*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Mike Salvatore
(mikesalvatore):
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:        18.04
Codename:       bionic

unzip:
  Installed: 6.0-21ubuntu1
  Candidate: 6.0-21ubuntu1
The current version of unzip will crash with a heap overflow. I have
attached crash.zip to reproduce the issue. Normal unpacking or testing
the archive with the -t argument is enough to trigger the bug. This is the
only place that I have reported the issue to.
ASAN:
==13994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000490f at pc 0x7f6f788eb8f9 bp 0x7ffd1c67ec30 sp 0x7ffd1c67e3c0
WRITE of size 8210 at 0x62500000490f thread T0
    #0 0x7f6f788eb8f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
    #1 0x7f6f788ebc86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
    #2 0x55b5a10ccc87 in UzpPassword fileio.c:1594
    #3 0x55b5a1097ddb in decrypt crypt.c:513
    #4 0x55b5a10b6f2e in extract_or_test_entrylist extract.c:1284
    #5 0x55b5a10b6f2e in extract_or_test_files extract.c:586
    #6 0x55b5a1101f24 in do_seekable process.c:987
    #7 0x55b5a1108e56 in process_zipfiles process.c:401
    #8 0x55b5a1093566 in unzip unzip.c:1278
    #9 0x7f6f7826db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x55b5a108afb9 in _start (/home/user/unzip-asan/unzip-6.0/unzip+0x17fb9)

0x62500000490f is located 0 bytes to the right of 8207-byte region [0x625000002900,0x62500000490f)
allocated by thread T0 here:
    #0 0x7f6f7892bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55b5a10ccbfc in UzpPassword fileio.c:1593

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf
Shadow bytes around the buggy address:
0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8920: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13994==ABORTING
GDB:
*** buffer overflow detected ***: /home/user/unzip-dbg/unzip-6.0/unzip terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7814801 in __GI_abort () at abort.c:79
#2  0x00007ffff785d897 in __libc_message (action=action@entry=(do_abort | do_backtrace), fmt=fmt@entry=0x7ffff798a988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff7908cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, msg=msg@entry=0x7ffff798a905 "buffer overflow detected") at fortify_fail.c:33
#4  0x00007ffff7908d21 in __GI___fortify_fail (msg=msg@entry=0x7ffff798a905 "buffer overflow detected") at fortify_fail.c:44
#5  0x00007ffff7906a10 in __GI___chk_fail () at chk_fail.c:28
#6  0x00007ffff7905f29 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#7  0x00007ffff7862494 in __GI__IO_default_xsputn (f=0x7fffffffd8b0, data=<optimized out>, n=11) at genops.c:417
#8  0x00007ffff782f9aa in _IO_vfprintf_internal (s=s@entry=0x7fffffffd8b0, format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ", ap=ap@entry=0x7fffffffd9f0) at vfprintf.c:1674
#9  0x00007ffff7905fcb in ___vsprintf_chk (s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=1, slen=8207, format=0x555555578b90 <PasswPrompt> "[%s] %s password: ", args=args@entry=0x7fffffffd9f0) at vsprintf_chk.c:82
#10 0x00007ffff7905efa in ___sprintf_chk (s=s@entry=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=flags@entry=1, slen=slen@entry=8207, format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ") at sprintf_chk.c:31
#11 0x0000555555562c95 in sprintf (__fmt=<synthetic pointer>, __s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"...) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#12 UzpPassword (pG=<optimized out>, rcnt=<optimized out>, pwbuf=0x555555890280 '\a' <repeats 88 times>, "! ", size=81, zfn=0x5555558715c0 <G+988384> "crash.zip", efn=0x555555870420 <G+983872> "dri", '\a' <repeats 197 times>...) at fileio.c:1594
#13 0x000055555555adf3 in decrypt (passwrd=<optimized out>) at crypt.c:513
#14 0x000055555555de54 in extract_or_test_entrylist (numchunk=numchunk@entry=1, pfilnum=pfilnum@entry=0x7fffffffdc58, pnum_bad_pwd=pnum_bad_pwd@entry=0x7fffffffdc60, pold_extra_bytes=pold_extra_bytes@entry=0x7fffffffdc68, pnum_dirs=pnum_dirs@entry=0x7fffffffdc54, pdirlist=pdirlist@entry=0x7fffffffdc70, error_in_archive=51) at extract.c:1284
#15 0x0000555555560488 in extract_or_test_files () at extract.c:586
#16 0x00005555555682b2 in do_seekable (lastchance=lastchance@entry=0) at process.c:987
#17 0x00005555555691f7 in process_zipfiles () at process.c:401
#18 0x000055555555a58e in unzip (argc=<optimized out>, argv=<optimized out>) at unzip.c:1278
#19 0x00007ffff77f5b97 in __libc_start_main (main=0x555555558190 <main>, argc=3, argv=0x7fffffffdf28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf18) at ../csu/libc-start.c:310
#20 0x00005555555581da in _start ()
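The two traces above pin the defect down to one pattern: UzpPassword (fileio.c:1593-1594) allocates a fixed 8207-byte prompt buffer and then fills it with an unbounded sprintf of "[%s] %s password: ", where the second %s is the archive member name, so a member name long enough pushes the write to 8210 bytes. The block below is an added example (not unzip's own code, and not a patch for it) that models that arithmetic and shows the two defensive fixes a maintainer would reach for: measure the formatted length with snprintf(NULL, 0, ...) and allocate exactly that, or write into the fixed buffer with a bounded snprintf that truncates instead of overflowing. The format string is quoted from the GDB frames; the region size 8207 and write size 8210 come from the ASAN report; all function names, the member-name length 8186 and the all-'A' test name are constructed here and not taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format string as it appears in the GDB frames (<PasswPrompt>). */
static const char PasswPrompt[] = "[%s] %s password: ";

/* Hypothetical helper (not unzip's): bytes the formatted prompt needs,
 * including the terminating NUL, measured from the actual arguments. */
size_t prompt_len_needed(const char *zfn, const char *efn)
{
    int n = snprintf(NULL, 0, PasswPrompt, zfn, efn);
    return (n < 0) ? 0 : (size_t)n + 1;
}

/* Would an unbounded sprintf of these names run past a 'bufsize'-byte
 * buffer? Pure arithmetic: nothing is written anywhere. */
int would_overflow(size_t bufsize, const char *zfn, const char *efn)
{
    return prompt_len_needed(zfn, efn) > bufsize;
}

/* Fix 1: size the allocation from the arguments instead of a fixed guess.
 * Caller frees the returned string. */
char *build_prompt(const char *zfn, const char *efn)
{
    size_t need = prompt_len_needed(zfn, efn);
    if (need == 0)
        return NULL;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, need, PasswPrompt, zfn, efn);
    if (n < 0 || (size_t)n >= need) {  /* cannot happen after measuring, kept defensive */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Fix 2: the caller owns a fixed buffer (as unzip does). snprintf truncates
 * at bufsize-1 and NUL-terminates; returns 1 if truncation happened, 0 if
 * the prompt fit, -1 on error. */
int build_prompt_bounded(char *buf, size_t bufsize, const char *zfn, const char *efn)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, PasswPrompt, zfn, efn);
    if (n < 0)
        return -1;
    return ((size_t)n >= bufsize) ? 1 : 0;
}

/* Constructed test input: a member name of n printable bytes. Caller frees. */
char *make_member_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Wrappers over the constructed input so each check is a single call. */
size_t needed_for_name_len(size_t n)
{
    char *efn = make_member_name(n);
    if (efn == NULL)
        return 0;
    size_t r = prompt_len_needed("crash.zip", efn);
    free(efn);
    return r;
}

int bounded_result_for_name_len(size_t bufsize, size_t n)
{
    char *efn = make_member_name(n);
    char *buf = malloc(bufsize);
    int r = -1;
    if (efn != NULL && buf != NULL)
        r = build_prompt_bounded(buf, bufsize, "crash.zip", efn);
    free(buf);
    free(efn);
    return r;
}

int main(void)
{
    /* 8207 is the region size from the ASAN report; 8186 is chosen so that
     * "[crash.zip] " (12) + name + " password: " (11) + NUL = 8210 bytes. */
    const size_t region = 8207, name_len = 8186;
    size_t need = needed_for_name_len(name_len);
    printf("prompt needs %zu bytes, region holds %zu: %s\n", need, region,
           need > region ? "unbounded sprintf overflows" : "fits");
    printf("bounded snprintf into the same region: %s\n",
           bounded_result_for_name_len(region, name_len) == 1
               ? "truncated, no overflow" : "fits");
    return 0;
}
```

The measure-then-allocate form is the better fix for a prompt, since a truncated prompt would silently hide part of the member name from the user; the bounded form is the minimal change when the buffer size cannot be revisited. Either way the check to keep in review is that the buffer size and the format's worst-case expansion are tied to each other, not chosen independently.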
** Affects: unzip (Ubuntu)
Importance: Undecided
Status: New
--
Heap Buffer Overflow in UzpPassword
https://bugs.launchpad.net/bugs/1824530
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs