Date: Mon, 12 Feb 2018 17:31:47 -0500 From: Leo Famulari <leo@...ulari.name> To: SEC Consult Vulnerability Lab <research@...-consult.com> Cc: oss-security@...ts.openwall.com Subject: Re: SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip On Thu, Feb 08, 2018 at 08:19:20AM +0100, SEC Consult Vulnerability Lab wrote: > 1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035) [...] > As already mentioned, modern compilers replace unsafe functions with > safe alternatives as a defense in depth mechanism. > This feature is called BOSC (Built-in object size checking) and is part > of the FORTIFY_SOURCE=2 protection. > The following link shows the source code (and vulnerability) inside > the Ubuntu package: > http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/unzip/trusty-updates/view/head:/fileio.c#L1593 If you are not sure how to pass flags to the compiler when building UnZip 6.0 (the Makefile does not respect CFLAGS), you should export them as LOCAL_UNZIP in the build environment. Quoting 'unix/Makefile': # LOCAL_UNZIP is an environment variable that can be used to add default C flags # to your compile without editing the Makefile (e.g., -DDEBUG_STRUC, or -FPi87 # on PCs using Microsoft C). It took me a little too long to figure that out... Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ