zziplib: assertion failure in seeko.c

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an a NULL pointer access.

The complete ASan output:

# unzzipcat-seeko $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:313: ZZIP_ENTRY *zzip_entry_findfirst(FILE *): Assertion `0 <= root && root < mapsize' failed.

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5981

Reproducer:
https://github.com/asarubbo/poc/blob/master/00161-zziplib-assertionfailure-seeko_C

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c

This entry was posted in advisories, security. Bookmark the permalink.

One Response to zziplib: assertion failure in seeko.c

  1. Pingback: SB17-065: Vulnerability Summary for the Week of February 27, 2017 – sec.uno

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.