{"id":1234,"date":"2017-02-09T15:38:44","date_gmt":"2017-02-09T13:38:44","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1234"},"modified":"2017-02-14T11:24:10","modified_gmt":"2017-02-14T09:24:10","slug":"zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c\/","title":{"rendered":"zziplib: heap-based buffer overflow in zzip_mem_entry_extra_block (memdisk.c)"},"content":{"rendered":"

Description<\/strong>:
\nzziplib<\/a> is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.<\/p>\n

A fuzz on it discovered an heap overflow.<\/p>\n

The complete ASan output:<\/p>\n

# unzzipcat-mem $FILE\r\n==7970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000f2c8 at pc 0x7f59277fd153 bp 0x7fff136e1e30 sp 0x7fff136e1e28                                                                                                                                       \r\nREAD of size 2 at 0x60300000f2c8 thread T0                                                                                                                                                                                                                                     \r\n    #0 0x7f59277fd152 in zzip_mem_entry_extra_block \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:248:20                                                                                                                                        \r\n    #1 0x7f59277fd152 in zzip_mem_entry_new \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:218                                                                                                                                                   \r\n    #2 0x7f59277fd152 in zzip_mem_disk_load \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:137                                                                                                                                                   \r\n    #3 0x7f59277fb8b7 in zzip_mem_disk_open \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:89:5                                                                                                                                                  \r\n    #4 0x50982d in main \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/bins\/unzzipcat-mem.c:82:12                                                                                                                                                               \r\n    #5 0x7f592693b61f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                                                                                                        \r\n    #6 0x419748 in _init (\/usr\/bin\/unzzipcat-mem+0x419748)                                                                                                                                                                                                                     \r\n                                                                                                                                                                                                                                                                               \r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).                                                                                                                                                                                       \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/dev-libs\/zziplib-0.13.62-r1\/work\/zziplib-0.13.62\/zzip\/memdisk.c:248:20 in zzip_mem_entry_extra_block                                                                                                              \r\nShadow bytes around the buggy address:                                                                                                                                                                                                                                         \r\n  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n=>0x0c067fff9e50: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\n  0x0c067fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              \r\nShadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           \r\n  Addressable:           00                                                                                                                                                                                                                                                    \r\n  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                                                                                  \r\n  Heap left redzone:       fa                                                                                                                                                                                                                                                  \r\n  Heap right redzone:      fb                                                                                                                                                                                                                                                  \r\n  Freed heap region:       fd                                                                                                                                                                                                                                                  \r\n  Stack left redzone:      f1                                                                                                                                                                                                                                                  \r\n  Stack mid redzone:       f2                                                                                                                                                                                                                                                  \r\n  Stack right redzone:     f3                                                                                                                                                                                                                                                  \r\n  Stack partial redzone:   f4                                                                                                                                                                                                                                                  \r\n  Stack after return:      f5                                                                                                                                                                                                                                                  \r\n  Stack use after scope:   f8                                                                                                                                                                                                                                                  \r\n  Global redzone:          f9                                                                                                                                                                                                                                                  \r\n  Global init order:       f6                                                                                                                                                                                                                                                  \r\n  Poisoned by user:        f7                                                                                                                                                                                                                                                  \r\n  Container overflow:      fc                                                                                                                                                                                                                                                  \r\n  Array cookie:            ac                                                                                                                                                                                                                                                  \r\n  Intra object redzone:    bb                                                                                                                                                                                                                                                  \r\n  ASan internal:           fe                                                                                                                                                                                                                                                  \r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==7970==ABORTING\r\n<\/font><\/pre>\n
Affected version:<\/strong>
\n0.13.62<\/p>\n
Fixed version:<\/strong>
\nN\/A<\/p>\n
Commit fix:<\/strong>
\nN\/A<\/p>\n
Credit:<\/strong>
\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n
CVE:<\/strong>
\nCVE-2017-5976<\/p>\n
Reproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00152-zziplib-heapoverflow-zzip_mem_entry_extra_block<\/a><\/p>\n
Timeline:<\/strong>
\n2017-01-17: bug discovered and poked upstream
\n2017-02-09: blog post about the issue
\n2017-02-13: CVE assigned<\/p>\n
Note:<\/strong>
\nThis bug was found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong>
\nhttps:\/\/blogs.gentoo.org\/ago\/2017\/02\/09\/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c<\/p>\n","protected":false},"excerpt":{"rendered":"
Description: zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file. A fuzz on it discovered an heap overflow. The complete ASan output: # unzzipcat-mem $FILE ==7970==ERROR: AddressSanitizer: … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-jU","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1234"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1234"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1234\/revisions"}],"predecessor-version":[{"id":1338,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1234\/revisions\/1338"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}