zip
DEBUG: zzip_mem_entry_fopen : compressed size 808464432
DEBUG: zzip_mem_entry_fopen : compressed size 808464432
[...]
DEBUG: zzip_mem_entry_fopen : compressed size 808464432
Taking this as a good result.
--------------------------------
CVE-2018-16548
$ gcc -o zzip -lzzip zzip.c
$ valgrind ./zzip zzip-memory-leak
[...]
==12802== HEAP SUMMARY:
==12802==     in use at exit: 0 bytes in 0 blocks
==12802==   total heap usage: 2 allocs, 2 frees, 196 bytes allocated
==12802==
==12802== All heap blocks were freed -- no leaks are possible
Good result.
--------------------------------
CVE-2018-17828
$ unzzip-mem evil.zip
Removing "../" path component(s) in ../../test/evil.conf
DEBUG: zzip_mem_entry_fopen : compressed size 13
Good result.
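The before/after comparison in the report is done by eye from shell transcripts. The harness below is an added example, not part of Len Lawrence's report, of zziplib, or of Mageia's QA tooling: it runs each (tool, POC file) pair under a timeout and an address-space cap and classifies the outcome from the exit status, so the same list can be replayed once before and once after the package update and the two outputs diffed. The function names classify_status, run_poc and run_matrix, the 10 second timeout and the 512 MiB cap are choices made for this example; the CVE labels and filenames in the comment are copied from the report above, and the archive fed to the demonstration at the bottom is a constructed garbage file because the real POC files are not bundled here.

```shell
#!/bin/sh
# Added regression harness for the POC runs in the report above. Not part of
# the bug report, zziplib or Mageia QA tooling. Assumes POSIX sh, optionally
# coreutils "timeout", and whichever zziplib CLI tools are installed.

# Map a shell exit status to an outcome label. POSIX shells report a command
# killed by a signal as 128+signum, so the crashes in the report appear as
# 139 (SIGSEGV, "Segmentation fault") and, on Linux, 135 (SIGBUS, "Bus
# error"). 124 is GNU timeout's status for an expired timer, which is how an
# uncontrolled-allocation POC (zzip_parse_root_directory above) may present.
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -eq 124 ]; then
        echo "timeout"
    elif [ "$status" -gt 128 ]; then
        echo "crash:signal-$((status - 128))"
    else
        echo "error:exit-$status"
    fi
}

# Run one tool on one file and print the classified outcome. A tool that is
# not installed is reported as "skip" rather than as an error, which is the
# situation the report hit with unzzip-mem before the update. Core dumps are
# disabled and the address space capped at 512 MiB so a runaway allocation
# fails instead of taking the test box down.
run_poc() {
    tool=$1
    file=$2
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "skip:$tool-not-installed"
        return 0
    fi
    limiter=""
    if command -v timeout >/dev/null 2>&1; then
        limiter="timeout 10"
    fi
    status=0
    (
        ulimit -c 0 2>/dev/null || true
        ulimit -v 524288 2>/dev/null || true
        $limiter "$tool" "$file"
    ) >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Read "label tool file" triples from stdin and print one tab-separated
# result line per triple. Run before and after the update and diff.
run_matrix() {
    while read -r label tool file; do
        [ -n "$label" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$label" "$tool" "$file" "$(run_poc "$tool" "$file")"
    done
}

# Matrix for this bug, taken from the report (download the POC files into the
# current directory first). Kept as a comment because the files are not
# bundled with this example:
#   CVE-2018-6381  unzip-mem  zziplib_0-13-67_unzip-mem_buffer-access-with-incorrect-length-value_zzip_disk_fread.zip
#   CVE-2018-6484  zzdir      zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip
#   CVE-2018-6540  unzip-mem  zziplib_0-13-67_unzip-mem_memory-alignment-errors_zzip_disk_findfirst.zip
#   CVE-2018-6541  unzzip     zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip
#   CVE-2018-7726  zzdir      c005-bus-zzip_parse_root_directory
#   CVE-2018-17828 unzzip-mem evil.zip

# Demonstration on a constructed input: a file that begins with the ZIP local
# file header signature "PK\3\4" but is otherwise garbage. Whatever zziplib
# tools are installed get exercised; missing ones are reported as skip.
workdir=$(mktemp -d)
printf 'PK\003\004 this is not a real zip archive' > "$workdir/garbage.zip"
run_matrix <<EOF
constructed unzip-mem $workdir/garbage.zip
constructed zzdir $workdir/garbage.zip
constructed unzzip $workdir/garbage.zip
EOF
rm -rf "$workdir"
```

Redirect the output of run_matrix to a file before the update and again after it; any line whose last column moves from crash:signal-11 or crash:signal-7 to ok, error or timeout matches the "no segfault" and "no bus error" observations in the report, and a line that stays at crash means the fix did not take. A timeout or an address-space failure on the zzip_parse_root_directory POC is the outcome to expect from an uncontrolled allocation rather than a crash, which is why the cap is set inside the subshell rather than left at the shell's default.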