Bug#: 213761
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachment: unzip-5.5.2-CVE-2008-0888.patch (patch, Robert Buchholz, 2008-03-18 01:34 0000, 1.36 KB)

Description:   Opened: 2008-03-18 01:32 0000
Tavis Ormandy writes:

the inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error; this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers: they are either
uninitialised or pointing inside a block that has already been free()d
(i.e., not pointing at the block, but at a location inside it).

In both cases, the possibility of controlling either the pointer (e.g.,
by altering the uninitialized data on the stack left over from some
previous subroutine call), or the buffer pointed at by the pointer, is
small but perhaps non-zero.
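The following C program is an added illustration of the cleanup pattern the report describes; it is constructed for this page and is not code from unzip, from the report, or from the attached patch. A tiny slot arena stands in for the heap and records double or wild frees instead of corrupting anything, a `NEEDBITS_OR_CLEANUP` macro stands in for NEEDBITS() jumping to the cleanup label, and `STACK_JUNK` is a constructed stand-in for whatever a previous call left on the stack (it is compared, never dereferenced). `decode_naive` shows why an early or late short read reaches cleanup with a wild or dangling table pointer; `decode_hardened` shows the two fixes: initialise the table pointers to NULL and clear them after each free, relying on the freeing routine's NULL check (comment #4 notes huft_free() already has one). All names here are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed slot arena: four fixed buffers with a live flag each. */
#define NSLOTS 4
static unsigned char slots[NSLOTS][64];
static int slot_live[NSLOTS];
static int bad_frees;    /* frees of a pointer that is not a live slot */
static int live_count;   /* slots currently allocated */

static void arena_reset(void) {
    memset(slot_live, 0, sizeof slot_live);
    bad_frees = 0;
    live_count = 0;
}

static void *arena_alloc(void) {
    for (int i = 0; i < NSLOTS; i++)
        if (!slot_live[i]) { slot_live[i] = 1; live_count++; return slots[i]; }
    return NULL;
}

/* Like huft_free(): NULL is a no-op; anything else must be a live slot. */
static void arena_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < NSLOTS; i++) {
        if (p == (void *)slots[i]) {
            if (slot_live[i]) { slot_live[i] = 0; live_count--; return; }
            bad_frees++;   /* double free of an already released slot */
            return;
        }
    }
    bad_frees++;           /* wild pointer: not an arena slot at all */
}

int arena_live(void) { return live_count; }

/* Stand-in for NEEDBITS(): a short input jumps to the cleanup label. */
#define NEEDBITS_OR_CLEANUP(ok) do { if (!(ok)) goto cleanup; } while (0)

/* Constructed stand-in for leftover stack contents (never dereferenced). */
#define STACK_JUNK ((void *)&bad_frees)

/* The reported pattern: table pointers start as stack garbage and are not
 * cleared after release. fail_at selects which bit fetch runs short
 * (0 = none). Returns the number of bad frees the arena recorded. */
int decode_naive(int fail_at) {
    void *tl = STACK_JUNK, *td = STACK_JUNK;
    arena_reset();
    NEEDBITS_OR_CLEANUP(fail_at != 1);   /* before any table exists */
    tl = arena_alloc();
    NEEDBITS_OR_CLEANUP(fail_at != 2);   /* tl live, td still junk */
    td = arena_alloc();
    NEEDBITS_OR_CLEANUP(fail_at != 3);   /* both live: cleanup is fine here */
    arena_free(tl);                      /* tl is now dangling */
    NEEDBITS_OR_CLEANUP(fail_at != 4);   /* cleanup releases tl a second time */
    arena_free(td);
    return bad_frees;                    /* success path skips cleanup */
cleanup:
    arena_free(tl);
    arena_free(td);
    return bad_frees;
}

/* Hardened form: pointers start NULL and are cleared after each release, so
 * whichever fetch fails, cleanup only ever frees live tables or NULL. */
int decode_hardened(int fail_at) {
    void *tl = NULL, *td = NULL;
    arena_reset();
    NEEDBITS_OR_CLEANUP(fail_at != 1);
    tl = arena_alloc();
    NEEDBITS_OR_CLEANUP(fail_at != 2);
    td = arena_alloc();
    NEEDBITS_OR_CLEANUP(fail_at != 3);
    arena_free(tl); tl = NULL;           /* cleared: cleanup cannot free it twice */
    NEEDBITS_OR_CLEANUP(fail_at != 4);
    arena_free(td); td = NULL;
cleanup:
    arena_free(tl);
    arena_free(td);
    return bad_frees;
}
```

Running `decode_naive` with each failure point shows two wild frees when the first fetch fails, one when the second fails, and one double free when the fetch after the first table release fails; `decode_hardened` records none and leaves no live slots for every failure point.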

------- Comment #1 From Robert Buchholz 2008-03-18 01:34:02 0000 -------
base-system, please find the patch attached. No upstream bump to be expected,
smithj tried contacting them without success.

------- Comment #2 From Robert Buchholz 2008-03-18 01:34:49 0000 -------
Created an attachment (id=146443) [edit]
unzip-5.5.2-CVE-2008-0888.patch

Courtesy of Tavis

------- Comment #3 From Jonathan Smith 2008-03-18 04:44:31 0000 -------
(In reply to comment #1)
> smithj tried contacting them without success.

Yeah. Actually, if anyone has a contact for them, please pass this info along!

------- Comment #4 From SpanKY 2008-03-18 11:28:10 0000 -------
i'd drop the last two hunks of that patch as one is simply whitespace change
and the other is redundant -- huft_free() already performs the if(NULL) test

------- Comment #5 From Robert Buchholz 2008-03-18 12:16:54 0000 -------
(In reply to comment #4)
> i'd drop the last two hunks of that patch as one is simply whitespace change
> and the other is redundant -- huft_free() already performs the if(NULL) test

sounds good, taviso complained about losing performance though ;-)

------- Comment #6 From Robert Buchholz 2008-03-27 21:13:08 0000 -------
spanky, any updates here?

------- Comment #7 From SpanKY 2008-03-29 02:37:54 0000 -------
added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
the issue to verify correctness of the patch

------- Comment #8 From Robert Buchholz 2008-03-29 10:04:45 0000 -------
(In reply to comment #7)
> added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
> the issue to verify correctness of the patch

Couldn't reproduce the error with taviso's PoC.

------- Comment #9 From Robert Buchholz 2008-03-29 10:05:17 0000 -------
Arches, please test and mark stable:
=app-arch/unzip-5.52-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

------- Comment #10 From Robert Buchholz 2008-03-29 10:12:43 0000 -------
amd64 stable

------- Comment #11 From Christian Faulhammer 2008-03-29 11:15:45 0000 -------
x86 stable

------- Comment #12 From Brent Baude 2008-03-29 15:33:03 0000 -------
ppc and ppc64 done

------- Comment #13 From Raúl Porcel 2008-03-29 16:06:31 0000 -------
alpha/ia64/sparc stable

------- Comment #14 From Jeroen Roovers 2008-03-29 16:57:02 0000 -------
Stable for HPPA.

------- Comment #15 From Peter Volkov 2008-03-30 11:41:42 0000 -------
Fixed in release snapshot.

------- Comment #16 From Robert Buchholz 2008-04-06 17:20:59 0000 -------
GLSA 200804-06.
