Bug 213761 - app-arch/unzip <5.52-r2 Double free vulnerability (CVE-2008-0888)
Bug#: 213761 (CVE-2008-0888) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-arch/unzip <5.52-r2 Double free vulnerability (CVE-2008-0888)
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2008-03-18 01:32 0000
Description:   Opened: 2008-03-18 01:32 0000 
Tavis Ormandy writes:

the inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error, this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers, they are either
uninitialised or pointing inside a block that has already been free()d
(ie, not pointing at the block, but at a location inside it).

In both cases, the possibility of controlling either the pointer (eg,
by altering the unitialized data on the stack left over from some
previous subroutine call), or the buffer pointed at by the pointer, is
small but perhaps non-zero.

------- Comment #1 From Robert Buchholz 2008-03-18 01:34:02 0000 ------- 
base-system, please find the patch attached. No upstream bump to be expected,
smithj tried contacting them without success.

------- Comment #2 From Robert Buchholz 2008-03-18 01:34:49 0000 ------- 
Created an attachment (id=146443) [details]
unzip-5.5.2-CVE-2008-0888.patch

Courtesy of Tavis

------- Comment #3 From Jonathan Smith 2008-03-18 04:44:31 0000 ------- 
(In reply to comment #1)
> smithj tried contacting them without success.

Yeah. Actually, if anyone has a contact for them, please pass this info along!

------- Comment #4 From SpanKY 2008-03-18 11:28:10 0000 ------- 
i'd drop the last two hunks of that patch as one is simply whitespace change
and the other is redundant -- huft_free() already performs the if(NULL) test

------- Comment #5 From Robert Buchholz 2008-03-18 12:16:54 0000 ------- 
(In reply to comment #4)
> i'd drop the last two hunks of that patch as one is simply whitespace change
> and the other is redundant -- huft_free() already performs the if(NULL) test

sounds good, taviso complained about losing performance though ;-)

------- Comment #6 From Robert Buchholz 2008-03-27 21:13:08 0000 ------- 
spanky, any updates here?

------- Comment #7 From SpanKY 2008-03-29 02:37:54 0000 ------- 
added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
the issue to verify correctness of the patch

------- Comment #8 From Robert Buchholz 2008-03-29 10:04:45 0000 ------- 
(In reply to comment #7)
> added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
> the issue to verify correctness of the patch

Couldn't reproduce the error with taviso's PoC.

------- Comment #9 From Robert Buchholz 2008-03-29 10:05:17 0000 ------- 
Arches, please test and mark stable:
=app-arch/unzip-5.52-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

------- Comment #10 From Robert Buchholz 2008-03-29 10:12:43 0000 ------- 
amd64 stable

------- Comment #11 From Christian Faulhammer 2008-03-29 11:15:45 0000 ------- 
x86 stable

------- Comment #12 From Brent Baude 2008-03-29 15:33:03 0000 ------- 
ppc and ppc64 done

------- Comment #13 From Raúl Porcel 2008-03-29 16:06:31 0000 ------- 
alpha/ia64/sparc stable

------- Comment #14 From Jeroen Roovers 2008-03-29 16:57:02 0000 ------- 
Stable for HPPA.

------- Comment #15 From Peter Volkov 2008-03-30 11:41:42 0000 ------- 
Fixed in release snapshot.

------- Comment #16 From Robert Buchholz 2008-04-06 17:20:59 0000 ------- 
GLSA 200804-06.