
Bus error when handling disk64_trailer in __zzip_fetch_disk_trailer (src/zzip/zip.c) [CVE-2018-6541] #16

Closed
ProbeFuzzer opened this issue Feb 1, 2018 · 5 comments

Comments

@ProbeFuzzer

On latest version (0.13.67) and master branch of zziplib:
there is a bus error caused by a load from a misaligned address when handling disk64_trailer local entries in the __zzip_fetch_disk_trailer function of src/zzip/zip.c, which could be triggered by the POC below.

The issue happens since the struct zzip_disk_trailer "orig" (line 336) could be manipulated by a crafted zip file, resulting in a misaligned memory access and bus error. Note that the issue is in libzip and may affect downstream programs. This issue is different from CVE-2018-6484, and arises when invoking a different function.

336                         zzip_disk64_trailer_localentries(orig);
337                     trailer->zz_finalentries =
338                         zzip_disk64_trailer_finalentries(orig);

To reproduce the issue, run: ./unzzip -p $POC
https://github.com/ProbeFuzzer/poc/blob/master/zziplib/zziplib_0-13-67_unzzip_memory-aligment-errors___zzip_fetch_disk_trailer.zip

master/src/zzip/zip.c:336:25: runtime error: load of misaligned address 0x7f1d4f853036 for type 'uint64_t', which requires 8 byte alignment
0x7f1d4f853036: note: pointer points here
03 dd e5 69 50 5a 50 4b 03 dd e5 69 50 5a 50 4b 06 14 00 0b 00 06 14 00 00 00 00 00 00 00 61 55
^
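The load the sanitizer output points at, beside an alignment-safe way to read the same two zip64 end-of-central-directory counts. This is an added example, not zziplib's code: the field offsets follow the ZIP appnote, while the helper names, the sample record and its deliberate placement at byte offset 3 are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Field offsets in a zip64 end-of-central-directory record (ZIP appnote 4.3.14):
 * 56 fixed little-endian bytes. Helpers are this example's own, not zziplib's. */
#define DISK64_SIG            "PK\x06\x06"
#define DISK64_FIXED_SIZE     56
#define DISK64_LOCAL_ENTRIES  24   /* uint64: entries on this disk */
#define DISK64_FINAL_ENTRIES  32   /* uint64: entries in the central directory */

/* The reported pattern: cast into the mapped file and dereference. p + off comes
 * from untrusted file layout, so it is 8-byte aligned only by luck; UBSan flags
 * it and strict-alignment CPUs raise SIGBUS. Shown for contrast; never called. */
uint64_t load_u64_direct(const unsigned char *p, size_t off) { return *(const uint64_t *)(p + off); }

/* Alignment-safe and endianness-independent: assemble the value byte by byte. */
uint64_t load_u64_le(const unsigned char *p, size_t off)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[off + i];
    return v;
}

/* Bounds-check, verify the signature, then read both counts safely. 1 = ok, 0 = malformed. */
int disk64_trailer_entries(const unsigned char *buf, size_t len, size_t off, uint64_t *local, uint64_t *final_)
{
    if (off > len || len - off < DISK64_FIXED_SIZE) return 0;   /* record must fit */
    if (memcmp(buf + off, DISK64_SIG, 4) != 0) return 0;        /* zip64 EOCD signature */
    *local = load_u64_le(buf, off + DISK64_LOCAL_ENTRIES);
    *final_ = load_u64_le(buf, off + DISK64_FINAL_ENTRIES);
    return 1;
}

/* Constructed sample: the record sits at byte offset 3, so its 64-bit fields are misaligned. */
enum { SAMPLE_OFF = 3, SAMPLE_LEN = SAMPLE_OFF + DISK64_FIXED_SIZE };
static const unsigned char sample_rec[DISK64_FIXED_SIZE] = {
    'P', 'K', 0x06, 0x06, 44, 0, 0, 0, 0, 0, 0, 0,        /* signature, size of rest of record */
    45, 0, 45, 0, 0, 0, 0, 0, 0, 0, 0, 0,                 /* versions, disk numbers */
    0x01, 0x02, 0, 0, 0, 0, 0, 0,                         /* entries on this disk = 513 */
    0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01,       /* total entries; rest stays zero */
};

/* Parse the sample; which: 0 = entries on disk, 1 = total. A len below 59 hits the bounds check. */
uint64_t sample_count(int which, size_t len)
{
    unsigned char buf[SAMPLE_LEN];
    uint64_t local = 0, final_ = 0;
    memset(buf, 0xAA, sizeof buf);                          /* padding that must be skipped */
    memcpy(buf + SAMPLE_OFF, sample_rec, DISK64_FIXED_SIZE);
    if (!disk64_trailer_entries(buf, len, SAMPLE_OFF, &local, &final_)) return UINT64_MAX;
    return which == 0 ? local : final_;
}
```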

@abergmann

CVE-2018-6541 was assigned to this issue.
https://nvd.nist.gov/vuln/detail/CVE-2018-6541

gdraheim added a commit that referenced this issue Feb 4, 2018
@gdraheim
Owner

gdraheim commented Feb 5, 2018

cannot reproduce in test_65419

@gdraheim
Owner

gdraheim commented Feb 5, 2018

after double-checking the download size, the problem cannot be reproduced in test_65414

The testcase provokes a "Zipfile corrupted" on latest master.

Maybe a misalignment is dependent on the processor? Here it is a Core i7-3630QM.

@gdraheim gdraheim added this to the v0.13.68 next release milestone Feb 5, 2018
@gdraheim
Owner

gdraheim commented Feb 5, 2018

checking back with v0.13.67 where the testcase does actually show a bus error.

As the testcase is fine now, it was probably fixed by some other patch. => fixed

@gdraheim gdraheim closed this as completed Feb 5, 2018
flokli added a commit to flokli/nixpkgs that referenced this issue Feb 23, 2018
Bump zziplib to 0.13.68 to fix multiple CVE issues:

 - CVE-2018-6381
 (gdraheim/zziplib@a803559)
 - CVE-2018-6484
 (gdraheim/zziplib#14 (comment))
 - CVE-2018-6540
 (gdraheim/zziplib@72ec933)
 - CVE-2018-6541
 (gdraheim/zziplib#16 (comment))
 - CVE-2018-6542
 (gdraheim/zziplib@931f962)

Unfortunately, getting only those patches is hard, as they're not well
referenced to linked issues. The testsuite checking for vulns
requires network access (so we can't easily test it here).

gdraheim/zziplib#20 might still be an issue,
so keeping this as a TODO here.
flokli added a commit to flokli/nixpkgs that referenced this issue Feb 23, 2018
(cherry picked from commit 9f6a942)
@gdraheim gdraheim changed the title Bus error when handling disk64_trailer in __zzip_fetch_disk_trailer (src/zzip/zip.c) Bus error when handling disk64_trailer in __zzip_fetch_disk_trailer (src/zzip/zip.c) [CVE-2018-6541] Mar 28, 2018
@ret2libc

It seems it was fixed with this commit 0c0c925
