zziplib: NULL pointer dereference in prescan_entry (fseeko.c)

Posted on February 9, 2017 by ago

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

The unzzipcat-seeko utility provided by the package, by default, without any crafted zip shows a NULL pointer access. For completeness I’m attaching my reproducer.

The complete ASan output:

# unzzipcat-seeko $FILE
==3376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041f8da bp 0xbebebebebebebeae sp 0x7ffe6020c2a0 T0)                                                                                                                                         
==3376==The signal is caused by a READ memory access.                                                                                                                                                                                                                          
==3376==Hint: address points to the zero page.                                                                                                                                                                                                                                 
    #0 0x41f8d9 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550                                                          
    #1 0x41f8d9 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:748                                                                   
    #2 0x4d29a1 in __interceptor_realloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:85                                                                                                                        
    #3 0x7f21bce0f146 in prescan_entry /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:189:25                                                                                                                                                      
    #4 0x7f21bce0f146 in zzip_entry_findfirst /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:324                                                                                                                                                  
    #5 0x509cb3 in main /tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/bins/unzzipcat-seeko.c:79:22                                                                                                                                                             
    #6 0x7f21bbf5261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #7 0x4197e8 in _init (/usr/bin/unzzipcat-seeko+0x4197e8)                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                               
AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_allocator.cc:550 in __asan::Allocator::Reallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*)                                          
==3376==ABORTING

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5979

Reproducer:
https://github.com/asarubbo/poc/blob/master/00157-zziplib-nullptr-prescan_entry

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c

This entry was posted in advisories, security. Bookmark the permalink.

One Response to zziplib: NULL pointer dereference in prescan_entry (fseeko.c)

  1. Pingback: SB17-065: Vulnerability Summary for the Week of February 27, 2017 – sec.uno

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.