oss-sec mailing list archives
CVE-2015-1315 - Info-ZIP UnZip - Out-of-bounds Write
From: William Robinet <william.robinet () conostix com>
Date: Tue, 17 Feb 2015 19:29:51 +0100
Dear oss-security list,

Here is an advisory [0] about a heap-based buffer overflow vulnerability found in Info-Zip "UnZip" [1]. This was discovered on Ubuntu 14.04.1 LTS (amd64) with package unzip version 6.0-9ubuntu1.2 with the help of afl [2]. This vulnerability could possibly lead to arbitrary code execution.

The problem lies in the "unix/unix.c:charset_to_intern()" function which is part of the 06-unzip60-alt-iconv-utf8 patch (Ubuntu reference [3]). It can be triggered during string conversion from CP866 to UTF-8 for which the destination buffer is not large enough.

The problematic code is present in:
- Info-ZIP beta/development release version 6.10b
- Ubuntu unzip package (see version numbers in advisory [0])
- FreeBSD archivers/unzip port (depending on the port configuration)

Timeline:
20150210 - Ubuntu contacted, CVE assigned, disclosure date defined
20150211 - FreeBSD & Upstream contacted
20150212 - Openwall distros mailing list notified
20150217 - Public disclosure

An updated iconv patch (received from Ubuntu) is available at [4].

William
(Please note I'm not a member of the list)

[0] http://www.conostix.com/pub/adv/CVE-2015-1315-Info-ZIP-unzip-Out-of-bounds_Write.txt
[1] http://www.info-zip.org/UnZip.html
[2] american fuzzy lop - http://lcamtuf.coredump.cx/afl/
[3] Ubuntu iconv patch: http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz file debian/patches/06-unzip60-alt-iconv-utf8
[4] http://www.conostix.com/pub/adv/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

--
GPG Key ID/Fingerprint: 74C7A949/B509 4137 1353 A3FC 6A87 AA06 003F A3DF 74C7 A949
Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62
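The bug class the advisory describes is a single-byte code page (CP866) being expanded into UTF-8 with a destination sized from the input length rather than from the output length. The following C block is an added illustration written for this page; it is not code from the advisory, from UnZip, or from the Ubuntu iconv patch, and it does not use iconv at all. It carries a constructed subset of the CP866 table (the Cyrillic ranges, Ё/ё and two box-drawing bytes; everything else maps to U+FFFD), a constructed sample string, and hypothetical function names. The one fact it relies on is that every CP866 code point lies in the Basic Multilingual Plane, so each input byte becomes at most three UTF-8 bytes. The converter sizes from the computed output width and refuses to write past the buffer it is given, which is the check that keeps the destination from being "not large enough".

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed CP866 sample: "Привет" (П р и в е т) followed by one box-drawing
 * byte (0xC4 = U+2500), which needs three UTF-8 bytes. */
const unsigned char SAMPLE_CP866[] = { 0x8F, 0xE0, 0xA8, 0xA2, 0xA5, 0xE2, 0xC4 };
const size_t SAMPLE_CP866_LEN = sizeof SAMPLE_CP866;

/* Scratch destination for callers of the bounded converter. */
char SCRATCH[64];

/* Map one CP866 byte to a code point. This is a constructed subset, not the
 * full table: Cyrillic ranges, Ё/ё and two box-drawing bytes; all other
 * high bytes become U+FFFD. Every CP866 code point is below U+10000, so its
 * UTF-8 form is at most 3 bytes long. */
static uint32_t cp866_to_codepoint(unsigned char c)
{
    if (c < 0x80)               return c;                    /* ASCII */
    if (c <= 0x9F)              return 0x0410 + (c - 0x80);  /* А..Я */
    if (c <= 0xAF)              return 0x0430 + (c - 0xA0);  /* а..п */
    if (c >= 0xE0 && c <= 0xEF) return 0x0440 + (c - 0xE0);  /* р..я */
    if (c == 0xF0)              return 0x0401;               /* Ё */
    if (c == 0xF1)              return 0x0451;               /* ё */
    if (c == 0xB3)              return 0x2502;               /* │ */
    if (c == 0xC4)              return 0x2500;               /* ─ */
    return 0xFFFD;                                           /* outside subset */
}

static size_t utf8_width(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
}

/* Bytes (excluding the NUL) that the UTF-8 form of in[0..inlen) occupies.
 * Sizing the destination from this value, not from inlen, is the fix. */
size_t cp866_utf8_needed(const unsigned char *in, size_t inlen)
{
    size_t n = 0;
    for (size_t i = 0; i < inlen; i++)
        n += utf8_width(cp866_to_codepoint(in[i]));
    return n;
}

/* Encode cp into out if at least utf8_width(cp) bytes of room remain.
 * Returns the bytes written, or 0 when the write would overrun. */
static size_t utf8_put(uint32_t cp, unsigned char *out, size_t room)
{
    size_t w = utf8_width(cp);
    if (room < w) return 0;
    if (w == 1) {
        out[0] = (unsigned char)cp;
    } else if (w == 2) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
    } else {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
    }
    return w;
}

/* Convert into a caller-supplied buffer of outsize bytes and NUL-terminate.
 * Returns the byte length written (excluding the NUL), or (size_t)-1 when the
 * buffer is too small; never writes beyond out + outsize in either case. */
size_t cp866_to_utf8_bounded(const unsigned char *in, size_t inlen,
                             char *out, size_t outsize)
{
    size_t used = 0;
    if (outsize == 0) return (size_t)-1;
    for (size_t i = 0; i < inlen; i++) {
        size_t w = utf8_put(cp866_to_codepoint(in[i]),
                            (unsigned char *)out + used, outsize - 1 - used);
        if (w == 0) { out[0] = '\0'; return (size_t)-1; }
        used += w;
    }
    out[used] = '\0';
    return used;
}

/* Allocate exactly what the output needs, then convert into it. */
char *cp866_to_utf8_alloc(const unsigned char *in, size_t inlen, size_t *outlen)
{
    size_t need = cp866_utf8_needed(in, inlen);
    char *out = malloc(need + 1);
    if (!out) return NULL;
    *outlen = cp866_to_utf8_bounded(in, inlen, out, need + 1);
    return out;
}

int main(void)
{
    size_t len;
    char *s = cp866_to_utf8_alloc(SAMPLE_CP866, SAMPLE_CP866_LEN, &len);
    if (!s) return 1;
    printf("%zu CP866 bytes -> %zu UTF-8 bytes: %s\n", SAMPLE_CP866_LEN, len, s);
    free(s);
    return 0;
}
```

Passing a destination of inlen + 1 bytes to cp866_to_utf8_bounded makes it return (size_t)-1 instead of overrunning, because the seven-byte sample needs fifteen bytes of UTF-8; that rejection, rather than a silent write, is the behaviour a converter fed untrusted archive member names should have.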