Bug 564246 - <sys-apps/busybox-1.24.1: unzip: pointer misuse lead to a crash
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Reported: 2015-10-27 08:43 UTC by Agostino Sarubbo
Modified: 2016-12-04 06:41 UTC

Description Agostino Sarubbo gentoo-dev 2015-10-27 08:43:56 UTC
From ${URL} :


Unzipping a specially crafted zip file results in a computation of an invalid
pointer and a crash reading an invalid address. Upstream is taking a look
at it, but in the meantime if someone wants to provide some feedback, it
will be nice. Find attached a test case to reproduce it. A
complete backtrace in busybox 1.21 (debug) is available here:

$ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
...
(gdb) run
Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip x.-6170921383890712452
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Archive:  x.-6170921383890712452
  inflating: ]3j½r«I..K-%Ix

Program received signal SIGSEGV, Segmentation fault.
huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257, d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441
441                    r.e = (unsigned char) e[*p - s]; /* non-simple--look up in lists */
(gdb) bt
#0  huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257, d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441
#1  0x0000000000520b52 in inflate_block (state=state@...ry=0x602c0000fe00, e=e@...ry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905
#2  0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at archival/libarchive/decompress_gunzip.c:947
#3  inflate_unzip_internal (state=state@...ry=0x602c0000fe00, in=in@...ry=3, out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1004
#4  0x0000000000522a6a in inflate_unzip (aux=aux@...ry=0x7fffffffdc30, in=in@...ry=3, out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1048
#5  0x000000000051b255 in unzip_extract (dst_fd=4, zip_header=0x7fffffffdd50) at archival/unzip.c:255
#6  unzip_main (argc=<optimized out>, argv=<optimized out>) at archival/unzip.c:654
#7  0x00000000004088bd in run_applet_no_and_exit (applet_no=applet_no@...ry=328, argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:759
#8  0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip", argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:766
#9  0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at libbb/appletlib.c:728
#10 run_applet_and_exit (name=<optimized out>, argv=argv@...ry=0x7fffffffe168) at libbb/appletlib.c:768
#11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168) at libbb/appletlib.c:823

(gdb) x/i $rip
=> 0x51fb17 <huft_build+2852>:    mov    (%rdi),%dl
(gdb) info registers
rax            0x0    0
rbx            0x57    87
rcx            0x814a18    8473112
rdx            0x140900    1313024
rsi            0x5fa900    6269184
rdi            0xa04dcc    10505676
rbp            0x10007fff7940    0x10007fff7940
rsp            0x7fffffffc930    0x7fffffffc930
r8             0x7fffffffcb64    140737488341860
r9             0x7fffffffcbe8    140737488341992
r10            0x60620000eb10    105974023121680
r11            0x7fffffffcadc    140737488341724
r12            0x7fffffffd260    140737488343648
r13            0x8    8
r14            0x10007fff7944    17594333493572
r15            0x0    0
rip            0x51fb17    0x51fb17 <huft_build+2852>
eflags         0x10216    [ PF AF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0


Fix:

http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
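
A bounds-checked form of the lookup on the faulting line (`r.e = (unsigned char) e[*p - s]`), as an added example that is not BusyBox code and not the upstream fix. It also works out the index implied by the register dump above. Assumptions: the helper names are hypothetical, the 31-entry table is the classic inflate extra-bits list and is assumed to match `cplext`, and `%rdi` is assumed to have held the address of `e[*p - s]`.

```c
#include <stddef.h>
#include <stdio.h>

/* Extra-bits list for length codes 257..285 from the classic inflate
 * implementation (31 entries, 99 == invalid); assumed to match cplext. */
static const unsigned char cplext_tbl[31] = {
    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
    3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0, 99, 99
};

#define E_INVALID 99u /* "invalid code" marker, same value the table uses */

/* Hypothetical helper: checked form of `r.e = e[*p - s]`.
 * value = *p, s = first non-simple code, e/e_len = extra-bits list.
 * Returns the list entry, or E_INVALID when value - s is not inside e[]. */
static unsigned checked_extra(const unsigned char *e, size_t e_len,
                              unsigned value, unsigned s)
{
    if (value < s)                     /* simple code: not a list lookup */
        return E_INVALID;
    if ((size_t)(value - s) >= e_len)  /* index past the end of the list */
        return E_INVALID;
    return e[value - s];
}

/* Index implied by the crash, assuming %rdi held &e[*p - s]. */
static unsigned long index_from_dump(unsigned long rdi, unsigned long e_addr)
{
    return rdi - e_addr;
}

int main(void)
{
    /* rdi and e are copied from the gdb output in the report; s = 257. */
    unsigned long idx = index_from_dump(0xa04dccUL, 0x5fa8c0UL);
    unsigned value = (unsigned)idx + 257u;

    printf("index %#lx -> %u\n", idx,
           checked_extra(cplext_tbl, sizeof cplext_tbl, value, 257u));
    printf("code 265 -> %u extra bits\n",
           checked_extra(cplext_tbl, sizeof cplext_tbl, 265u, 257u));
    return 0;
}
```

Under that assumption the index is far outside a 31-entry list, which matches the report's description of an invalid pointer being computed and then read.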
Comment 1 SpanKY gentoo-dev 2015-11-13 05:36:23 UTC
added upstream fix to the 1.24.1 release
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-13 13:09:58 UTC
(In reply to SpanKY from comment #1)
> added upstream fix to the 1.24.1 release

Thank you for the bump. Is it ready for stabilization or should we leave it in tree a little bit?
Comment 3 SpanKY gentoo-dev 2015-12-01 16:30:24 UTC
should be fine to go stable now
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 00:41:31 UTC
Arches, please test and mark stable:

=sys-apps/busybox-1.24.1

Target Keywords : "amd64 arm hppa ppc ppc64 x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-02 14:30:10 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-04 05:51:41 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-04 06:46:04 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2015-12-05 12:44:43 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-12-07 11:40:54 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:11 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 02:17:39 UTC
So I think some of the KEYWORDS got lost through the version bumps. Looks like we might need stabilization for 
alpha, ia64, sparc

Maintainers please advise.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 06:25:34 UTC
vapier: Thanks for the fix
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 06:27:02 UTC
(In reply to Yury German from comment #13)
> vapier: Thanks for the fix
> GLSA Vote: No
> 
> Maintainer(s), please drop the vulnerable version(s).

Sorry wrong on my part. 
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-01-26 02:41:34 UTC
It has been 30 days since cleanup was requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2016-04-28 05:19:36 UTC
CVE is not going to be assigned
http://www.openwall.com/lists/oss-security/2015/11/03/11
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 06:41:08 UTC
This issue was resolved and addressed in
 GLSA 201612-04 at https://security.gentoo.org/glsa/201612-04
by GLSA coordinator Aaron Bauman (b-man).