forwarded 847485 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
thanks

On Thu, 8 Dec 2016, Salvatore Bonaccorso wrote:

> Source: unzip
> Version: 6.0-16
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerability was published for unzip.
> 
> CVE-2014-9913[0]:
> Buffer overflow in "unzip -l" via list_files() in list.c

And this is where I'm in doubt.

I could do the same as in the other CVE, and it would result in a patch
like the first one I attach.

But the end result is a little bit ugly to my taste and I would prefer
that unknown compression methods are always expressed in hexadecimal,
no matter what, as in the second patch attached.

So I've asked the author about what he will do in the phpbb thread
at the top.

BTW: It took me a while to realize how the two CVEs are different
indeed, even if "unzip -l" and "zipinfo" are "equivalent" and the
programs themselves are hardlinked. Hopefully, by looking at the
patches, it should be clear where the bugs are exactly.

Thanks a lot.
--- a/list.c
+++ b/list.c
@@ -339,7 +339,14 @@ int list_files(__G)    /* return PK-type error code */
                 G.crec.compression_method == ENHDEFLATED) {
                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
             } else if (methnum >= NUM_METHODS) {
-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
+                /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
+                 * Use the old decimal format only for values which fit.
+                 */
+                if (G.crec.compression_method <= 999) {
+                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
+                } else {
+                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
+                }
             }
 
 #if 0       /* GRR/Euro:  add this? */
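Review bot: the two new branches write at different offsets (&methbuf[4] for the decimal case, &methbuf[3] for the hex case), so the hex branch overwrites methbuf[3] and the printed form of an unknown method changes shape depending on its value; both calls also remain unbounded sprintf and only stay inside the buffer as long as compression_method is at most 16 bits wide. Suggest writing through snprintf(methbuf, sizeof(methbuf), ...) (or masking the value with & 0xFFFF) so a wider value cannot reintroduce the overflow, and adding a comment stating the buffer size that the two offsets rely on.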
--- a/list.c
+++ b/list.c
@@ -339,7 +339,7 @@ int list_files(__G)    /* return PK-type error code */
                 G.crec.compression_method == ENHDEFLATED) {
                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
             } else if (methnum >= NUM_METHODS) {
-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
+                sprintf(&methbuf[0], "U0x%04X", G.crec.compression_method);
             }
 
 #if 0       /* GRR/Euro:  add this? */
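Review bot: "U0x%04X" written at &methbuf[0] emits exactly seven characters plus the terminating NUL, which fits only if methbuf holds at least 8 bytes and compression_method never exceeds 0xFFFF; neither assumption is enforced by the line itself. Suggest snprintf(methbuf, sizeof(methbuf), "U0x%04X", G.crec.compression_method) so the bound is tied to the declaration, and a note in the commit message that every unknown method, including values below 1000 that were previously printed as "%03u" decimal, now changes its displayed form, since scripts parsing "unzip -l" output may depend on it.

The offset arithmetic both patches depend on, as an added example that is not from this thread or from the unzip sources: it measures, for a given compression_method value, how many bytes the original "%03u"-at-offset-4 form and the second patch's "U0x%04X" form need, compares them with an 8-byte buffer (the size is an assumption of this example, not a value taken from list.c), and shows a bounded snprintf replacement that reports truncation instead of overflowing. The function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of unzip's method-name buffer. The patches in the thread
 * rely on its size; 8 is an assumption for this example, not taken from
 * list.c. */
#define METHBUF_SIZE 8

/* Bytes needed by the original "%03u" form written at &methbuf[4]
 * (offset 4 + digits + NUL). snprintf(NULL, 0, ...) only measures,
 * it writes nothing. */
int decimal_form_bytes(unsigned method)
{
    int digits = snprintf(NULL, 0, "%03u", method);
    return 4 + digits + 1;
}

int decimal_form_fits(unsigned method)
{
    return decimal_form_bytes(method) <= METHBUF_SIZE;
}

/* Bytes needed by the second patch's "U0x%04X" form written at &methbuf[0].
 * The mask keeps the value to 16 bits, so the width is always 4 hex digits. */
int hex_form_bytes(unsigned method)
{
    int len = snprintf(NULL, 0, "U0x%04X", method & 0xFFFFu);
    return len + 1;
}

int hex_form_fits(unsigned method)
{
    return hex_form_bytes(method) <= METHBUF_SIZE;
}

/* Smallest 16-bit method value for which the decimal form no longer fits. */
unsigned first_overflowing_decimal(void)
{
    unsigned m;
    for (m = 0; m <= 0xFFFFu; m++) {
        if (!decimal_form_fits(m))
            return m;
    }
    return 0x10000u; /* sentinel: no 16-bit value overflows */
}

/* Bounded formatter: the hex form through snprintf, so an oversized buffer
 * or value truncates instead of overflowing. Returns 1 only if the whole
 * string (plus NUL) fit in bufsize. */
int format_unknown_method(char *buf, size_t bufsize, unsigned method)
{
    int n = snprintf(buf, bufsize, "U0x%04X", method & 0xFFFFu);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char methbuf[METHBUF_SIZE];
    /* Constructed sample values around the decimal boundary and the 16-bit max. */
    unsigned samples[] = { 0, 99, 999, 1000, 12345, 0xFFFF };
    size_t i;

    printf("buffer size: %d bytes\n", METHBUF_SIZE);
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned m = samples[i];
        printf("method %5u: decimal form needs %2d bytes (%s), hex form needs %d (%s)\n",
               m, decimal_form_bytes(m), decimal_form_fits(m) ? "fits" : "OVERFLOW",
               hex_form_bytes(m), hex_form_fits(m) ? "fits" : "OVERFLOW");
    }
    printf("first method value overflowing the decimal form: %u\n",
           first_overflowing_decimal());
    if (format_unknown_method(methbuf, sizeof methbuf, 0xABCD))
        printf("bounded hex form: %s\n", methbuf);
    return 0;
}
```

Run stand-alone, the loop shows the decimal form needing 9 bytes at method 1000 and 10 bytes at 65535 against an 8-byte buffer, which is the overflow the first patch guards with its `<= 999` test, while the hex form needs exactly 8 bytes for every 16-bit value, which is why the second patch can drop the branch entirely.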
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team