| Summary: | unzip new security issues CVE-2014-8139, CVE-2014-8140, and CVE-2014-8141 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, olchal, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/628100/ | ||
| Whiteboard: | advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | unzip-6.0-7.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-12-22 19:29:53 CET
CVE request for a similar issue to CVE-2014-8140: http://openwall.com/lists/oss-security/2014/12/22/12

So I'll add his patch when we get a CVE.

PoC for one of them here, the new one I think..
http://seclists.org/oss-sec/2014/q4/489

Extract http://lcamtuf.coredump.cx/afl.tgz then..

$ unzip -qt afl-1.01b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x0000000000c88040 ***
error: zipfile probably corrupt (segmentation violation)

Testing on Mageia 4x32 real hardware, using PoC provided by Claire in Comment 2

From current package:
--------------------
$ rpm -q unzip
unzip-6.0-7.mga4
$ unzip -v
UnZip 6.00 of 20 April 2009, by Info-ZIP. Maintained by C. Spieler. Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.8.2 for Unix (Linux ELF) on Oct 18 2013.
$ unzip -qt afl-1.01b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
*** Error in `unzip': double free or corruption (!prev): 0x08df4928 ***
*** Error in `unzip': malloc(): memory corruption: 0x08df49b0 ***

To updated testing package:
--------------------------
$ rpm -q unzip
unzip-6.0-7.1.mga4
$ unzip -v
UnZip 6.00 of 20 April 2009, by Info-ZIP. Maintained by C. Spieler. Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.8.2 for Unix (Linux ELF) on Dec 22 2014.
$ unzip -qt afl-1.01b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
*** Error in `unzip': double free or corruption (!prev): 0x083a6928 ***
*** Error in `unzip': malloc(): memory corruption: 0x083a69b0 ***

Updated testing package does not resolve the bug here.

CC: (none) => olchal

MGA4-64 on HP Probook 6555b KDE
Confirm problem still exists:
$ unzip -qt afl-1.04b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x0000000001325080 ***
error: zipfile probably corrupt (segmentation violation)
Note: I downloaded the test file again, apparently it has been changed, check first folder name.

CC: (none) => herman.viaene

I guess PoC's aren't available for the CVEs. I've added mancha's patch to fix the issue from the afl zip file. I'll update the advisory again if MITRE ever gets around to assigning a CVE.

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification (CVE-2014-8139), the test_compr_eb() (CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The input errors may result in arbitrary code execution. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the vulnerability.

OOB access (both read and write) issues also exist in test_compr_eb() that can result in application crash or other unspecified impact. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
http://www.ocert.org/advisories/ocert-2014-011.html
https://bugzilla.redhat.com/show_bug.cgi?id=1174844
https://bugzilla.redhat.com/show_bug.cgi?id=1174851
https://bugzilla.redhat.com/show_bug.cgi?id=1174856
http://openwall.com/lists/oss-security/2014/12/22/12
========================

Updated packages in core/updates_testing:
========================
unzip-6.0-7.2.mga4

from unzip-6.0-7.2.mga4.src.rpm

New version on MGA4-64 on HP Probook 6555b with the same test file
unzip -qt afl-1.04b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
foo/ invalid compressed data for EAs
At least one error was detected in afl-1.04b/docs/vuln_samples/unzip-t-mem-corruption.zip.
Is that an OK result?

(In reply to Herman Viaene from comment #6)
> Is that an OK result?

Yes, it should report an error and not segfault.
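A small QA helper written for this page (not code from the Mageia bug or from Info-ZIP) that automates the pass criterion stated above: after the fix, `unzip -t` on a corrupt archive must exit with an ordinary error status, not die under a signal. It assumes `unzip` is on PATH and takes sample archive paths on the command line; the exit-code thresholds are standard POSIX shell behaviour (128+signal), not values from the page.

```shell
#!/bin/sh
# Added example: classify the outcome of "unzip -t" the way the QA
# comments above do, separating a clean "at least one error was
# detected" exit from a crash under a signal (what the pre-fix
# package did with the afl sample archive).

# classify_status EXIT_CODE -> prints ok | error | crash
# A command killed by signal N is reported by the shell as 128+N:
# SIGSEGV (11) gives 139, SIGABRT (6) gives 134, which is what the
# glibc "double free or corruption" abort shown above produces.
classify_status() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo ok
    elif [ "$code" -ge 128 ]; then
        echo crash
    else
        echo error
    fi
}

# check_zip FILE -> prints the classification of "unzip -qt FILE".
# Assumes unzip is on PATH; -q and -t are the flags used on the page.
# The command runs inside "if" so a non-zero status does not trip set -e.
check_zip() {
    if unzip -qt "$1" >/dev/null 2>&1; then
        code=0
    else
        code=$?
    fi
    classify_status "$code"
}

# check_samples FILE... -> prints one line per archive, returns 1 if
# any sample crashed. "error" is the expected result for a corrupt
# archive after the fix; "crash" is the pre-fix behaviour.
check_samples() {
    rc=0
    for f in "$@"; do
        result=$(check_zip "$f")
        printf '%s: %s\n' "$f" "$result"
        [ "$result" = crash ] && rc=1
    done
    return $rc
}
```

Usage: `check_samples afl-*/docs/vuln_samples/unzip-t-mem-corruption.zip` from a QA script; a non-zero return means at least one sample still crashes unzip.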
Herman Viaene
2014-12-29 10:32:35 CET
Whiteboard: (none) => MGA4-64-OK

MGA4-32 on Acer D620 Xfce.
No installation problem.
Downloaded test file (new version again)
At CLI:
[xxxx@yyyy Downloads]$ unzip -qt afl-1.06b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
foo/ invalid compressed data for EAs
At least one error was detected in afl-1.06b/docs/vuln_samples/unzip-t-mem-corruption.zip.

Whiteboard: MGA4-64-OK => MGA4-64-OK MGA-32-OK

In VirtualBox, M4, KDE, 32-bit
Package(s) under test:
unzip
default install of unzip
[root@localhost wilcal]# urpmi unzip
Package unzip-6.0-7.mga4.i586 is already installed
[wilcal@localhost unzip_test]$ unzip -qt unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
*** Error in `unzip': double free or corruption (!prev): 0x097a68f0 ***
*** Error in `unzip': malloc(): memory corruption: 0x097a6978 ***
install unzip from updates_testing
[root@localhost wilcal]# urpmi unzip
Package unzip-6.0-7.2.mga4.i586 is already installed
[wilcal@localhost unzip_test]$ unzip -qt unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT),
continuing with "central" filename version
foo/ invalid compressed data for EAs
At least one error was detected in unzip-t-mem-corruption.zip.
No segfault error reported
Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
William Kenney
2014-12-29 16:02:07 CET
Whiteboard: MGA4-64-OK MGA-32-OK => MGA4-64-OK MGA4-32-OK

Validating. Advisory uploaded. Please push to updates
Thanks

Keywords: (none) => validated_update

Debian has issued an advisory for this on December 28:
https://www.debian.org/security/2014/dsa-3113

URL: (none) => http://lwn.net/Vulnerabilities/628100/

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0562.html

Status: NEW => RESOLVED

The OOB access in test_compr_eb has been assigned CVE-2014-9636:
http://openwall.com/lists/oss-security/2015/01/22/5

If someone could revise the advisory in SVN:

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification (CVE-2014-8139), the test_compr_eb() (CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The input errors may result in arbitrary code execution. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the vulnerability.

OOB access (both read and write) issues also exist in test_compr_eb() that can result in application crash or other unspecified impact. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the issues (CVE-2014-9636).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9636
http://www.ocert.org/advisories/ocert-2014-011.html
https://bugzilla.redhat.com/show_bug.cgi?id=1174844
https://bugzilla.redhat.com/show_bug.cgi?id=1174851
https://bugzilla.redhat.com/show_bug.cgi?id=1174856
http://openwall.com/lists/oss-security/2015/01/22/5

Fedora has issued an advisory for CVE-2014-9636 on January 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148792.html
from http://lwn.net/Vulnerabilities/631118/