
Bus error in __zzip_fetch_disk_trailer (src/zzip/zip.c) [CVE-2018-6484] #14

Closed
ProbeFuzzer opened this issue Feb 1, 2018 · 6 comments
Closed

Comments

@ProbeFuzzer

On the latest version (0.13.67) and the master branch of zziplib:
there is a bus error caused by a load from a misaligned address in the __zzip_fetch_disk_trailer function of src/zzip/zip.c, which can be triggered by the POC below.

The issue happens since the struct zzip_disk_trailer "orig" (line 318) could be manipulated by a crafted zip file, resulting in a misaligned memory access and bus error. Note that the issue is in libzip and may affect downstream programs. The POC is as small as 100 bytes.

312                     struct zzip_disk_trailer *orig =
313                         (struct zzip_disk_trailer *) tail;
...
318                     trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);

To reproduce the issue, run: ./zzdir $POC
The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_zzdir_memory-alignment-errors___zzip_fetch_disk_trailer.zip

master/src/zzip/zip.c:315:43: runtime error: load of misaligned address 0x7f079d64a027 for type 'uint16_t', which requires 2 byte alignment
0x7f079d64a027: note: pointer points here
00 00 00 20 01 40 00 70 47 50 50 50 51 55 50 50 50 50 50 50 00 00 00 00 00 00 00 00 00 00 00 00
^
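The sanitizer report above flags the cast of the raw `tail` pointer to `struct zzip_disk_trailer *` followed by reads of its `uint16_t` fields. As an added example (not zziplib's own code), the following decodes the same end-of-central-directory fields with byte-wise little-endian reads, so the record may sit at any offset; the function and field names and the sample image are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EOCD_SIG  0x06054b50u   /* "PK\5\6", end-of-central-directory signature */
#define EOCD_SIZE 22            /* fixed part of the record; a comment may follow */

/* Byte-wise little-endian reads are legal at any address and on any host
 * endianness; dereferencing uint16_t/uint32_t fields through a struct cast of
 * an arbitrary byte pointer (the pattern the sanitizer flagged) is not. */
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

struct eocd { uint16_t entries; uint32_t rootsize, rootseek; };

/* Search backwards from the end of the file image for the trailer and decode
 * it. Returns 0 on success, -1 if no consistent record is found. */
int fetch_disk_trailer(const unsigned char *buf, size_t len, struct eocd *out)
{
    if (len < EOCD_SIZE) return -1;
    for (size_t pos = len - EOCD_SIZE + 1; pos-- > 0;) {
        const unsigned char *tail = buf + pos;
        if (le32(tail) != EOCD_SIG) continue;
        if (pos + EOCD_SIZE + le16(tail + 20) > len) continue; /* comment overruns file */
        out->entries  = le16(tail + 10);
        out->rootsize = le32(tail + 12);
        out->rootseek = le32(tail + 16);
        /* the central directory must lie entirely before its own trailer */
        if (out->rootseek > pos || out->rootsize > pos - out->rootseek) return -1;
        return 0;
    }
    return -1;
}

/* Constructed sample, not a real archive: one filler byte so the trailer lands
 * on an odd address, 40 placeholder central-directory bytes, then the EOCD. */
static size_t build_sample(unsigned char *buf)
{
    static const unsigned char eocd[EOCD_SIZE] = {
        0x50, 0x4b, 0x05, 0x06, 0, 0, 0, 0, 1, 0, 1, 0, /* sig, disk numbers, 1 entry */
        40, 0, 0, 0, 1, 0, 0, 0, 0, 0 };               /* rootsize 40, rootseek 1, no comment */
    memset(buf, 0, 41); buf[0] = 'X';
    memcpy(buf + 41, eocd, EOCD_SIZE);
    return 41 + EOCD_SIZE;
}

/* Parse the sample, optionally truncated to `len` bytes (0 = whole image).
 * Returns the decoded rootseek, or -1 if the trailer is rejected. */
long parse_sample(size_t len)
{
    unsigned char buf[64];
    struct eocd t;
    size_t n = build_sample(buf);
    if (len && len < n) n = len;
    return fetch_disk_trailer(buf, n, &t) == 0 ? (long)t.rootseek : -1;
}
```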

@abergmann

CVE-2018-6484 was assigned to this issue.
https://nvd.nist.gov/vuln/detail/CVE-2018-6484

@abergmann

The POC download link is not working.

@ProbeFuzzer
Author

@abergmann Thanks, the poc link should work now.

gdraheim added a commit that referenced this issue Feb 4, 2018
@gdraheim
Owner

gdraheim commented Feb 5, 2018

using "unzzip -l" should be comparable but test_64844 does not reproduce the problem

@gdraheim
Owner

gdraheim commented Feb 5, 2018

checking the download-sizes, and adding an explicit zzdir-testcase, which however only has an encoding-problem ("Invalid or incomplete multibyte")

make test_64848

Maybe a misalignment is dependent on the processor? Here it is a Core i7-3630QM

@gdraheim
Owner

gdraheim commented Feb 5, 2018

checking back with v0.13.67 where the testcase actually shows a bus error.

As the testcase on the master is fine now, this may be assumed as => fixed

@gdraheim gdraheim closed this as completed Feb 5, 2018
@gdraheim gdraheim added this to the v0.13.68 next release milestone Feb 5, 2018
flokli added a commit to flokli/nixpkgs that referenced this issue Feb 23, 2018
Bump zziplib to 0.13.68 to fix multiple CVE issues:

 - CVE-2018-6381
 (gdraheim/zziplib@a803559)
 - CVE-2018-6484
 (gdraheim/zziplib#14 (comment))
 - CVE-2018-6540
 (gdraheim/zziplib@72ec933)
 - CVE-2018-6541
 (gdraheim/zziplib#16 (comment))
 - CVE-2018-6542
 (gdraheim/zziplib@931f962)

Unfortunately, getting only those patches is hard, as they're not well
referenced to linked issues. The testsuite checking for vulns
requires network access (so we can't easily test it here).

gdraheim/zziplib#20 might still be an issue,
so keeping this as a TODO here.
flokli added a commit to flokli/nixpkgs that referenced this issue Feb 23, 2018
Bump zziplib to 0.13.68 to fix multiple CVE issues:

 - CVE-2018-6381
 (gdraheim/zziplib@a803559)
 - CVE-2018-6484
 (gdraheim/zziplib#14 (comment))
 - CVE-2018-6540
 (gdraheim/zziplib@72ec933)
 - CVE-2018-6541
 (gdraheim/zziplib#16 (comment))
 - CVE-2018-6542
 (gdraheim/zziplib@931f962)

Unfortunately, getting only those patches is hard, as they're not well
referenced to linked issues. The testsuite checking for vulns
requires network access (so we can't easily test it here).

gdraheim/zziplib#20 might still be an issue,
so keeping this as a TODO here.

(cherry picked from commit 9f6a942)
@gdraheim gdraheim changed the title Bus error in __zzip_fetch_disk_trailer (src/zzip/zip.c) Bus error in __zzip_fetch_disk_trailer (src/zzip/zip.c) [CVE-2018-6484] Mar 28, 2018