Debian Bug report logs - #279867
zip: Possibly security relevant buffer overflow (CAN-2004-1010)

Package: zip; Maintainer for zip is Santiago Vila <sanvila@debian.org>; Source for zip is src:zip (PTS, buildd, popcon).

Reported by: Martin Pitt <mpitt@debian.org>

Date: Fri, 5 Nov 2004 14:03:02 UTC

Severity: important

Tags: security, woody

Found in version 2.30-6

Fixed in version zip/2.30-7

Done: Santiago Vila <sanvila@unex.es>

Bug is archived. No further changes may be made.

Forwarded to http://www.info-zip.org/zip-bug.html


Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zip: Possibly security relevant buffer overflow (CAN-2004-1010)
Date: Fri, 5 Nov 2004 14:50:40 +0100
Package: zip
Version: 2.30-6
Severity: important
Tags: security patch

Hi!

CAN-2004-1010 describes a buffer overflow in zip, when it processes
very long file names. Details are at 

  http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html

I prepared an updated Ubuntu package which fixes the segfault and
exits the program cleanly instead. The interdiff is at

  http://patches.ubuntulinux.org/patches/zip.CAN-2004-1010.diff

I don't think that severity "grave" is appropriate, so I used
important. Raise the severity if you disagree.

Thanks for considering and have a nice day!

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8

Versions of packages zip depends on:
ii  libc6                       2.3.2.ds1-18 GNU C Library: Shared libraries an

-- no debconf information

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #10 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Martin Pitt <mpitt@debian.org>
Cc: 279867@bugs.debian.org
Subject: Re: zip: Possibly security relevant buffer overflow (CAN-2004-1010)
Date: Sun, 7 Nov 2004 18:12:27 +0100 (CET)
On Fri, 5 Nov 2004, Martin Pitt wrote:

> Package: zip
> Version: 2.30-6
> Severity: important
> Tags: security patch
> 
> Hi!
> 
> CAN-2004-1010 describes a buffer overflow in zip, when it processes
> very long file names. Details are at 
> 
>   http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html
> 
> I prepared an updated Ubuntu package which fixes the segfault and
> exits the program cleanly instead. The interdiff is at
> 
>   http://patches.ubuntulinux.org/patches/zip.CAN-2004-1010.diff
> 
> I don't think that severity "grave" is appropriate, so I used
> important. Raise the severity if you disagree.

Thanks a lot for the report. I will try to contact upstream about this
(they have now a web page instead of an email address).



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #15 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Martin Pitt <mpitt@debian.org>
Cc: 279867@bugs.debian.org, control@bugs.debian.org
Subject: Re: zip: Possibly security relevant buffer overflow (CAN-2004-1010)
Date: Wed, 10 Nov 2004 18:10:42 +0100 (CET)
forwarded 279867 http://www.info-zip.org/zip-bug.html
thanks

I have filled the above form with the following text:

--------------------------------------------------------------
Hello.

I've received the following report from the Debian bug system:

http://bugs.debian.org/279867

Please reply to 279867@bugs.debian.org.
--------------------------------------------------------------



Noted your statement that Bug has been forwarded to http://www.info-zip.org/zip-bug.html. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #22 received at 279867-close@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@debian.org>
To: 279867-close@bugs.debian.org
Subject: Bug#279867: fixed in zip 2.30-7
Date: Wed, 10 Nov 2004 13:32:23 -0500
Source: zip
Source-Version: 2.30-7

We believe that the bug you reported is fixed in the latest version of
zip, which is due to be installed in the Debian FTP archive:

zip_2.30-7.diff.gz
  to pool/main/z/zip/zip_2.30-7.diff.gz
zip_2.30-7.dsc
  to pool/main/z/zip/zip_2.30-7.dsc
zip_2.30-7_i386.deb
  to pool/main/z/zip/zip_2.30-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 279867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated zip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 10 Nov 2004 19:10:28 +0100
Source: zip
Binary: zip
Architecture: source i386
Version: 2.30-7
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 zip        - Archiver for .zip files
Closes: 279867
Changes: 
 zip (2.30-7) unstable; urgency=medium
 .
   * Fixed buffer overflow in unix.c, which happens when creating archives
     with very long file names (Closes: #279867). This is CAN-2004-1010.
     Patch by Martin Pitt, gives an error if len >= FNMAX. Thanks a lot.
Files: 
 cf4a42feab2ebdeda189e8ed4ac352bc 551 utils optional zip_2.30-7.dsc
 d3370faf0c4f9461cb6aaa0d600e3c5d 15635 utils optional zip_2.30-7.diff.gz
 aecf785102ace01baf19df374667bed1 88672 utils optional zip_2.30-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBklnzd9Uuvj7yPNYRAss7AKCkpzMdwjAvAbIKodQh7Fxit3XEEQCcD+rP
49/nIjz0ciroCr/CcM30rek=
=WwMd
-----END PGP SIGNATURE-----
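
The 2.30-7 changelog above describes the fix as giving an error if len >= FNMAX. The following is an added illustration of that kind of length check on a path join. It is not the Info-ZIP or Debian patch; the function names, the FNMAX value of 1024 and the constructed 255-character components are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration: the changelog names FNMAX but not its value. */
#define FNMAX 1024

enum { JOIN_OK = 0, JOIN_TOO_LONG = -1, JOIN_BAD_ARG = -2 };

/*
 * Build "dir/name" in out[outsz]; refuse instead of writing past the buffer.
 * The unchecked form of this operation is strcpy()/strcat() into a fixed
 * char[FNMAX]: every component can be legal on its own (<= 255 bytes) while
 * the joined path of a deep tree is longer than the buffer.
 * out must not alias dir or name.
 */
int join_path_checked(char *out, size_t outsz, const char *dir, const char *name)
{
    size_t dlen, nlen, sep, room;

    if (out == NULL || dir == NULL || name == NULL || outsz == 0)
        return JOIN_BAD_ARG;
    out[0] = '\0';                 /* never leave stale data on failure */

    dlen = strlen(dir);
    nlen = strlen(name);
    sep = (dlen > 0 && dir[dlen - 1] != '/') ? 1 : 0;

    /* Subtract from the buffer size rather than adding lengths, so the
     * comparison itself cannot wrap around. */
    if (dlen >= outsz)
        return JOIN_TOO_LONG;
    room = outsz - dlen;           /* bytes left, including the NUL */
    if (sep >= room)
        return JOIN_TOO_LONG;
    room -= sep;
    if (nlen >= room)              /* same shape as "error if len >= FNMAX" */
        return JOIN_TOO_LONG;

    memcpy(out, dir, dlen);
    if (sep)
        out[dlen] = '/';
    memcpy(out + dlen + sep, name, nlen + 1);   /* copies the NUL too */
    return JOIN_OK;
}

/*
 * Simulate a recursive walk through `levels` nested directories whose names
 * are component_len bytes each (constructed input). Returns the first level
 * at which the join is refused, 0 if every level fits, -1 on bad input.
 */
int first_refused_level(size_t component_len, int levels)
{
    char cur[FNMAX] = "", next[FNMAX], comp[FNMAX];
    int lvl;

    if (component_len >= sizeof comp)
        return -1;
    memset(comp, 'a', component_len);
    comp[component_len] = '\0';

    for (lvl = 1; lvl <= levels; lvl++) {
        if (join_path_checked(next, sizeof next, cur, comp) != JOIN_OK)
            return lvl;            /* clean error instead of an overflow */
        memcpy(cur, next, strlen(next) + 1);
    }
    return 0;
}

int main(void)
{
    printf("255-byte names, 9 levels: refused at level %d\n",
           first_refused_level(255, 9));
    printf("10-byte names, 9 levels: refused at level %d\n",
           first_refused_level(10, 9));
    return 0;
}
```
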




Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #27 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 279867@bugs.debian.org
Subject: Is woody impacted as well?
Date: Fri, 12 Nov 2004 17:10:48 +0100
Hello,
is woody impacted as well (and if so, is a package under way)? Maybe
this bug should be re-opened and tagged woody?

I used the procedure explained in
http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html

(I could not create 256 character directories, so I used 9 levels with
255 characters, and entered the first), and running the zip command in
gdb I get:

(gdb) set args -r file.zip *
(gdb) run
Starting program: /usr/bin/zip -r file.zip *
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x0805109e in error ()
(gdb) where
#0  0x0805109e in error ()
#1  0x61616161 in ?? ()
Cannot access memory at address 0x61616161

So to me woody looks impacted!

Greetings

         Helge
-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #32 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: Is woody impacted as well?
Date: Fri, 12 Nov 2004 18:30:20 +0100 (CET)
On Fri, 12 Nov 2004, Helge Kreutzmann wrote:

> Hello,
> is woody impacted as well (and if so, is a package under way)? Maybe
> this bug should be re-opened and tagged woody?
> 
> I used the procedure explained in
> http://lists.netsys.com/pipermail/full-disclosure/2004-November/028379.html
> 
> (I could not create 256 character directories, so I used 9 levels with
> 255 characters, and entered the first), and running the zip command in
> gdb I get:
> 
> (gdb) set args -r file.zip *
> (gdb) run
> Starting program: /usr/bin/zip -r file.zip *
> (no debugging symbols found)...(no debugging symbols found)...
> Program received signal SIGSEGV, Segmentation fault.
> 0x0805109e in error ()
> (gdb) where
> #0  0x0805109e in error ()
> #1  0x61616161 in ?? ()
> Cannot access memory at address 0x61616161
> 
> So to me woody looks impacted!

Yes, but this is only a problem if you zip files and directories not
owned by yourself, so I'm not sure about how serious it is.

Security team: Should I upload a fixed package for stable too?



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #37 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Santiago Vila <sanvila@unex.es>
Cc: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: Is woody impacted as well?
Date: Fri, 12 Nov 2004 12:13:08 -0800
On Fri, Nov 12, 2004 at 06:30:20PM +0100, Santiago Vila wrote:

> On Fri, 12 Nov 2004, Helge Kreutzmann wrote:
> > #1  0x61616161 in ?? ()
> > Cannot access memory at address 0x61616161
> > 
> > So to me woody looks impacted!
> 
> Yes, but this is only a problem if you zip files and directories not
> owned by yourself, so I'm not sure about how serious it is.
> 
> Security team: Should I upload a fixed package for stable too?

Since a reasonable application of zip is to perform some types of backups,
yes, I think it is appropriate.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #42 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Santiago Vila <sanvila@unex.es>, Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: Is woody impacted as well?
Date: Sat, 13 Nov 2004 07:52:19 +0100
Matt Zimmerman wrote:
> On Fri, Nov 12, 2004 at 06:30:20PM +0100, Santiago Vila wrote:
> 
> > On Fri, 12 Nov 2004, Helge Kreutzmann wrote:
> > > #1  0x61616161 in ?? ()
> > > Cannot access memory at address 0x61616161
> > > 
> > > So to me woody looks impacted!
> > 
> > Yes, but this is only a problem if you zip files and directories not
> > owned by yourself, so I'm not sure about how serious it is.
> > 
> > Security team: Should I upload a fixed package for stable too?
> 
> Since a reasonable application of zip is to perform some types of backups,
> yes, I think it is appropriate.

The impact is very low.

Are you going to handle this?  If not, I'll need to add it to my list.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #47 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Santiago Vila <sanvila@unex.es>, Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: Is woody impacted as well?
Date: Fri, 12 Nov 2004 23:04:33 -0800
On Sat, Nov 13, 2004 at 07:52:19AM +0100, Martin Schulze wrote:

> Matt Zimmerman wrote:
> > On Fri, Nov 12, 2004 at 06:30:20PM +0100, Santiago Vila wrote:
> > 
> > > On Fri, 12 Nov 2004, Helge Kreutzmann wrote:
> > > > #1  0x61616161 in ?? ()
> > > > Cannot access memory at address 0x61616161
> > > > 
> > > > So to me woody looks impacted!
> > > 
> > > Yes, but this is only a problem if you zip files and directories not
> > > owned by yourself, so I'm not sure about how serious it is.
> > > 
> > > Security team: Should I upload a fixed package for stable too?
> > 
> > Since a reasonable application of zip is to perform some types of backups,
> > yes, I think it is appropriate.
> 
> The impact is very low.
> 
> Are you going to handle this?  If not, I'll need to add it to my list.

Patches are available and the package is already prepared, no?

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #52 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Santiago Vila <sanvila@unex.es>, Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: Is woody impacted as well?
Date: Sat, 13 Nov 2004 09:34:46 +0100
Matt Zimmerman wrote:
> > > Since a reasonable application of zip is to perform some types of backups,
> > > yes, I think it is appropriate.
> > 
> > The impact is very low.
> > 
> > Are you going to handle this?  If not, I'll need to add it to my list.
> 
> Patches are available and the package is already prepared, no?

Yes.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #57 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Santiago Vila <sanvila@unex.es>, Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: Is woody impacted as well?
Date: Sat, 13 Nov 2004 09:56:50 -0800
On Sat, Nov 13, 2004 at 09:34:46AM +0100, Martin Schulze wrote:

> Matt Zimmerman wrote:
> > > > Since a reasonable application of zip is to perform some types of backups,
> > > > yes, I think it is appropriate.
> > > 
> > > The impact is very low.
> > > 
> > > Are you going to handle this?  If not, I'll need to add it to my list.
> > 
> > Patches are available and the package is already prepared, no?
> 
> Yes.

I will take care of the advisory.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Greg Roelofs <newt@pobox.com>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #62 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Greg Roelofs <newt@pobox.com>
To: qtopic+27-V6ZQZ54uKNL@quicktopic.com
Cc: 279867@bugs.debian.org, auscert@auscert.org.au, bressers@redhat.com, ulf.harnhammar.9485@student.uu.se, volkerdi@slackware.com
Subject: patch: Buffer overflow in zip 2.3
Date: Sun, 14 Nov 2004 18:36:26 -0800
A buffer overflow bug in Zip 2.3 has been reported on various security
lists; it is referred to as CAN-2004-1010 and could affect systems that
use Zip to perform automated backups of untrusted user data, for example.

I've uploaded a proposed patch to the beta area:

    ftp://ftp.info-zip.org/pub/infozip/OLD/beta/zip-2.3-CAN-2004-1010-fix.dif
or
    http://ftp.info-zip.org/pub/infozip/OLD/beta/zip-2.3-CAN-2004-1010-fix.dif

It's based on one by Josh Bressers (Red Hat Security Response Team) and
works under Linux.  Please compile and test it, particularly on non-Unix
systems, and report successes and failures here (or to me) as soon as
possible.  I'd like to move the patch to the Info-ZIP public source
directory within two weeks.

Thanks,
  Greg

P.S.  I may not reply immediately (or at all, depending), but I'll do my
      best to fix problems and incorporate improvements (if any).



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #67 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 279867@bugs.debian.org
Cc: control@bugs.debian.org, mdz@debian.org
Subject: No advisory on zip (CAN-2004-1010) out yet
Date: Mon, 6 Dec 2004 16:30:05 +0100
reopen 279867
tags 279867 = security, woody
thanks

The last entry in this bug report was that an advisory will be taken
care of (for woody) (Nov. 13th). To make sure this is not lost I
reopen this bug accordingly with the proper patches.

Greetings

          Helge
-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Bug reopened, originator not changed. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. (full text, mbox, link).


Tags set to: security, woody Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #76 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 279867@bugs.debian.org
Subject: Sorry, patches -> tags
Date: Mon, 6 Dec 2004 16:44:34 +0100
Hello,
sorry for the wrong wording: s/patches/tags/ in my last mail.

Greetings

       Helge
-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #81 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: team@security.debian.org
Cc: 279867@bugs.debian.org
Subject: Re: No advisory on zip (CAN-2004-1010) out yet
Date: Tue, 21 Dec 2004 00:15:36 +0100 (CET)
Security team:

It was several weeks ago that I uploaded zip_2.30-5woody1 for stable-security
to fix this bug in stable.

In case the upload was lost, I have a copy in my home directory in gluck,
directory "zip".

If there is anything else I can/should do, please say so.

Thanks.



Reply sent to Santiago Vila <sanvila@unex.es>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #86 received at 279867-done@bugs.debian.org (full text, mbox, reply):

From: Santiago Vila <sanvila@unex.es>
To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867-done@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#279867: No advisory on zip (CAN-2004-1010) out yet
Date: Wed, 5 Jan 2005 13:31:44 +0100 (CET)
On Mon, 6 Dec 2004, Helge Kreutzmann wrote:

> reopen 279867
> tags 279867 = security, woody
> thanks
> 
> The last entry in this bug report was that an advisory will be taken
> care of (for woody) (Nov. 13th). To make sure this is not lost I
> reopen this bug accordingly with the proper patches.

zip_2.30-5woody2 is now in security.debian.org (DSA 624-1).

Closing this report.



Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#279867; Package zip. (full text, mbox, link).


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (full text, mbox, link).


Message #91 received at 279867@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Santiago Vila <sanvila@unex.es>
Cc: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 279867@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#279867: No advisory on zip (CAN-2004-1010) out yet
Date: Wed, 5 Jan 2005 15:15:21 +0100
Santiago Vila wrote:
> On Mon, 6 Dec 2004, Helge Kreutzmann wrote:
> 
> > reopen 279867
> > tags 279867 = security, woody
> > thanks
> > 
> > The last entry in this bug report was that an advisory will be taken
> > care of (for woody) (Nov. 13th). To make sure this is not lost I
> > reopen this bug accordingly with the proper patches.
> 
> zip_2.30-5woody2 is now in security.debian.org (DSA 624-1).
> 
> Closing this report.

Yes, thanks.  Sorry for the long delay.

Regards,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.



Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:44:27 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:45:48 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:06:55 2017; Machine Name: buxtehude
