| Summary: | unzip new heap overflow and denial of service security issues (CVE-2015-7696, CVE-2015-7697) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/658202/ | ||
| Whiteboard: | has_procedure advisory mga5-32-ok MGA5-64-OK | ||
| Source RPM: | unzip-6.0-13.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-09-23 20:08:45 CEST
Testing MGA5 x64.

Some references for followers. THE one that matters is:
http://seclists.org/oss-sec/2015/q3/512
which contains link to two test files & the unzip instructions for them:
1) http://seclists.org/oss-sec/2015/q3/att-512/sigsegv_zip.bin [download as sigsegv.zip]
$ unzip -p -P x sigsegv.zip
2) http://seclists.org/oss-sec/2015/q3/att-512/sigxcpu_zip.bin [download as sigxcpu.zip]
$ unzip sigxcpu.zip

BEFORE the update: unzip-6.0-13.mga5
1) Output ends with
" continuing with "compressed" size value
error: zipfile probably corrupt (segmentation violation)
Segmentation fault"
2)

CC: (none) => lewyssmith

2) continued...
$ unzip sigxcpu.zip
Archive: sigxcpu.zip
caution: zipfile comment truncated
warning [sigxcpu.zip]: 26 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [sigxcpu.zip]: reported length of central directory is
-26 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
skipping: 8öHá `bzip2' method not supported
Â: ucsize 2 <> csize 0 for STORED entry
continuing with "compressed" size value
extracting: Â bad CRC 00000000 (should be 00000003)
file #2: bad zipfile offset (local header sig): 83
inflating: oO~MD
error: invalid compressed data to inflate
JÃ¥Â: ucsize 3 <> csize 4 for STORED entry
continuing with "compressed" size value
extracting: Jå bad CRC 6193e2f2 (should be 00000004)
AFTER the update: unzip-6.0-13.1.mga5
1) $ unzip -p -P x sigsegv.zip
Output ends with
" continuing with "compressed" size value
skipping: ^»Â.Là hp unable to get password
file #5: bad zipfile offset (EOF): 203
file #6: bad zipfile offset (EOF): 251
note: didn't find end-of-central-dir signature at end of central dir.
(please check that you have transferred or created the zipfile in the
appropriate BINARY mode and that you have compiled UnZip properly)"
so the segmentation fault is cured. OK.
2) $ unzip sigxcpu.zip
Archive: sigxcpu.zip
caution: zipfile comment truncated
warning [sigxcpu.zip]: 26 extra bytes at beginning or within zipfile
(attempting to process anyway)
error [sigxcpu.zip]: reported length of central directory is
-26 bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
zipfile?). Compensating...
skipping: 8öHá `bzip2' method not supported
Â: ucsize 2 <> csize 0 for STORED entry
continuing with "compressed" size value
replace Â? [y]es, [n]o, [A]ll, [N]one, [r]ename:
file #2: bad zipfile offset (local header sig): 83
replace oO~MD? [y]es, [n]o, [A]ll, [N]one, [r]ename: n
JÃ¥Â: ucsize 3 <> csize 4 for STORED entry
continuing with "compressed" size value
replace Jå� [y]es, [n]o, [A]ll, [N]one, [r]ename: n
[ends]
Output identical to pre-update as far as:
"continuing with "compressed" size value"
then differs, so something has changed; believe as OK.

Whiteboard: (none) => MGA5-64-OK

Testing mga5 32

The 'replace ? [y]es, [n]o,' etc seems to show if the file already exists, guessing you didn't delete the unzipped garbage data before the 2nd attempt. I didn't either.

Tried again after deleting it though and the output for that one appears identical before and after updating.

No noticeable DoS on 10yr old laptop before or after.

Adding the OK but unable to reproduce the infinite loop with bzip2, possibly due to..
skipping: 8öHá `bzip2' method not supported

Whiteboard: MGA5-64-OK => has_procedure mga5-32-ok MGA5-64-OK

Validating. Advisory uploaded (No CVE's for this one yet)
Please push to 5 updates
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0384.html

Status: NEW => RESOLVED

CVE-2015-7696 and CVE-2015-7697 have been assigned for this:
http://openwall.com/lists/oss-security/2015/10/11/5

Summary: unzip new heap overflow and denial of service security issues => unzip new heap overflow and denial of service security issues (CVE-2015-7696, CVE-2015-7697) |
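
The test procedure from this report as a repeatable script. This is an added example, not part of the bug report or of Mageia's QA tooling. It runs the two quoted commands under a time limit in an empty scratch directory with stdin closed, so a crash, a hang and a leftover-file "replace?" prompt cannot be confused. UNZIP_BIN, TIME_LIMIT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: regression harness for the two unzip test cases in this report.
# UNZIP_BIN and TIME_LIMIT are assumed names, not Mageia settings.
UNZIP_BIN=${UNZIP_BIN:-unzip}
TIME_LIMIT=${TIME_LIMIT:-20}   # seconds before a run is counted as a hang

# Map a shell exit status to a verdict. 124 is what timeout(1) returns when
# the limit expires; a status above 128 means "killed by signal (status-128)".
classify_status() {
    case "$1" in
        124) echo "HANG" ;;
        139) echo "CRASH-SIGSEGV" ;;   # 128 + 11
        152) echo "CRASH-SIGXCPU" ;;   # 128 + 24 on Linux
        *)  if [ "$1" -gt 128 ]; then echo "CRASH-SIGNAL-$(( $1 - 128 ))"
            else echo "NO-CRASH"; fi ;;
    esac
}

# Run one command in a fresh scratch directory with stdin closed, so files
# left over from an earlier run cannot trigger unzip's "replace?" prompt.
# A non-zero unzip exit on a corrupt archive still counts as NO-CRASH.
run_case() {
    scratch=$(mktemp -d) || return 1
    status=0
    ( cd "$scratch" && timeout "$TIME_LIMIT" "$@" </dev/null >/dev/null 2>&1 ) \
        || status=$?
    rm -rf "$scratch"
    classify_status "$status"
}

# Main: runs only when both sample archives, saved under the names used in
# the report, are present in the current directory.
if [ -f sigsegv.zip ] && [ -f sigxcpu.zip ]; then
    here=$(pwd)
    echo "sigsegv.zip: $(run_case "$UNZIP_BIN" -p -P x "$here/sigsegv.zip")"
    echo "sigxcpu.zip: $(run_case "$UNZIP_BIN" "$here/sigxcpu.zip")"
fi
```

Run it once with the old package installed and once with the update; a fixed build should report NO-CRASH for both archives.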