From ${URL} : Unziping a specially crafted zip file results in a computation of an invalid pointer and a crash reading an invalid address. Upstream is taking a look to it, but in the meantime if someone wants to provide some feedback, it will be nice. Find an attached a test case to reproduce it. A complete backtrace in busybox 1.21 (debug) is available here: $ gdb --args ./busybox_unstripped unzip x.-6170921383890712452 ... (gdb) run Starting program: /home/g/Code/busybox-1.21.0/busybox_unstripped unzip x.-6170921383890712452 [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Archive: x.-6170921383890712452 inflating: ]3j½r«I..K-%Ix Program received signal SIGSEGV, Segmentation fault. huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257, d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441 441 r.e = (unsigned char) e[*p - s]; /* non-simple--look up in lists */ (gdb) bt #0 huft_build (b=b@...ry=0x7fffffffd320, n=n@...ry=264, s=s@...ry=257, d=d@...ry=0x5fa900 <cplens>, e=e@...ry=0x5fa8c0 <cplext> "", t=0x60620000eb08, t@...ry=0x602c0000fe60, m=0x7fffffffd260) at archival/libarchive/decompress_gunzip.c:441 #1 0x0000000000520b52 in inflate_block (state=state@...ry=0x602c0000fe00, e=e@...ry=0x602c0000fe83 "") at archival/libarchive/decompress_gunzip.c:905 #2 0x00000000005222d1 in inflate_get_next_window (state=0x602c0000fe00) at archival/libarchive/decompress_gunzip.c:947 #3 inflate_unzip_internal (state=state@...ry=0x602c0000fe00, in=in@...ry=3, out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1004 #4 0x0000000000522a6a in inflate_unzip (aux=aux@...ry=0x7fffffffdc30, in=in@...ry=3, out=out@...ry=4) at archival/libarchive/decompress_gunzip.c:1048 #5 0x000000000051b255 in unzip_extract (dst_fd=4, zip_header=0x7fffffffdd50) at archival/unzip.c:255 #6 unzip_main (argc=<optimized out>, argv=<optimized out>) at archival/unzip.c:654 #7 0x00000000004088bd in run_applet_no_and_exit (applet_no=applet_no@...ry=328, argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:759 #8 0x0000000000408935 in run_applet_and_exit (name=0x7fffffffe4c8 "unzip", argv=argv@...ry=0x7fffffffe170) at libbb/appletlib.c:766 #9 0x0000000000408e7c in busybox_main (argv=0x7fffffffe170) at libbb/appletlib.c:728 #10 run_applet_and_exit (name=<optimized out>, argv=argv@...ry =0x7fffffffe168) at libbb/appletlib.c:768 #11 0x0000000000408f65 in main (argc=<optimized out>, argv=0x7fffffffe168) at libbb/appletlib.c:823 (gdb) x/i $rip => 0x51fb17 <huft_build+2852>: mov (%rdi),%dl (gdb) info registers rax 0x0 0 rbx 0x57 87 rcx 0x814a18 8473112 rdx 0x140900 1313024 rsi 0x5fa900 6269184 rdi 0xa04dcc 10505676 rbp 0x10007fff7940 0x10007fff7940 rsp 0x7fffffffc930 0x7fffffffc930 r8 0x7fffffffcb64 140737488341860 r9 0x7fffffffcbe8 140737488341992 r10 0x60620000eb10 105974023121680 r11 0x7fffffffcadc 140737488341724 r12 0x7fffffffd260 140737488343648 r13 0x8 8 r14 0x10007fff7944 17594333493572 r15 0x0 0 rip 0x51fb17 0x51fb17 <huft_build+2852> eflags 0x10216 [ PF AF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 Fix: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
added upstream fix to the 1.24.1 release
(In reply to SpanKY from comment #1) > added upstream fix to the 1.24.1 release Thanks you for the bump. Is it ready for stabilization or should we leave it in tree a little bit?
should be fine to go stable now
Arches, please test and mark stable: =sys-apps/busybox-1.24.1 Target Keywords : "amd64 arm hppa ppc ppc64 x86" Thank you!
amd64 stable
Stable for PPC64.
Stable for HPPA.
arm stable
ppc stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
So I think some of the KEYWORDS got lost through the version bumps. Looks like we might need stabilization for alpha, ia64, sparc Maintainers please advise.
should be fixed now with: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58892cd826270f5d676679420f0edde126a9398e
vapier: Thanks for the fix GLSA Vote: No Maintainer(s), please drop the vulnerable version(s).
(In reply to Yury German from comment #13) > vapier: Thanks for the fix > GLSA Vote: No > > Maintainer(s), please drop the vulnerable version(s). Sorry wrong on my part. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
It has been 30 days since cleanup was requested. Maintainer(s), please drop the vulnerable version(s).
CVE is not going to be assigned http://www.openwall.com/lists/oss-security/2015/11/03/11
This issue was resolved and addressed in GLSA 201612-04 at https://security.gentoo.org/glsa/201612-04 by GLSA coordinator Aaron Bauman (b-man).