Debian Bug report logs - #349794
unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability


Package: unzip; Maintainer for unzip is Santiago Vila <sanvila@debian.org>; Source for unzip is src:unzip.

Reported by: Stephen Gran <sgran@debian.org>

Date: Wed, 25 Jan 2006 10:18:36 UTC

Severity: grave

Tags: patch, security

Found in version unzip/5.52-1sarge3

Fixed in version unzip/5.52-7

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://www.info-zip.org/zip-bug.html



Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#349794; Package unzip. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Date: Wed, 25 Jan 2006 10:10:26 +0000
Package: unzip
Version: 5.52-1sarge3
Severity: grave
Tags: security

http://www.securityfocus.com/bid/15968

Thanks,

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_US.ISO-8859-1, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.ISO-8859-1)

Versions of packages unzip depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

-- no debconf information

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Message #10 received at 349794@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Stephen Gran <sgran@debian.org>, 349794@bugs.debian.org
Subject: Re: Bug#349794: unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Date: Wed, 25 Jan 2006 12:54:49 +0100 (CET)
On Wed, 25 Jan 2006, Stephen Gran wrote:

> Package: unzip
> Version: 5.52-1sarge3
> Severity: grave
> Tags: security
> 
> http://www.securityfocus.com/bid/15968

Why "grave" and "security"? AFAIK, this is not the case where a
malicious user gives you a .zip archive and your system gets
compromised if you try to unzip it.




Message #15 received at 349794@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Santiago Vila <sanvila@unex.es>
Cc: 349794@bugs.debian.org
Subject: Re: Bug#349794: unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Date: Wed, 25 Jan 2006 12:03:58 +0000
This one time, at band camp, Santiago Vila said:
> On Wed, 25 Jan 2006, Stephen Gran wrote:
> 
> > Package: unzip
> > Version: 5.52-1sarge3
> > Severity: grave
> > Tags: security
> > 
> > http://www.securityfocus.com/bid/15968
> 
> Why "grave" and "security"? AFAIK, this is not the case where a
> malicious user gives you a .zip archive and your system gets
> compromised if you try to unzip it.

Actually it appears this is exactly the case.  

http://www.securityfocus.com/bid/15968/discuss:
"This issue allows attackers to execute arbitrary machine code in the
context of users utilizing the affected application."

Granted, most of the time this will only be a local user exploit, rather
than a root level exploit, but if an application uses info-zip routines
and runs as root, it will be a root level exploit.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Message #20 received at 349794@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Stephen Gran <sgran@debian.org>
Cc: 349794@bugs.debian.org
Subject: Re: Bug#349794: unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Date: Wed, 25 Jan 2006 13:24:45 +0100 (CET)
On Wed, 25 Jan 2006, Stephen Gran wrote:

> This one time, at band camp, Santiago Vila said:
> > On Wed, 25 Jan 2006, Stephen Gran wrote:
> > 
> > > Package: unzip
> > > Version: 5.52-1sarge3
> > > Severity: grave
> > > Tags: security
> > > 
> > > http://www.securityfocus.com/bid/15968
> > 
> > Why "grave" and "security"? AFAIK, this is not the case where a
> > malicious user gives you a .zip archive and your system gets
> > compromised if you try to unzip it.
> 
> Actually it appears this is exactly the case.  
> 
> http://www.securityfocus.com/bid/15968/discuss:
> "This issue allows attackers to execute arbitrary machine code in the
> context of users utilizing the affected application."

No, it's not that case.

This one is about an insanely long command line. Normally, you can't
run unzip with an arbitrary command line unless you already have local
user access.




Message #25 received at 349794@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Santiago Vila <sanvila@unex.es>
Cc: 349794@bugs.debian.org
Subject: Re: Bug#349794: unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Date: Wed, 25 Jan 2006 12:44:51 +0000
This one time, at band camp, Santiago Vila said:
> On Wed, 25 Jan 2006, Stephen Gran wrote:
> 
> > This one time, at band camp, Santiago Vila said:
> > > On Wed, 25 Jan 2006, Stephen Gran wrote:
> > > 
> > > > Package: unzip
> > > > Version: 5.52-1sarge3
> > > > Severity: grave
> > > > Tags: security
> > > > 
> > > > http://www.securityfocus.com/bid/15968
> > > 
> > > Why "grave" and "security"? AFAIK, this is not the case where a
> > > malicious user gives you a .zip archive and your system gets
> > > compromised if you try to unzip it.
> > 
> > Actually it appears this is exactly the case.  
> > 
> > http://www.securityfocus.com/bid/15968/discuss:
> > "This issue allows attackers to execute arbitrary machine code in the
> > context of users utilizing the affected application."
> 
> No, it's not that case.
> 
> This one is about an insanely long command line. Normally, you can't
> run unzip with an arbitrary command line unless you already have local
> user access.

I was under the impression that the filename was part of the command
line.  So, I could send you an email with an insanely long filename zip
file attached and cause this overflow.  If I'm wrong, and the filename
isn't part of this vulnerability (even though the title of the report is
"UnZip File Name Buffer Overflow") then feel free to downgrade it.

I am not particularly interested in an argument about it, one way or the
other.  If you feel that it's unlikely to be exploited, then handle it
as you see fit.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Message #30 received at 349794@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Stephen Gran <sgran@debian.org>, 349794@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#349794: unzip: Info-ZIP UnZip File Name Buffer Overflow Vulnerability
Date: Wed, 25 Jan 2006 17:01:55 +0100 (CET)
forwarded 349794 http://www.info-zip.org/zip-bug.html
thanks

On Wed, 25 Jan 2006, Stephen Gran wrote:

> Package: unzip
> Version: 5.52-1sarge3
> Severity: grave
> Tags: security
> 
> http://www.securityfocus.com/bid/15968

I have forwarded this to the authors (well, as a reminder, they already knew
about this. If I remember correctly, this would be fixed in 6.0d and 5.53d,
but those beta releases do not exist yet).



Noted your statement that Bug has been forwarded to http://www.info-zip.org/zip-bug.html. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org.


Message #37 received at 349794@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 349794@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch, CVE number
Date: Fri, 10 Feb 2006 20:45:50 +0100
tag 349794 patch
thanks

Hi!

I took a stab at this bug; granted, it's not the worst one in the
world, but it should be fixed eventually.

This is the patch I used for the Ubuntu security update:

  http://patches.ubuntu.com/patches/unzip.CVE-2005-4667.diff

It works for version 5.52; 5.51 still crashes with that patch, I will
look into this as well.

Also, this has been assigned CVE-2005-4667, please mention this number
in the changelog when you fix this.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Tags added: patch. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org.


Message #44 received at 349794@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin@piware.de>
To: 349794@bugs.debian.org
Subject: Patch for 5.51
Date: Fri, 10 Feb 2006 21:16:57 +0100
Hi again,

Martin Pitt [2006-02-10 20:45 +0100]:
> It works for version 5.52; 5.51 still crashes with that patch, I will
> look into this as well.

Ok, done: 5.51 does some unsafe strcpy()s in do_wild(), which are not
present any more in 5.52. Here is the 5.51 patch, maybe it is useful
for fixing woody (which has 5.50):

  http://patches.ubuntu.com/patches/unzip-5.51.CVE-2005-4667.diff

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Message #49 received at 349794@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Martin Pitt <martin@piware.de>
Cc: 349794@bugs.debian.org
Subject: Re: Patch for 5.51
Date: Fri, 10 Mar 2006 19:54:38 +0100 (CET)
On Fri, 10 Feb 2006, Martin Pitt wrote:

> Hi again,
> 
> Martin Pitt [2006-02-10 20:45 +0100]:
> > It works for version 5.52; 5.51 still crashes with that patch, I will
> > look into this as well.
> 
> Ok, done: 5.51 does some unsafe strcpy()s in do_wild(), which are not
> present any more in 5.52. Here is the 5.51 patch, maybe it is useful
> for fixing woody (which has 5.50):
> 
>   http://patches.ubuntu.com/patches/unzip-5.51.CVE-2005-4667.diff

Thanks a lot.

I pinged the authors today, as they said this would be fixed in a
beta release which has not happened yet. If I don't get a reply from
them soon enough, I will use these patches, as this has been open for
too long now.




Message #54 received at 349794@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Martin Pitt <martin.pitt@ubuntu.com>
Cc: 349794@bugs.debian.org
Subject: Re: Patch, CVE number
Date: Wed, 15 Mar 2006 18:28:41 +0100 (CET)
On Fri, 10 Feb 2006, Martin Pitt wrote:

> I took a stab at this bug; granted, it's not the worst one in the
> world, but it should be fixed eventually.
> 
> This is the patch I used for the Ubuntu security update:
> 
>   http://patches.ubuntu.com/patches/unzip.CVE-2005-4667.diff
> 
> It works for version 5.52; [...]

Hi. I did this to test the patch:

./unzip `perl -e 'print "A" x 120000'`

and I got an error message, followed by some binary junk which
confuses the terminal to the point of needing a "reset".
This is a little bit suspicious. Are you sure the patch is ok?
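
A harness for the kind of check Santiago ran above, written for this page as an added example (it is not code from the bug report, from Debian or from Info-ZIP). It runs a command with one oversized argument built in-process (n bytes of 'A', the same input as the perl one-liner), captures the child's stderr through a pipe, and reports two things a plain shell run hides: whether the child exited or was killed by a signal, and how many non-printable bytes reached stderr, which is the "binary junk" symptom and usually means an error path is still printing from beyond the buffer it was meant to print. The ./unzip default path, the 120000-byte length and the names probe_long_arg and probe_result are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of running a command with one oversized argument (assumed names). */
struct probe_result {
    int    signaled; /* 1 if the child died from a signal (a crash), 0 if it exited */
    int    signo;    /* the signal, when signaled == 1 */
    int    status;   /* the exit status, when signaled == 0 */
    size_t junk;     /* bytes on stderr that are neither printable nor whitespace */
};

/* Run base_argv (NULL-terminated) with an extra argument of arglen 'A' bytes
 * appended, capture its stderr, and classify the result. Returns 0 on success,
 * -1 if the child could not be set up. The long argument is constructed here;
 * the command is whatever the caller passes, e.g. {"./unzip", NULL}. */
static int probe_long_arg(char *const base_argv[], size_t arglen, struct probe_result *r)
{
    size_t argc = 0;
    while (base_argv[argc] != NULL)
        argc++;

    char *arg = malloc(arglen + 1);
    char **argv = malloc((argc + 2) * sizeof *argv);
    if (arg == NULL || argv == NULL) { free(arg); free(argv); return -1; }
    memset(arg, 'A', arglen);           /* perl -e 'print "A" x arglen' */
    arg[arglen] = '\0';
    for (size_t i = 0; i < argc; i++)
        argv[i] = base_argv[i];
    argv[argc] = arg;
    argv[argc + 1] = NULL;

    int fds[2];
    if (pipe(fds) != 0) { free(arg); free(argv); return -1; }

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); free(arg); free(argv); return -1; }
    if (pid == 0) {
        /* child: stderr goes to the pipe, stdout is discarded, then exec */
        close(fds[0]);
        dup2(fds[1], STDERR_FILENO);
        close(fds[1]);
        freopen("/dev/null", "w", stdout);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    free(arg);
    free(argv);

    /* parent: count stderr bytes that a terminal would render as junk */
    memset(r, 0, sizeof *r);
    unsigned char buf[4096];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++)
            if (!isprint(buf[i]) && !isspace(buf[i]))
                r->junk++;
    }
    close(fds[0]);

    int wstatus;
    if (waitpid(pid, &wstatus, 0) < 0)
        return -1;
    if (WIFSIGNALED(wstatus)) {
        r->signaled = 1;
        r->signo = WTERMSIG(wstatus);
    } else {
        r->status = WEXITSTATUS(wstatus);
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./probe <command> [args...]; defaults to ./unzip (assumed path). */
    char *default_argv[] = { "./unzip", NULL };
    char *const *target = argc > 1 ? argv + 1 : default_argv;
    struct probe_result r;
    if (probe_long_arg(target, 120000, &r) != 0) {
        perror("probe_long_arg");
        return 1;
    }
    if (r.signaled)
        printf("crashed: killed by signal %d\n", r.signo);
    else
        printf("exited with status %d\n", r.status);
    printf("non-printable bytes on stderr: %zu%s\n", r.junk,
           r.junk ? " (suspicious: an error path is still printing memory it should not)" : "");
    return r.signaled || r.junk ? 2 : 0;
}
```

A clean exit with a readable error and zero junk bytes is what a fixed build should produce; a signal means the overflow still corrupts the stack, and junk bytes without a crash are the 5.52 symptom described above, where the message is printed from a buffer that was overrun but not far enough to crash. Keep the argument under the per-argument limit of your kernel (Linux caps a single argv string at 128 KiB), otherwise exec fails before unzip ever runs.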




Message #59 received at 349794@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Martin Pitt <martin.pitt@ubuntu.com>
Cc: 349794@bugs.debian.org
Subject: Re: Patch, CVE number
Date: Thu, 16 Mar 2006 01:49:56 +0100 (CET)
Well, after a bit of testing, I'm going to use this patch instead:

http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0117.html

which seems to work very well. The "right fix" will be in 5.53, I suppose,
but for now this is more than enough to close the hole.

[ Additionally, for 5.50, there are some strcpy in unix/unix.c which
  have to be changed to strncpy, as you pointed out ].



Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility.

Notification sent to Stephen Gran <sgran@debian.org>:
Bug acknowledged by developer.

Message #64 received at 349794-close@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@debian.org>
To: 349794-close@bugs.debian.org
Subject: Bug#349794: fixed in unzip 5.52-7
Date: Thu, 16 Mar 2006 02:02:11 -0800
Source: unzip
Source-Version: 5.52-7

We believe that the bug you reported is fixed in the latest version of
unzip, which is due to be installed in the Debian FTP archive:

unzip_5.52-7.diff.gz
  to pool/main/u/unzip/unzip_5.52-7.diff.gz
unzip_5.52-7.dsc
  to pool/main/u/unzip/unzip_5.52-7.dsc
unzip_5.52-7_powerpc.deb
  to pool/main/u/unzip/unzip_5.52-7_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 349794@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated unzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 16 Mar 2006 10:31:20 +0100
Source: unzip
Binary: unzip
Architecture: source powerpc
Version: 5.52-7
Distribution: unstable
Urgency: medium
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description: 
 unzip      - De-archiver for .zip files
Closes: 349794
Changes: 
 unzip (5.52-7) unstable; urgency=medium
 .
   * Fixed buffer overflow when insanely long filenames are given on the
     command line. Patch from Johnny Lee. Changed some format strings so
     that they use 512 characters at most. The "right" fix will be in 5.53,
     but this should work well enough for now. Closes: #349794.
   * This is CVE-2005-4667.
Files: 
 40168d21a5f2ff55e13d205e788099da 519 utils optional unzip_5.52-7.dsc
 a4108541e834e3d9e9b3d0b39f4325b1 10797 utils optional unzip_5.52-7.diff.gz
 345a81de994ab7f7403920049a214978 162454 utils optional unzip_5.52-7_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEGTEYd9Uuvj7yPNYRAhWDAJ0bIBTuJVnttO6Ok0vfW1DdFDXcdgCgufCo
ll7tK2wsoAPDPwNWBDLsgqg=
=sisv
-----END PGP SIGNATURE-----
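
The two fixes the thread settles on, side by side: the 512-character cap in the format strings from the 5.52-7 changelog above, and the strcpy-to-strncpy change mentioned for the older 5.50/5.51 code. This C block is an added example written for this page, not unzip's code; NAME_BUF, the "error: cannot open" message and the function names are assumptions, and it does not reproduce Info-ZIP's actual buffers or functions. It shows why an unbounded %s or strcpy into a fixed buffer lets the argv length decide how much gets written, how %.512s (written here as %.*s with a named limit) and an explicitly terminated strncpy cap it, and feeds them the same 120000-byte name as the test earlier in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF   1024 /* assumed size of the fixed buffer in the vulnerable pattern */
#define NAME_LIMIT 512  /* the cap from the Debian fix: at most 512 characters of the name */
#define PREFIX     "error: cannot open "

/* Vulnerable pattern: sprintf writes strlen(name) + 20 bytes, and name comes
 * straight from argv, so anything over NAME_BUF runs off the end of buf.
 * Only ever call this with a short name; it is here to show the shape of the
 * bug, not to be fed attacker input. */
static void report_unbounded(char buf[NAME_BUF], const char *name)
{
    sprintf(buf, PREFIX "%s", name);
}

/* Fixed pattern: the precision prints at most NAME_LIMIT bytes of name
 * whatever its length (equivalent to "%.512s"), and snprintf bounds the
 * whole write by bufsz. Returns the length produced, as snprintf does. */
static int report_bounded(char *buf, size_t bufsz, const char *name)
{
    return snprintf(buf, bufsz, PREFIX "%.*s", NAME_LIMIT, name);
}

/* strcpy -> strncpy, as done for the 5.50/5.51 copies. strncpy does not
 * NUL-terminate when src fills dst, so terminate explicitly. Returns the
 * number of bytes copied. */
static size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 0;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(dst);
}

/* 1 if report_unbounded would write past a NAME_BUF-byte buffer for this name. */
static int unbounded_overflows(const char *name)
{
    return strlen(PREFIX) + strlen(name) + 1 > NAME_BUF;
}

/* Construct the test input: n bytes of 'A', like perl -e 'print "A" x n'. */
static char *make_long_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char buf[NAME_BUF];
    char small[64];
    char *name = make_long_name(120000);
    if (name == NULL)
        return 1;

    report_unbounded(buf, "short.zip");   /* fine: 29 bytes including the NUL */
    printf("%s\n", buf);

    printf("unbounded pattern with a 120000-byte name overflows: %s\n",
           unbounded_overflows(name) ? "yes" : "no");

    int n = report_bounded(buf, sizeof buf, name);
    printf("bounded: produced %d bytes, strlen %zu\n", n, strlen(buf));

    printf("strncpy copy into 64 bytes: %zu bytes, terminated: %s\n",
           copy_bounded(small, sizeof small, name),
           small[sizeof small - 1] == '\0' ? "yes" : "no");

    free(name);
    return 0;
}
```

The precision cap is a message-by-message fix, which is why the changelog calls it "well enough for now": every format string that prints a user-supplied name needs it, and any strcpy of the same name elsewhere (the do_wild() copies in 5.51) is a separate hole. When replacing strcpy with strncpy, the explicit terminator matters; a name that exactly fills the destination otherwise leaves it unterminated and the next print reads past it, which is one way to end up with the garbage on the terminal that Santiago saw.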




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 05:55:22 GMT)

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:47:44 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:51:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 17:03:26 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.