An advisory has been issued today (December 22):
http://www.ocert.org/advisories/ocert-2014-011.html

Patches are available in the RedHat bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1174844
https://bugzilla.redhat.com/show_bug.cgi?id=1174851
https://bugzilla.redhat.com/show_bug.cgi?id=1174856

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification (CVE-2014-8139), the test_compr_eb() (CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The input errors may result in arbitrary code execution. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the vulnerability.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
http://www.ocert.org/advisories/ocert-2014-011.html
https://bugzilla.redhat.com/show_bug.cgi?id=1174844
https://bugzilla.redhat.com/show_bug.cgi?id=1174851
https://bugzilla.redhat.com/show_bug.cgi?id=1174856
========================

Updated packages in core/updates_testing:
========================
unzip-6.0-7.1.mga4

from unzip-6.0-7.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
CVE request for a similar issue to CVE-2014-8140: http://openwall.com/lists/oss-security/2014/12/22/12 So I'll add his patch when we get a CVE.
PoC for one of them here, the new one I think...
http://seclists.org/oss-sec/2014/q4/489

Extract http://lcamtuf.coredump.cx/afl.tgz then...

$ unzip -qt afl-1.01b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x0000000000c88040 ***
error: zipfile probably corrupt (segmentation violation)
Testing on Mageia 4x32 real hardware, using PoC provided by Claire in Comment 2

From current package:
--------------------
$ rpm -q unzip
unzip-6.0-7.mga4
$ unzip -v
UnZip 6.00 of 20 April 2009, by Info-ZIP. Maintained by C. Spieler. Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.8.2 for Unix (Linux ELF) on Oct 18 2013.
$ unzip -qt afl-1.01b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
*** Error in `unzip': double free or corruption (!prev): 0x08df4928 ***
*** Error in `unzip': malloc(): memory corruption: 0x08df49b0 ***

To updated testing package:
--------------------------
$ rpm -q unzip
unzip-6.0-7.1.mga4
$ unzip -v
UnZip 6.00 of 20 April 2009, by Info-ZIP. Maintained by C. Spieler. Send
bug reports using http://www.info-zip.org/zip-bug.html; see README for details.

Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;
see ftp://ftp.info-zip.org/pub/infozip/UnZip.html for other sites.

Compiled with gcc 4.8.2 for Unix (Linux ELF) on Dec 22 2014.
$ unzip -qt afl-1.01b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
*** Error in `unzip': double free or corruption (!prev): 0x083a6928 ***
*** Error in `unzip': malloc(): memory corruption: 0x083a69b0 ***

Updated testing package does not resolve the bug here.
CC: (none) => olchal
MGA4-64 on HP Probook 6555b KDE

Confirm problem still exists:

$ unzip -qt afl-1.04b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
*** Error in `unzip': free(): corrupted unsorted chunks: 0x0000000001325080 ***
error: zipfile probably corrupt (segmentation violation)

Note: I downloaded the test file again, apparently it has been changed, check first folder name.
CC: (none) => herman.viaene
I guess PoC's aren't available for the CVEs. I've added mancha's patch to fix the issue from the afl zip file. I'll update the advisory again if MITRE ever gets around to assigning a CVE.

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification (CVE-2014-8139), the test_compr_eb() (CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The input errors may result in arbitrary code execution. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the vulnerability.

OOB access (both read and write) issues also exist in test_compr_eb() that can result in application crash or other unspecified impact. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
http://www.ocert.org/advisories/ocert-2014-011.html
https://bugzilla.redhat.com/show_bug.cgi?id=1174844
https://bugzilla.redhat.com/show_bug.cgi?id=1174851
https://bugzilla.redhat.com/show_bug.cgi?id=1174856
http://openwall.com/lists/oss-security/2014/12/22/12
========================

Updated packages in core/updates_testing:
========================
unzip-6.0-7.2.mga4

from unzip-6.0-7.2.mga4.src.rpm
New version on MGA4-64 on HP Probook 6555b with the same test file:

unzip -qt afl-1.04b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
foo/ invalid compressed data for EAs
At least one error was detected in afl-1.04b/docs/vuln_samples/unzip-t-mem-corruption.zip.

Is that an OK result?
(In reply to Herman Viaene from comment #6)
> Is that an OK result?

Yes, it should report an error and not segfault.
Whiteboard: (none) => MGA4-64-OK
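A small shell helper, added here and not part of the bug thread, that turns the acceptance criterion from the comment above ("report an error and not segfault") into a check a tester can run against a downloaded test archive. The function names are my own and the archive path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added QA helper (not from the bug thread): classify how a command ended.
# A process killed by a signal exits with status 128+signal number, so a
# segfault (SIGSEGV = 11) shows up as 139; unzip's own error statuses are
# small (1-3 for warnings/errors, 9 when the archive is missing).
# Prints exactly one word: clean, error, or crash.
classify_run() {
    # Running the command inside "if" keeps a failure from tripping "set -e";
    # the output is discarded because only the exit status matters here.
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ]; then
        echo clean
    elif [ "$status" -gt 128 ]; then
        echo crash
    else
        echo error
    fi
    return 0
}

# The verdict the thread applies: an ordinary error (or a clean pass) is
# acceptable for a corrupt test archive; dying by signal is not.
verdict() {
    case "$(classify_run "$@")" in
        crash) echo FAIL ;;
        *)     echo ok ;;
    esac
    return 0
}

# Manual use against a downloaded test archive (path is a placeholder):
#   verdict unzip -qt path/to/unzip-t-mem-corruption.zip
```

A patched unzip should yield "ok" (exit status 1-3 with the "invalid compressed data for EAs" message), while the unpatched builds quoted in the thread yield "FAIL" because the process is killed by SIGSEGV or SIGABRT.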
MGA4-32 on Acer D620 Xfce.

No installation problem.

Downloaded test file (new version again). At CLI:

[xxxx@yyyy Downloads]$ unzip -qt afl-1.06b/docs/vuln_samples/unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
foo/ invalid compressed data for EAs
At least one error was detected in afl-1.06b/docs/vuln_samples/unzip-t-mem-corruption.zip.
Whiteboard: MGA4-64-OK => MGA4-64-OK MGA-32-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: unzip

default install of unzip

[root@localhost wilcal]# urpmi unzip
Package unzip-6.0-7.mga4.i586 is already installed

[wilcal@localhost unzip_test]$ unzip -qt unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
*** Error in `unzip': double free or corruption (!prev): 0x097a68f0 ***
*** Error in `unzip': malloc(): memory corruption: 0x097a6978 ***

install unzip from updates_testing

[root@localhost wilcal]# urpmi unzip
Package unzip-6.0-7.2.mga4.i586 is already installed

[wilcal@localhost unzip_test]$ unzip -qt unzip-t-mem-corruption.zip
foo/: mismatching "local" filename (???/UT), continuing with "central" filename version
foo/ invalid compressed data for EAs
At least one error was detected in unzip-t-mem-corruption.zip.

No segfault error reported.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA4-64-OK MGA-32-OK => MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
Debian has issued an advisory for this on December 28:
https://www.debian.org/security/2014/dsa-3113
URL: (none) => http://lwn.net/Vulnerabilities/628100/
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0562.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
The OOB access in test_compr_eb has been assigned CVE-2014-9636:
http://openwall.com/lists/oss-security/2015/01/22/5

If someone could revise the advisory in SVN:

Advisory:
========================

Updated unzip package fixes security vulnerabilities:

The unzip command line tool is affected by heap-based buffer overflows within the CRC32 verification (CVE-2014-8139), the test_compr_eb() (CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The input errors may result in arbitrary code execution. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the vulnerability.

OOB access (both read and write) issues also exist in test_compr_eb() that can result in application crash or other unspecified impact. A specially crafted zip file, passed to the command unzip -t, can be used to trigger the issues (CVE-2014-9636).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9636
http://www.ocert.org/advisories/ocert-2014-011.html
https://bugzilla.redhat.com/show_bug.cgi?id=1174844
https://bugzilla.redhat.com/show_bug.cgi?id=1174851
https://bugzilla.redhat.com/show_bug.cgi?id=1174856
http://openwall.com/lists/oss-security/2015/01/22/5
Fedora has issued an advisory for CVE-2014-9636 on January 27:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/148792.html

from http://lwn.net/Vulnerabilities/631118/