libzip: libzip-discuss: libzip-0.10.1 security fix release

From: Thomas Klausner <tk%giga.or.at@localhost>
To: libzip-discuss%nih.at@localhost
Subject: libzip-0.10.1 security fix release
Date: Tue, 20 Mar 2012 15:41:00 +0100

Hi!

I've just released libzip-0.10.1, available as usual at
     http://www.nih.at/libzip/

The changes to the previous version, 0.10, are very small, since this
is a security fix prompted by two issues reported by Timo Warns
<warns%pre-sense.de@localhost> (Thanks again, Timo!).

These vulnerabilities have been assigned CVE-2012-1162 and
CVE-2012-1163.

Timo's description of the problem follows:

Incorrect loop construct in libzip (<= 0.10)
--------------------------------------------

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files. The Ruby binding
zipruby (version <= 0.3.6) is also affected by the vulnerability as it
includes a copy of libzip.

On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:

(192)    /* number of cdir-entries */
(193)    nentry = _zip_read2(&cdp);

Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:

(104)    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.

_zip_readcdir finishes with reading in the directory entries in a posttest
do-while loop:

(260)    do {
(261)        if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
         ...
(277)    } while (i<cd->nentry && left > 0);

If cd->entry points to 0 bytes of allocated memory, _zip_dirent writes
beyond the allocated memory.
Numeric overflow in libzip (<= 0.10) and zipruby (<=0.3.6)
----------------------------------------------------------

libzip (version <= 0.10) has a numeric overflow condition, which, for
example, results in improper restrictions of operations within the bounds
of a memory buffer. The Ruby binding zipruby (version <= 0.3.6) is also
affected by the vulnerability as it includes a copy of libzip.

On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:

(198)    cd->size = _zip_read4(&cdp);
(199)    cd->offset = _zip_read4(&cdp);

libzip performs a consistency check on these values, but does not
anticipate an integer overflow:

(203)    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.
If you're using, embedding, or packaging libzip, please upgrade to the
latest version.

Another libzip release with UTF-8 and zip64 support is planned for the
next months.

All the best,
 Thomas
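
As an added illustration (not part of Timo's advisory or of libzip's code), the two patterns described above modelled in stand-alone C with hypothetical names: the wrapping bounds check beside an overflow-safe form, and the do-while read loop beside a pretest loop that never writes into a 0-entry allocation.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Added example, not libzip's code. Hypothetical names: cd_offset/cd_size stand
 * for cd->offset and cd->size (taken as 32-bit, as _zip_read4 returns), cdir_end
 * for buf_offset + (eocd-buf), and ENTRY_LEN for the bytes of one entry. */
#define ENTRY_LEN 46u

/* CVE-2012-1163 pattern: the sum of two 32-bit fields can wrap, so a huge
 * offset plus a size slips past the bounds check. Returns true if accepted. */
bool cdir_in_bounds_unsafe(uint32_t cd_offset, uint32_t cd_size, uint32_t cdir_end)
{
    return !((uint32_t)(cd_offset + cd_size) > cdir_end);
}

/* Hardened form: compare without adding, so no wrap-around is possible. */
bool cdir_in_bounds_safe(uint32_t cd_offset, uint32_t cd_size, uint32_t cdir_end)
{
    if (cd_size > cdir_end) return false;
    return cd_offset <= cdir_end - cd_size;
}

/* CVE-2012-1162 pattern: a do-while body always runs once, so with nentry == 0
 * the first iteration writes to cd->entry+0 inside a 0-byte allocation. This
 * model returns the number of entries written, or -1 if a write would land out
 * of bounds (instead of actually performing it). */
int entries_written_dowhile(uint16_t nentry, size_t left)
{
    unsigned i = 0;
    do {
        if (i >= nentry)
            return -1;                 /* cd->entry+i is past the allocation */
        i++;
        left = left > ENTRY_LEN ? left - ENTRY_LEN : 0;
    } while (i < nentry && left > 0);
    return (int)i;
}

/* Pretest loop: the condition is checked before the first write. */
int entries_written_while(uint16_t nentry, size_t left)
{
    unsigned i = 0;
    while (i < nentry && left > 0) {
        i++;
        left = left > ENTRY_LEN ? left - ENTRY_LEN : 0;
    }
    return (int)i;
}
```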
