FS#53133 - [zziplib] Multiple CVEs

Attached to Project: Arch Linux
Opened by Santiago Torres (sangy) - Wednesday, 01 March 2017, 20:37 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Thursday, 18 January 2018, 20:36 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sven-Hendrik Haase (Svenstaro)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Summary
=======

The package zziplib is vulnerable to multiple issues including arbitrary code execution, arbitrary command execution and denial of service via CVE-2017-5981, CVE-2017-5980, CVE-2017-5979, CVE-2017-5978, CVE-2017-5977, CVE-2017-5976, CVE-2017-5975 and CVE-2017-5974.

Guidance
========

I don't think there'll be an upstream patch for this. Maybe we can find and backport patches from other distros?


References
==========

https://security.archlinux.org/AVG-191
https://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-load-of-misaligned-address-in-memdisk-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-main-unzzipcat-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-main-unzzipcat-mem-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c/
https://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/
This task depends upon

Closed by  Sven-Hendrik Haase (Svenstaro)
Thursday, 18 January 2018, 20:36 GMT
Reason for closing:  Fixed
Additional comments about closing:  Most things are fixed. There will be a followup.
Comment by Sean Rand (srand) - Tuesday, 25 April 2017, 19:04 GMT
FYI, upstream seems to have picked up development again at https://github.com/gdraheim/zziplib
Comment by Santiago Torres (sangy) - Tuesday, 25 April 2017, 19:48 GMT
Oh, thanks for the headsd up. I'll follow development on there and update the ticket accordingly
Comment by Sean Rand (srand) - Friday, 05 May 2017, 22:22 GMT
zziplib 0.13.66-1 is now in extra. The changelog does mention CVEs[1], and the commit
history mentions CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978
and CVE-2017-5981[2] - which covers all CVEs with arbitrary code execution.
But I don't know if they're completely fixed by those commits,
that would still need some investigating of the code changes.

[1] https://github.com/gdraheim/zziplib/blob/master/ChangeLog#L14
[2] https://github.com/gdraheim/zziplib/search?q=cve&type=Commits&utf8=%E2%9C%93
Comment by Santiago Torres (sangy) - Friday, 05 May 2017, 22:32 GMT
Just reviewed the (somewhat hard to parse) diffs, the following CVE's seem to have been fixed:

CVE-2017-5981
CVE-2017-5974
CVE-2017-5976
CVE-2017-5978
CVE-2017-5975

I can't be completely sure yet, so I'll run the code through the reproducers and let you know.
Comment by Sean Rand (srand) - Friday, 05 May 2017, 22:41 GMT
There seems to have been some (simultaneous) activity in SUSE regarding this as well,
https://www.suse.com/support/update/announcement/2017/suse-su-20171095-1/
Comment by Santiago Torres (sangy) - Friday, 05 May 2017, 22:55 GMT
Ok, here are the results:

CVE-2017-5981 - Fixed
CVE-2017-5974 - Can't reproduce (It appears this only affected the 32-bit lib)
CVE-2017-5976 - Fixed
CVE-2017-5978 - Fixed
CVE-2017-5975 - Fixed

I'll go on and mark those as resolved. As of now we still have:

CVE-2017-5980
CVE-2017-5979
CVE-2017-5977

Comment by Santiago Torres (sangy) - Thursday, 11 May 2017, 22:18 GMT
I reviewed the patches from opensuse and compared against upstream, this is what I found:
I separated these by upstream commit values, the patches were directly obtained from[1]
03de3beabbf570474a9ac05d6dc6b42cdb184cd1 CVE-2017-5974
64e745f8a3604ba1c444febed86b5e142ce03dd7 and 33d6e9c52fcf1a8983896a512033994dc2ca5734 CVE-2017-5975
03de3beabbf570474a9ac05d6dc6b42cdb184cd1 CVE-2017-5976
PATCH NOT FOUND CVE-2017-5977 (this is apparently not fixed, as there is not a patch from opensuse or any mention of it on the changelog)
03de3beabbf570474a9ac05d6dc6b42cdb184cd1 CVE-2017-5978
PATCH NOT IN UPSTREAM CVE-2017-5979 (this is just replacing a malloc to a calloc call...)
PATCH NOT FOUND CVE-2017-5980 (this is apparently not fixed, as there is not a patch from opensuse or any mention of it on the changelog)
3810583f4dee1bac8f02ab41e01bbffd9d6bc286 and 0ce576bdcb330c40cc39636c6232ced0e1bc806b CVE-2017-5981

http://download.opensuse.org/tumbleweed/repo/src-oss/suse/src/zziplib-0.13.62-9.1.src.rpm
Comment by Levente Polyak (anthraxx) - Friday, 12 May 2017, 20:04 GMT
all fixed, except:

CVE-2017-5980
CVE-2017-5978
CVE-2017-5977
Comment by Eli Schwartz (eschwartz) - Sunday, 07 January 2018, 06:54 GMT
0.13.67 seems to upstream the patch that was being applied, are any other CVEs still outstanding 7 months later?
Comment by kikadf (kikadf) - Thursday, 18 January 2018, 03:02 GMT
I found relevant upstream commits:

CVE-2017-5974:
https://github.com/gdraheim/zziplib/commit/9e8f867a976311a3e5fb0184c947e22ec35f2fcb
https://github.com/gdraheim/zziplib/commit/03de3beabbf570474a9ac05d6dc6b42cdb184cd1

CVE-2017-5975:
https://github.com/gdraheim/zziplib/commit/64e745f8a3604ba1c444febed86b5e142ce03dd7
https://github.com/gdraheim/zziplib/commit/33d6e9c52fcf1a8983896a512033994dc2ca5734

CVE-2017-5976:
https://github.com/gdraheim/zziplib/commit/9e8f867a976311a3e5fb0184c947e22ec35f2fcb
https://github.com/gdraheim/zziplib/commit/03de3beabbf570474a9ac05d6dc6b42cdb184cd1

CVE-2017-5977:
https://github.com/gdraheim/zziplib/commit/9e8f867a976311a3e5fb0184c947e22ec35f2fcb
https://github.com/gdraheim/zziplib/commit/1e5b1ac48186e34e871945769623becfa3650956
The closed github issue:
https://github.com/gdraheim/zziplib/issues/3

CVE-2017-5978:
https://github.com/gdraheim/zziplib/commit/98403bb3c0661e56a2185777fd244ba3a67bc220

CVE-2017-5979:
https://github.com/gdraheim/zziplib/commit/90338371e062eb26d5a5a7bb9c299206d0fef278

CVE-2017-5980:
Open github issue, because not all occurrence are fixed:
https://github.com/gdraheim/zziplib/issues/4

but in debian bug tracker Moritz Muehlenhoff has confirmed with the reproducers that it's fixed:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854727#56

and debian mark the CVE as fixed: https://security-tracker.debian.org/tracker/CVE-2017-5980

CVE-2017-5981:
https://github.com/gdraheim/zziplib/commit/0ce576bdcb330c40cc39636c6232ced0e1bc806b



Comment by Sven-Hendrik Haase (Svenstaro) - Thursday, 18 January 2018, 04:01 GMT
So are we good or does our version still lack something?
Comment by kikadf (kikadf) - Thursday, 18 January 2018, 05:46 GMT
Release 0.13.67 contains these commits.
Comment by Sven-Hendrik Haase (Svenstaro) - Thursday, 18 January 2018, 06:17 GMT
Just to be clear then: We don't have to worry about anything regarding this and I can close this?
Comment by kikadf (kikadf) - Thursday, 18 January 2018, 08:10 GMT
Well, I think zziplib not affected by this vulnerabilities already, so you can close the ticket.
Comment by Levente Polyak (anthraxx) - Thursday, 18 January 2018, 10:15 GMT
Of cause they were affected, moste are just fixed now.

CVE-2017-5980 is still unfixed, denial of service through nullptr dereference. I can create a separate issue if you wish, we gonna issue an advisory for the current version anyway?!
cheers :)
Comment by Sven-Hendrik Haase (Svenstaro) - Thursday, 18 January 2018, 20:35 GMT
Yes, please create a separate issue so we can track it more effectively without so much crosstalk between CVEs.

Loading...