Tavis Ormandy writes: the inflate_dynamic() routine (~978, inflate.c) uses a macro NEEDBITS() that jumps execution to a cleanup routine on error; this routine attempts to free() two buffers allocated during the inflate process. At certain locations, the NEEDBITS() macro is used while the pointers are not pointing to valid buffers: they are either uninitialised or pointing inside a block that has already been free()d (i.e., not pointing at the block, but at a location inside it). In both cases, the possibility of controlling either the pointer (e.g., by altering the uninitialised data on the stack left over from some previous subroutine call), or the buffer pointed at by the pointer, is small but perhaps non-zero.
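Added illustration of the cleanup-path hazard described in the report above. This is constructed example code, not unzip's inflate.c and not the attached patch: the names `NEED`, `need_bytes`, `decode_safe`, `demo_full` and `demo_truncated` are hypothetical, and the "table" format is invented. It models the shape of inflate_dynamic(): a macro that jumps to a `cleanup` label when input runs short, and a cleanup that frees two table buffers. The defensive rule it demonstrates is that every pointer `cleanup` may free is set to NULL before the first possible jump and cleared again right after each free, so a bail-out at any point frees only live allocations (never an uninitialised or dangling pointer).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal input reader standing in for inflate's bit buffer. */
struct reader { const unsigned char *in; size_t len; size_t pos; };

/* Returns 0 if at least n more bytes are available, -1 otherwise. */
static int need_bytes(const struct reader *r, size_t n)
{
    return (r->pos + n <= r->len) ? 0 : -1;
}

/* Plays the role of NEEDBITS(): on short input, jump to the cleanup label. */
#define NEED(r, n) do { if (need_bytes((r), (n)) != 0) goto cleanup; } while (0)

/* Format (constructed): nblocks, then per block
 *   nlit, nlit bytes (literal table), ndist, ndist bytes (distance table).
 * Result is the sum of all table bytes. Returns 0 on success, -1 on
 * truncated input or allocation failure. */
int decode_safe(const unsigned char *in, size_t len, int *out_sum)
{
    struct reader r = { in, len, 0 };
    unsigned char *lit = NULL;   /* initialised before any NEED(): hazard 1 avoided */
    unsigned char *dist = NULL;
    int rc = -1, sum = 0;
    size_t nblocks, nlit, ndist, i;

    NEED(&r, 1);                 /* a jump here frees two NULLs: a no-op */
    nblocks = r.in[r.pos++];
    while (nblocks-- > 0) {
        NEED(&r, 1);             /* on the 2nd block this runs right after free(): hazard 2 */
        nlit = r.in[r.pos++];
        if ((lit = malloc(nlit + 1)) == NULL) goto cleanup;
        NEED(&r, nlit);          /* lit is live, dist is NULL: both safe to free */
        memcpy(lit, r.in + r.pos, nlit); r.pos += nlit;

        NEED(&r, 1);
        ndist = r.in[r.pos++];
        if ((dist = malloc(ndist + 1)) == NULL) goto cleanup;
        NEED(&r, ndist);
        memcpy(dist, r.in + r.pos, ndist); r.pos += ndist;

        for (i = 0; i < nlit; i++) sum += lit[i];
        for (i = 0; i < ndist; i++) sum += dist[i];

        /* Per-block tables are released here. Clearing the pointers is what
         * keeps the NEED() at the top of the next iteration from handing a
         * freed (dangling) pointer to cleanup. */
        free(lit);  lit = NULL;
        free(dist); dist = NULL;
    }
    rc = 0;
cleanup:
    free(lit);                   /* either a live allocation or NULL, never stale */
    free(dist);
    *out_sum = sum;
    return rc;
}

/* Constructed sample: 2 blocks; tables {1,2},{3} and {4},{5,6}. Sum = 21. */
static const unsigned char sample[] = { 2, 2, 1, 2, 1, 3, 1, 4, 2, 5, 6 };

/* Decodes the full sample; returns the sum (21) or -1 on failure. */
int demo_full(void)
{
    int sum = 0;
    return decode_safe(sample, sizeof sample, &sum) == 0 ? sum : -1;
}

/* Decodes a truncated prefix of the sample; returns decode_safe's rc.
 * len == 6 cuts the input exactly after block 1, so the bail-out happens
 * immediately after the per-block free(): the dangling-pointer case. */
int demo_truncated(size_t len)
{
    int sum = 0;
    return decode_safe(sample, len < sizeof sample ? len : sizeof sample, &sum);
}

int main(void)
{
    printf("full input: sum=%d\n", demo_full());
    printf("truncated at 0: rc=%d\n", demo_truncated(0));
    printf("truncated at 6: rc=%d\n", demo_truncated(6));
    return 0;
}
```

Running the truncated cases under Valgrind or ASan is the practical check: with the two `= NULL` assignments removed after the per-block frees, the `len == 6` case reports a double free, which is the class of defect the report is about.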
base-system, please find the patch attached. No upstream bump to be expected, smithj tried contacting them without success.
Created attachment 146443: unzip-5.5.2-CVE-2008-0888.patch Courtesy of Tavis
(In reply to comment #1)
> smithj tried contacting them without success.
Yeah. Actually, if anyone has a contact for them, please pass this info along!
I'd drop the last two hunks of that patch, as one is simply a whitespace change and the other is redundant: huft_free() already performs the if(NULL) test.
(In reply to comment #4)
> i'd drop the last two hunks of that patch as one is simply whitespace change
> and the other is redundant -- huft_free() already performs the if(NULL) test
Sounds good; taviso complained about losing performance though ;-)
spanky, any updates here?
added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into the issue to verify correctness of the patch
(In reply to comment #7)
> added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
> the issue to verify correctness of the patch
Couldn't reproduce the error with taviso's PoC.
Arches, please test and mark stable: =app-arch/unzip-5.52-r2
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
amd64 stable
x86 stable
ppc and ppc64 done
alpha/ia64/sparc stable
Stable for HPPA.
Fixed in release snapshot.
GLSA 200804-06.