Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 564246 - <sys-apps/busybox-1.24.1: unzip: pointer misuse lead to a crash
Summary: <sys-apps/busybox-1.24.1: unzip: pointer misuse lead to a crash
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-27 08:43 UTC by Agostino Sarubbo
Modified: 2016-12-04 06:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-27 08:43:56 UTC
From ${URL} :


Unziping a specially crafted zip file results in a computation of an invalid
pointer and a crash reading an invalid address. Upstream is taking a look
to it, but in the meantime if someone wants to provide some feedback, it
will be nice. Find an attached a test case to reproduce it. A
complete backtrace in busybox 1.21 (debug) is available here:

$ gdb --args ./busybox_unstripped unzip x.-6170921383890712452
...
(gdb) run
Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip
x.-6170921383890712452
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Archive:  x.-6170921383890712452
  inflating: ]3j½r«I..K-%Ix

Program received signal SIGSEGV, Segmentation fault.
huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257,
d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "",
t=0x60620000eb08,
    t@...ry=0x602c0000fe60, m=0x7fffffffd260) at
archival/libarchive/decompress_gunzip.c:441
441                    r.e = (unsigned char) e[*p - s]; /* non-simple--look
up
in lists */
(gdb) bt
#0  huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257,
d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "",
    t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at
archival/libarchive/decompress_gunzip.c:441
#1  0x0000000000520b52 in inflate_block (state=state@...ry=0x602c0000fe00,
e=e@...ry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905
#2  0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at
archival/libarchive/decompress_gunzip.c:947
#3  inflate_unzip_internal (state=state@...ry=0x602c0000fe00, in=in@...ry=3,
out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1004
#4  0x0000000000522a6a in inflate_unzip (aux=aux@...ry=0x7fffffffdc30,
in=in@...ry=3, out=out@...ry=4) at
archival/libarchive/decompress_gunzip.c:1048
#5  0x000000000051b255 in unzip_extract (dst_fd=4,
zip_header=0x7fffffffdd50)
at archival/unzip.c:255
#6  unzip_main (argc=<optimized out>, argv=<optimized out>) at
archival/unzip.c:654
#7  0x00000000004088bd in run_applet_no_and_exit
(applet_no=applet_no@...ry=328, argv=argv@...ry=0x7fffffffe170) at
libbb/appletlib.c:759
#8  0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip",
argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:766
#9  0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at
libbb/appletlib.c:728
#10 run_applet_and_exit (name=<optimized out>, argv=argv@...ry
=0x7fffffffe168)
at libbb/appletlib.c:768
#11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168)
at
libbb/appletlib.c:823

(gdb) x/i $rip
=> 0x51fb17 <huft_build+2852>:    mov    (%rdi),%dl
(gdb) info registers
rax            0x0    0
rbx            0x57    87
rcx            0x814a18    8473112
rdx            0x140900    1313024
rsi            0x5fa900    6269184
rdi            0xa04dcc    10505676
rbp            0x10007fff7940    0x10007fff7940
rsp            0x7fffffffc930    0x7fffffffc930
r8             0x7fffffffcb64    140737488341860
r9             0x7fffffffcbe8    140737488341992
r10            0x60620000eb10    105974023121680
r11            0x7fffffffcadc    140737488341724
r12            0x7fffffffd260    140737488343648
r13            0x8    8
r14            0x10007fff7944    17594333493572
r15            0x0    0
rip            0x51fb17    0x51fb17 <huft_build+2852>
eflags         0x10216    [ PF AF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0


Fix:

http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2015-11-13 05:36:23 UTC
added upstream fix to the 1.24.1 release
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-13 13:09:58 UTC
(In reply to SpanKY from comment #1)
> added upstream fix to the 1.24.1 release

Thanks you for the bump. Is it ready for stabilization or should we leave it in tree a little bit?
Comment 3 SpanKY gentoo-dev 2015-12-01 16:30:24 UTC
should be fine to go stable now
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-02 00:41:31 UTC
Arches, please test and mark stable:

=sys-apps/busybox-1.24.1

Target Keywords : "amd64 arm hppa ppc ppc64 x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-02 14:30:10 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-04 05:51:41 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-04 06:46:04 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2015-12-05 12:44:43 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-12-07 11:40:54 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-12-25 18:21:11 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 02:17:39 UTC
So I think some of the KEYWORDS got lost through the version bumps. Looks like we might need stabilization for 
alpha, ia64, sparc

Maintainers please advise.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 06:25:34 UTC
vapier: Thanks for the fix
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 06:27:02 UTC
(In reply to Yury German from comment #13)
> vapier: Thanks for the fix
> GLSA Vote: No
> 
> Maintainer(s), please drop the vulnerable version(s).

Sorry wrong on my part. 
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-01-26 02:41:34 UTC
It has been 30 days since cleanup was requested.
Maintainer(s), please drop the vulnerable version(s).
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2016-04-28 05:19:36 UTC
CVE is not going to be assigned
http://www.openwall.com/lists/oss-security/2015/11/03/11
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-12-04 06:41:08 UTC
This issue was resolved and addressed in
 GLSA 201612-04 at https://security.gentoo.org/glsa/201612-04
by GLSA coordinator Aaron Bauman (b-man).