Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 03 Nov 2014 14:37:04 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: unzip -t crasher

On 11/03/2014 05:06 AM, Jakub Wilk wrote:
> Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes
> unzip -t:
>
> $ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip
> foo/:  mismatching "local" filename (™/UT),
>          continuing with "central" filename version
> *** Error in `unzip': free(): corrupted unsorted chunks:
> 0x00000000015d0170 ***
>
> I'm not sure if inclusion of said zip file was intentional, but since
> the cat is already out of the bag, I thought I'll let you know.
>
> [0] https://code.google.com/p/american-fuzzy-lop/
> [1] http://lcamtuf.coredump.cx/afl.tgz
>

Hi,

I had a quick look at unzip-6.0-12.fc20. It did not crash there for me 
but there are invalid reads and an invalid write.

For the invalid write, the problem may manifest here in memextract():

2282             memcpy((char *)tgt, (char *)G.inptr, (extent)G.incnt);

On my system, G.incnt was 52729.

Cheers,

--
Murray McAllister / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ