
Bug 213761 (CVE-2008-0888)

Summary: app-arch/unzip <5.52-r2 Double free vulnerability (CVE-2008-0888)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hanno
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Attachments:
unzip-5.5.2-CVE-2008-0888.patch (Flags: none)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 01:32:50 UTC
Tavis Ormandy writes:

the inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error, this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers, they are either
uninitialised or pointing inside a block that has already been free()d
(i.e., not pointing at the block, but at a location inside it).

In both cases, the possibility of controlling either the pointer (e.g.,
by altering the uninitialized data on the stack left over from some
previous subroutine call), or the buffer pointed at by the pointer, is
small but perhaps non-zero.
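The failure mode Tavis describes, as an added example that is not code from unzip or from this bug's patch: a toy inflate-style routine whose NEEDBITS() macro jumps to a cleanup label that frees two table pointers, and a tracking allocator that counts a free of a non-live pointer instead of letting libc abort. The allocator, the huft stand-in, the bit-stream layout and the input bytes are all constructed for this illustration; only the names (huft_build, huft_free, NEEDBITS, DUMPBITS, inflate_dynamic) mirror the report's vocabulary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not unzip's code. A NEEDBITS()-style macro jumps
 * to a cleanup label that frees two table pointers; if one still holds
 * the address of a block released earlier, cleanup frees it twice. */

#define MAX_BLOCKS 8
static void *g_blocks[MAX_BLOCKS]; /* addresses of live allocations */
static int g_live = 0;              /* blocks currently allocated */
static int g_bad_frees = 0;         /* frees of a pointer that is not live */

static void *track_alloc(size_t n)
{
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (g_blocks[i] != NULL) continue;
        if ((g_blocks[i] = malloc(n)) != NULL) g_live++;
        return g_blocks[i];
    }
    return NULL;
}

static void track_free(void *p)
{
    if (p == NULL) return;                 /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (g_blocks[i] != p) continue;
        g_blocks[i] = NULL; g_live--; free(p);
        return;
    }
    g_bad_frees++;                         /* not live: double free or garbage pointer */
}

static void reset_tracking(void)
{
    for (int i = 0; i < MAX_BLOCKS; i++) { free(g_blocks[i]); g_blocks[i] = NULL; }
    g_live = g_bad_frees = 0;
}

struct huft { unsigned n; };               /* stand-in for a Huffman table */

static struct huft *huft_build(unsigned n)
{
    struct huft *h = track_alloc(sizeof *h);
    if (h != NULL) h->n = n;
    return h;
}

/* Accepts NULL, as comment 4 below says unzip's huft_free() does. */
static void huft_free(struct huft *t) { track_free(t); }

struct bitreader { const uint8_t *buf; size_t len, pos; uint32_t bitbuf; unsigned bitcnt; };

/* Pull input bytes until n bits are buffered; on exhausted input jump to
 * the enclosing function's cleanup label (the control flow in the report). */
#define NEEDBITS(br, n)                                                        \
    do {                                                                       \
        while ((br)->bitcnt < (n)) {                                           \
            if ((br)->pos >= (br)->len) goto cleanup;                          \
            (br)->bitbuf |= (uint32_t)(br)->buf[(br)->pos++] << (br)->bitcnt;  \
            (br)->bitcnt += 8;                                                 \
        }                                                                      \
    } while (0)
#define DUMPBITS(br, n) do { (br)->bitbuf >>= (n); (br)->bitcnt -= (n); } while (0)

static unsigned g_last_nl, g_last_nd;     /* parsed header fields, for inspection */

/* Toy dynamic-block parser. With fixed == 0 it has the report's bug: tl is
 * freed after pass 1 but keeps the stale address, so a stream that ends
 * before pass 2 makes cleanup free it again. With fixed == 1 the pointer is
 * cleared right after the free (both pointers also start as NULL, which
 * covers the report's uninitialized case). Returns 0 on success, -1 on error. */
static int inflate_dynamic(struct bitreader *br, int fixed)
{
    struct huft *tl = NULL, *td = NULL;
    unsigned nl, nd, nb;
    int rc = -1;

    NEEDBITS(br, 5); nl = 257 + (br->bitbuf & 0x1f); DUMPBITS(br, 5);
    NEEDBITS(br, 5); nd = 1 + (br->bitbuf & 0x1f);   DUMPBITS(br, 5);
    NEEDBITS(br, 4); nb = 4 + (br->bitbuf & 0x0f);   DUMPBITS(br, 4);

    /* Pass 1: table for the code-length alphabet, then nb 3-bit lengths. */
    if ((tl = huft_build(19)) == NULL) goto cleanup;
    for (unsigned i = 0; i < nb; i++) { NEEDBITS(br, 3); DUMPBITS(br, 3); }
    huft_free(tl);
    if (fixed) tl = NULL;                  /* the fix: never leave a freed address behind */

    /* Pass 2 needs more input; a truncated stream fails on this NEEDBITS. */
    NEEDBITS(br, 8); DUMPBITS(br, 8);
    if ((tl = huft_build(nl)) == NULL) goto cleanup;
    if ((td = huft_build(nd)) == NULL) goto cleanup;
    g_last_nl = nl; g_last_nd = nd;
    rc = 0;

cleanup:
    huft_free(tl);                         /* double free here when tl is stale */
    huft_free(td);
    return rc;
}

/* Constructed streams: header byte 0x23 encodes nl = 260, nd = 2, nb = 4;
 * the full stream carries the byte pass 2 needs, the truncated one does not. */
static const uint8_t FULL_STREAM[5]      = { 0x23, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t TRUNCATED_STREAM[4] = { 0x23, 0x00, 0x00, 0x00 };

static int run_case(const uint8_t *stream, size_t len, int fixed)
{
    struct bitreader br = { stream, len, 0, 0, 0 };
    reset_tracking();
    g_last_nl = g_last_nd = 0;
    return inflate_dynamic(&br, fixed);
}

int main(void)
{
    int rc = run_case(TRUNCATED_STREAM, sizeof TRUNCATED_STREAM, 0);
    printf("buggy, truncated input: rc=%d bad_frees=%d\n", rc, g_bad_frees);
    rc = run_case(TRUNCATED_STREAM, sizeof TRUNCATED_STREAM, 1);
    printf("fixed, truncated input: rc=%d bad_frees=%d\n", rc, g_bad_frees);
    return 0;
}
```

The tracking allocator only exists so the second free is observable in-process; against a real build the equivalent check is to run a truncated or otherwise malformed archive under a tool that flags invalid frees (valgrind or AddressSanitizer), since glibc itself may either abort or silently corrupt the heap. The hardening is the usual pair: initialize every pointer the cleanup path may free to NULL, and set it back to NULL immediately after each free so a later error exit can never see a stale address.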
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 01:34:02 UTC
base-system, please find the patch attached. No upstream bump to be expected; smithj tried contacting them without success.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 01:34:49 UTC
Created attachment 146443 [details, diff]
unzip-5.5.2-CVE-2008-0888.patch

Courtesy of Tavis
Comment 3 Jonathan Smith (RETIRED) gentoo-dev 2008-03-18 04:44:31 UTC
(In reply to comment #1)
> smithj tried contacting them without success.

Yeah. Actually, if anyone has a contact for them, please pass this info along!

Comment 4 SpanKY gentoo-dev 2008-03-18 11:28:10 UTC
i'd drop the last two hunks of that patch as one is simply whitespace change and the other is redundant -- huft_free() already performs the if(NULL) test
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 12:16:54 UTC
(In reply to comment #4)
> i'd drop the last two hunks of that patch as one is simply whitespace change
> and the other is redundant -- huft_free() already performs the if(NULL) test

sounds good, taviso complained about losing performance though ;-)
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 21:13:08 UTC
spanky, any updates here?
Comment 7 SpanKY gentoo-dev 2008-03-29 02:37:54 UTC
added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into the issue to verify correctness of the patch
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 10:04:45 UTC
(In reply to comment #7)
> added unzip-5.5.2-r2 to the tree w/the patch ... not that i really looked into
> the issue to verify correctness of the patch

Couldn't reproduce the error with taviso's PoC.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 10:05:17 UTC
Arches, please test and mark stable:
=app-arch/unzip-5.52-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 10:12:43 UTC
amd64 stable
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-29 11:15:45 UTC
x86 stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2008-03-29 15:33:03 UTC
ppc and ppc64 done
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-03-29 16:06:31 UTC
alpha/ia64/sparc stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-29 16:57:02 UTC
Stable for HPPA.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-03-30 11:41:42 UTC
Fixed in release snapshot.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 17:20:59 UTC
GLSA 200804-06.