Package: libzip
Version: 0.10-1
Followup-For: Bug #664990
User: [email protected]
Usertags: origin-ubuntu precise ubuntu-patch



In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: arbitrary code execution or information leak via
    heap overflow and numeric overflow.
    - debian/patches/CVE-2012-116x.patch: fix overflow and loop in
      lib/zip_open.c.
    - CVE-2012-1162
    - CVE-2012-1163


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers precise-updates
  APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-20-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libzip-0.10/debian/changelog libzip-0.10/debian/changelog
diff -Nru libzip-0.10/debian/patches/CVE-2012-116x.patch libzip-0.10/debian/patches/CVE-2012-116x.patch
--- libzip-0.10/debian/patches/CVE-2012-116x.patch	1969-12-31 19:00:00.000000000 -0500
+++ libzip-0.10/debian/patches/CVE-2012-116x.patch	2012-03-28 15:09:02.000000000 -0400
@@ -0,0 +1,35 @@
+Description: fix arbitrary code execution or information leak via
+ heap overflow and numeric overflow
+Origin: upstream, http://hg.nih.at/libzip?cs=cb69d6146a09
+
+Index: libzip-0.10/lib/zip_open.c
+===================================================================
+--- libzip-0.10.orig/lib/zip_open.c	2011-03-16 07:18:44.000000000 -0400
++++ libzip-0.10/lib/zip_open.c	2012-03-28 15:04:52.785990360 -0400
+@@ -200,7 +200,7 @@
+     cd->comment = NULL;
+     cd->comment_len = _zip_read2(&cdp);
+ 
+-    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {
++    if (((zip_uint64_t)cd->offset)+cd->size > buf_offset + (eocd-buf)) {
+ 	/* cdir spans past EOCD record */
+ 	_zip_error_set(error, ZIP_ER_INCONS, 0);
+ 	cd->nentry = 0;
+@@ -257,7 +257,7 @@
+ 
+     left = cd->size;
+     i=0;
+-    do {
++    while (i<cd->nentry && left > 0) {
+ 	if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
+ 	    cd->nentry = i;
+ 	    _zip_cdir_free(cd);
+@@ -274,7 +274,7 @@
+ 		return NULL;
+ 	    }
+ 	}
+-    } while (i<cd->nentry && left > 0);
++    }
+ 
+     cd->nentry = i;
+     
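Review bot: In the rewritten loop in lib/zip_open.c, `while (i<cd->nentry && left > 0)` can now finish without reading a single entry when cd->size is 0 but cd->nentry is non-zero, and the following `cd->nentry = i;` then silently shrinks the entry count instead of reporting the mismatch. Consider treating `i < cd->nentry` after the loop as an inconsistency and setting ZIP_ER_INCONS, the same way the first hunk does when the central directory spans past the EOCD record. In the first hunk the cast widens only the left-hand sum; the types of buf_offset and (eocd-buf) are not visible here, so it is worth confirming the right-hand side cannot wrap or go negative before the comparison. On the documentation side, the patch header gives Description and Origin only: adding a Bug-Debian reference to #664990 and stating which of CVE-2012-1162 and CVE-2012-1163 each of the two changes addresses would make the file self-explanatory.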
diff -Nru libzip-0.10/debian/patches/series libzip-0.10/debian/patches/series
--- libzip-0.10/debian/patches/series	2011-05-01 10:50:49.000000000 -0400
+++ libzip-0.10/debian/patches/series	2012-03-28 15:03:20.000000000 -0400
@@ -1,2 +1,3 @@
 fix_open_nonarchive_test.patch
 fix_zipconf_path.patch
+CVE-2012-116x.patch
