Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 12 Feb 2018 17:31:47 -0500
From: Leo Famulari <leo@...ulari.name>
To: SEC Consult Vulnerability Lab <research@...-consult.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: SEC Consult SA-20180207-0 :: Multiple buffer
 overflow vulnerabilities in InfoZip UnZip

On Thu, Feb 08, 2018 at 08:19:20AM +0100, SEC Consult Vulnerability Lab wrote:
> 1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)

[...]

> As already mentioned, modern compilers replace unsafe functions with
> safe alternatives as a defense in depth mechanism.
> This feature is called BOSC (Built-in object size checking) and is part
> of the FORTIFY_SOURCE=2 protection.
> The following link shows the source code (and vulnerability) inside
> the Ubuntu package:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/unzip/trusty-updates/view/head:/fileio.c#L1593

If you are not sure how to pass flags to the compiler when building UnZip 6.0
(the Makefile does not respect CFLAGS), you should export them as LOCAL_UNZIP in
the build environment. Quoting 'unix/Makefile':

# LOCAL_UNZIP is an environment variable that can be used to add default C flags
# to your compile without editing the Makefile (e.g., -DDEBUG_STRUC, or -FPi87
# on PCs using Microsoft C).

It took me a little too long to figure that out...

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.