Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 12 Feb 2018 17:31:47 -0500
From: Leo Famulari <leo@...ulari.name>
To: SEC Consult Vulnerability Lab <research@...-consult.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: SEC Consult SA-20180207-0 :: Multiple buffer
 overflow vulnerabilities in InfoZip UnZip

On Thu, Feb 08, 2018 at 08:19:20AM +0100, SEC Consult Vulnerability Lab wrote:
> 1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)

[...]

> As already mentioned, modern compilers replace unsafe functions with
> safe alternatives as a defense in depth mechanism.
> This feature is called BOSC (Built-in object size checking) and is part
> of the FORTIFY_SOURCE=2 protection.
> The following link shows the source code (and vulnerability) inside
> the Ubuntu package:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/unzip/trusty-updates/view/head:/fileio.c#L1593

If you are not sure how to pass flags to the compiler when building UnZip 6.0
(the Makefile does not respect CFLAGS), you should export them as LOCAL_UNZIP in
the build environment. Quoting 'unix/Makefile':

# LOCAL_UNZIP is an environment variable that can be used to add default C flags
# to your compile without editing the Makefile (e.g., -DDEBUG_STRUC, or -FPi87
# on PCs using Microsoft C).

It took me a little too long to figure that out...

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ