Launchpad has imported 6 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=431438.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-02-04T15:16:58+00:00 Tomas wrote:

Tavis Ormandy has discovered a flaw in unzip that can cause unzip to attempt to free() a memory block pointed to by an uninitialized pointer, or a memory block which was already freed. This can cause unzip to crash (SEGV) during extraction of a malicious zip file, possibly allowing code execution.

Further details from Tavis: the inflate_dynamic() routine (~978, inflate.c) uses a macro NEEDBITS() that jumps execution to a cleanup routine on error; this routine attempts to free() two buffers allocated during the inflate process. At certain locations, the NEEDBITS() macro is used while the pointers are not pointing to valid buffers: they are either uninitialised or pointing inside a block that has already been free()d (i.e., not pointing at the block, but at a location inside it).

Acknowledgements: Red Hat would like to thank Tavis Ormandy of the Google Security Team for reporting this issue.

Reply at: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/0

------------------------------------------------------------------------
On 2008-02-04T15:20:50+00:00 Tomas wrote:

Created attachment 293893
Patch against 5.5.2 proposed by Tavis

Reply at: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/1

------------------------------------------------------------------------
On 2008-03-07T13:35:22+00:00 Josh wrote:

This flaw is a crash only on Red Hat Enterprise Linux 4 and 5, as glibc will not allow a free on an invalid pointer.

Reply at: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/2

------------------------------------------------------------------------
On 2008-03-18T07:30:08+00:00 Tomas wrote:

Public now:
http://taviso.decsystem.org/research.html
https://issues.rpath.com/browse/RPL-2317
http://marc.info/?l=full-disclosure&m=120579856512587&w=4

Reply at: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/3

------------------------------------------------------------------------
On 2008-03-18T07:55:10+00:00 Tomas wrote:

The issue is also caught on Fedora 7/8 by malloc/free checks, only causing a client application DoS, which is not considered a security issue. I've filed a tracking bug for rawhide, so that this issue is addressed in future Fedora and Red Hat Enterprise Linux versions.

Reply at: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/4

------------------------------------------------------------------------
On 2008-07-25T08:27:58+00:00 Red wrote:

This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0196.html

Reply at: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/comments/8

** Changed in: unzip (Fedora)
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/203461

Title:
  [unzip] [CVE-2008-0888] potential code execution

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/203461/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
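As an added illustration, not code from the report, from unzip or from Red Hat, the constructed toy decoder below models the cleanup-label pattern Tavis describes (a NEEDBITS-style macro that bails out to a label which free()s the working buffers) together with the three habits that keep such a bail-out from freeing an uninitialised or interior pointer. The block format, macro names and sample inputs are invented for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed toy decoder (not unzip): a NEEDBITS-style macro jumps to a
 * cleanup label on truncated input, and cleanup free()s the working buffers.
 * Invented block format: [len][len literal bytes][1 trailer byte]. */
typedef struct { const unsigned char *p; size_t n; } stream_t;
/* Like NEEDBITS(): demand k more input bytes or bail out to cleanup. */
#define NEEDBYTES(s, k) do { if ((s)->n < (k)) goto cleanup; } while (0)
#define TAKE(s, k)      do { (s)->p += (k); (s)->n -= (k); } while (0)

/* Returns literal bytes written to out (<= outcap); 0 on truncated input.
 * Defences against the failure modes named in the report:
 *  (1) both buffers are NULL before the first NEEDBYTES, so an early bail-out
 *      frees nothing (free(NULL) is a no-op);
 *  (2) cleanup frees only each allocation's base pointer, never the cursor
 *      that walks inside it;
 *  (3) a pointer is set to NULL right after free(), so cleanup cannot double-free. */
size_t decode_block(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outcap)
{
    stream_t s = { in, inlen };
    unsigned char *lit = NULL, *tmp = NULL;          /* (1) */
    const unsigned char *cursor;                     /* interior pointer */
    size_t len, copied = 0;
    NEEDBYTES(&s, 1);                     /* bail here: nothing allocated */
    len = s.p[0]; TAKE(&s, 1);
    lit = malloc(len ? len : 1);
    tmp = malloc(16);                     /* scratch, as inflate keeps two */
    if (!lit || !tmp) goto cleanup;
    NEEDBYTES(&s, len);                   /* bail here: both buffers live */
    memcpy(lit, s.p, len); TAKE(&s, len);
    free(tmp); tmp = NULL;                /* (3) */
    NEEDBYTES(&s, 1);                     /* trailer; bail here: lit live, tmp NULL */
    TAKE(&s, 1);
    copied = len < outcap ? len : outcap;
    for (cursor = lit; cursor < lit + copied; cursor++)
        out[cursor - lit] = *cursor;      /* cursor ends inside/just past lit */
cleanup:
    free(lit);                            /* (2) base pointers only */
    free(tmp);
    return copied;
}

/* Constructed sample inputs: one complete block and two truncated ones. */
const unsigned char SAMPLE_GOOD[]   = { 3, 'a', 'b', 'c', 0xFF };
const unsigned char SAMPLE_SHORT[]  = { 3, 'a' };        /* cut inside literals */
const unsigned char SAMPLE_NOTAIL[] = { 2, 'x', 'y' };   /* trailer missing */
static unsigned char g_out[8];                          /* output for the samples */
size_t decode_sample(const unsigned char *in, size_t n)
{ memset(g_out, 0, sizeof g_out); return decode_block(in, n, g_out, sizeof g_out); }
const unsigned char *decode_sample_out(void) { return g_out; }
```

Running the truncated samples under a malloc-checking libc or a sanitizer is a quick way to confirm that every bail-out path frees only live base pointers.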
