Date: Tue, 17 Feb 2015 19:29:51 +0100
From: William Robinet <william.robinet@...ostix.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-1315 - Info-ZIP UnZip - Out-of-bounds Write

Dear oss-security list,

Here is an advisory [1] about a heap-based buffer overflow vulnerability found in Info-Zip "UnZip" [2]. This was discovered on Ubuntu 14.04.1 LTS (amd64) with package unzip version 6.0-9ubuntu1.2 with the help of afl [3]. This vulnerability could possibly lead to arbitrary code execution.

The problem lies in the "unix/unix.c:charset_to_intern()" function which is part of the 06-unzip60-alt-iconv-utf8 patch (Ubuntu reference [4]). It can be triggered during string conversion from CP866 to UTF-8 for which the destination buffer is not large enough.

The problematic code is present in:
- Info-ZIP beta/development release version 6.10b
- Ubuntu unzip package (see version numbers in advisory [1])
- FreeBSD archivers/unzip port (depending on the port configuration)

Timeline:
20150210 - Ubuntu contacted, CVE assigned, disclosure date defined
20150211 - FreeBSD & Upstream contacted
20150212 - Openwall distros mailing list notified
20150217 - Public disclosure

An updated iconv patch (received from Ubuntu) is available at [5].

William
(Please note I'm not a member of the list)

[1] http://www.conostix.com/pub/adv/CVE-2015-1315-Info-ZIP-unzip-Out-of-bounds_Write.txt
[2] http://www.info-zip.org/UnZip.html
[3] american fuzzy lop - http://lcamtuf.coredump.cx/afl/
[4] Ubuntu iconv patch: http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz, file debian/patches/06-unzip60-alt-iconv-utf8
[5] http://www.conostix.com/pub/adv/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

--
GPG Key ID/Fingerprint: 74C7A949/B509 4137 1353 A3FC 6A87 AA06 003F A3DF 74C7 A949
Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62
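The defect reported above is a destination buffer that is too small for the UTF-8 produced from CP866 input. As an added illustration (not code from the advisory, the Ubuntu patch or UnZip), the converter below computes the worst-case output size (a single CP866 byte can become up to 3 UTF-8 bytes: Cyrillic letters take 2, box-drawing characters 3) and checks the remaining capacity before every write, so a short buffer yields an error instead of an out-of-bounds write. The mapping tables follow the standard CP866 layout; the sample input in the usage test is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CP866 0xB0-0xDF: box-drawing block shared with CP437, all U+25xx (3 UTF-8 bytes each). */
static const uint16_t box[48] = {
    0x2591,0x2592,0x2593,0x2502,0x2524,0x2561,0x2562,0x2556,0x2555,0x2563,0x2551,0x2557,
    0x255D,0x255C,0x255B,0x2510,0x2514,0x2534,0x252C,0x251C,0x2500,0x253C,0x255E,0x255F,
    0x255A,0x2554,0x2569,0x2566,0x2560,0x2550,0x256C,0x2567,0x2568,0x2564,0x2565,0x2559,
    0x2558,0x2552,0x2553,0x256B,0x256A,0x2518,0x250C,0x2588,0x2584,0x258C,0x2590,0x2580 };
/* CP866 0xF0-0xFF: Ё ё Є є Ї ї Ў ў ° ∙ · √ № ¤ ■ and no-break space. */
static const uint16_t tail[16] = {
    0x0401,0x0451,0x0404,0x0454,0x0407,0x0457,0x040E,0x045E,
    0x00B0,0x2219,0x00B7,0x221A,0x2116,0x00A4,0x25A0,0x00A0 };

static uint16_t cp866_to_ucs(unsigned char b)
{
    if (b < 0x80) return b;                     /* ASCII is unchanged */
    if (b < 0xB0) return 0x0410 + (b - 0x80);   /* А..п */
    if (b < 0xE0) return box[b - 0xB0];         /* box drawing */
    if (b < 0xF0) return 0x0440 + (b - 0xE0);   /* р..я */
    return tail[b - 0xF0];
}

/* Worst-case UTF-8 size for n CP866 bytes: 3 per byte plus the NUL terminator. */
size_t cp866_utf8_cap(size_t n) { return 3 * n + 1; }

/* Convert n CP866 bytes into out (capacity cap), NUL-terminating the result.
 * Returns the number of bytes written (excluding the NUL), or -1 when cap is
 * too small; the capacity check precedes every write, so nothing overflows. */
long cp866_to_utf8(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = cp866_to_ucs(in[i]);
        size_t need = c < 0x80 ? 1 : (c < 0x800 ? 2 : 3);
        if (cap < o + need + 1) return -1;      /* room for this char and the NUL? */
        if (need == 1) {
            out[o++] = (char)c;
        } else if (need == 2) {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (c >> 12));
            out[o++] = (char)(0x80 | ((c >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    return (long)o;
}
```

A caller that sizes its buffer with cp866_utf8_cap() can never hit the -1 path; the check is what protects callers that do not.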