{"id":1233,"date":"2017-02-09T15:38:38","date_gmt":"2017-02-09T13:38:38","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1233"},"modified":"2017-02-14T11:22:42","modified_gmt":"2017-02-14T09:22:42","slug":"zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c\/","title":{"rendered":"zziplib: heap-based buffer overflow in __zzip_get64 (fetch.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/zziplib.sourceforge.net\/\">zziplib<\/a> is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.<\/p>\n<p>A fuzz on it discovered an heap overflow.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># unzzipcat-mem $FILE\r\nREAD of size 1 at 0x60400000dff3 thread T0\r\n    #0 0x7ff28ab675dc in __zzip_get64 \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/fetch.c:59:10\r\n    #1 0x7ff28ab64968 in zzip_mem_entry_new \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:221:30\r\n    #2 0x7ff28ab64968 in zzip_mem_disk_load \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:137\r\n    #3 0x7ff28ab638b7 in zzip_mem_disk_open \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:89:5\r\n    #4 0x50982d in main \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/bins\/unzzipcat-mem.c:82:12\r\n    #5 0x7ff289ca361f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #6 0x419748 in _init (\/usr\/bin\/unzzipcat-mem+0x419748)\r\n\r\n0x60400000dff3 is located 0 bytes to the right of 35-byte region [0x60400000dfd0,0x60400000dff3)\r\nallocated by thread T0 here:\r\n    #0 0x4d2508 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64\r\n    #1 0x7ff28ab64187 in zzip_mem_entry_new \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:200:25\r\n    #2 0x7ff28ab64187 in zzip_mem_disk_load \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:137\r\n    #3 0x7ff28ab638b7 in zzip_mem_disk_open \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:89:5\r\n    #4 0x7ff289ca361f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/fetch.c:59:10 in __zzip_get64\r\nShadow bytes around the buggy address:\r\n  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=&gt;0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[03]fa\r\n  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==7924==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.13.62<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-5975<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00151-zziplib-heapoverflow-__zzip_get64\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00151-zziplib-heapoverflow-__zzip_get64<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-01-17: bug discovered and poked upstream<br \/>\n2017-02-09: blog post about the issue<br \/>\n2017-02-13: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file. A fuzz on it discovered an heap overflow. The complete ASan output: # unzzipcat-mem $FILE READ of &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-jT","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1233"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1233"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1233\/revisions"}],"predecessor-version":[{"id":1336,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1233\/revisions\/1336"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}