Bug 33169 - zziplib new security issue CVE-2020-18770
Summary: zziplib new security issue CVE-2020-18770
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-05-02 11:22 CEST by Nicolas Salguero
Modified: 2024-05-09 04:41 CEST (History)
3 users (show)

See Also:
Source RPM: zziplib-0.13.72-2.mga9.src.rpm
CVE: CVE-2020-18770
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2024-05-02 11:22:04 CEST 
RedHat has issued an advisory on April 30:
https://lwn.net/Articles/971664/

The fix is: https://github.com/gdraheim/zziplib/commit/803f49aaae16b7f2899e4769afdfc673a21fa9e8

Mageia 9 is also affected.
Nicolas Salguero 2024-05-02 11:22:58 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 0.13.73 and patch available from upstream
Source RPM: (none) => zziplib-0.13.72-2.mga9.src.rpm
CVE: (none) => CVE-2020-18770

Comment 1 Nicolas Salguero 2024-05-02 15:43:01 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. (CVE-2020-18770)

References:
https://lwn.net/Articles/971664/
========================

Updated packages in core/updates_testing:
========================
lib(64)zziplib13-0.13.72-2.1.mga9
lib(64)zziplib-devel-0.13.72-2.1.mga9
zziplib-utils-0.13.72-2.1.mga9

from SRPM:
zziplib-0.13.72-2.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 0.13.73 and patch available from upstream => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9

katnatek 2024-05-02 19:35:41 CEST

Keywords: (none) => advisory

Comment 2 Len Lawrence 2024-05-05 19:11:14 CEST 
Mageia9, x64

CVE-2020-18770
https://github.com/gdraheim/zziplib/issues/69
Ran the PoC test before updating and noted that the vulnerability had been taken care of already.
$ unzzip-mem zip_poc.zip
DEBUG: zzip_disk_entry_to_file_header : file header: offset out of bounds (0xe4c2f0)
DEBUG: zzip_mem_entry_new : no header in entry
DEBUG: zzip_mem_disk_load : unable to load entry
DEBUG: zzip_mem_disk_open : unable to load disk zip_poc.zip

Update via qarepo and drakrpm-update.

The PoC test returned the same log messages as before.

Tried out unzzip-mem on a regular file:
$ unzzip-mem racc-master.zip
$ tree racc-master
racc-master
├── bin
│   └── racc
├── ChangeLog
[...]

unzzip does the same thing apparently:
$ unzzip ruby-deep-dive.zip
$ tree ruby-deep-dive-v7
ruby-deep-dive-v7
├── book
│   ├── examples
[...]

$ urpmq --whatrequires-recursive lib64zziplib13 | sort -u
asymptote
asymptote-gui
atril-dvi
auto-multiple-choice
cmsuper
connecthys
dblatex
diskimage-builder
<lots of things>

Tried a couple of operations in the asymptote gui under strace but could not find any sign of access to zziplib.  It probably requires a real session to expose it.

This will have to do.  Giving it the OK.

CC: (none) => tarazed25

Len Lawrence 2024-05-05 19:11:34 CEST

Whiteboard: (none) => MGA9-64-OK

Comment 3 katnatek 2024-05-06 01:05:06 CEST 
RH mageia 9 x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing lib64zziplib13-0.13.72-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64zziplib13        ##################################################################################################
      1/1: removing lib64zziplib13-0.13.72-2.mga9.x86_64
                                 ##################################################################################################
 
This indicates that the current version of the package already was in my system (AFAIK I not install by myself)

Installl zziplib-utils

LC_ALL=C urpmi zziplib-utils


installing zziplib-utils-0.13.72-2.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: zziplib-utils         ##################################################################################################


unzip a .zip file with unzzip all the content in zip file is restored as expected
katnatek 2024-05-06 01:05:25 CEST

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-05-06 02:43:17 CEST 
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-05-09 04:41:55 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0167.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.