Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Mar 2012 08:37:00 +0100
From: Timo Warns <Warns@...-Sense.DE>
Subject:  CVE-2012-1162 / -1163: Incorrect loop construct and numeric
 overflow in libzip

The following two issues in libzip have been handled via Distros and the libzip developers were informed on
2012-03-12. An update of libzip has become available on 2012-03-20, the
appointed coordinated release date. The PHP and zipruby developers have been
informed before 2012-03-16, but have not released updates yet.

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

    libzip (version <= 0.10) uses an incorrect loop construct, which can
    result in a heap overflow on corrupted zip files.
    On opening a zip file with zip_open, libzip reads in the number of
    directory entries in the function _zip_readcdir in zip_open.c:

    (192)    /* number of cdir-entries */
    (193)    nentry = _zip_read2(&cdp);

    Subsequently, memory for directory entries is allocated via
    _zip_cdir_new (in zip_dirent.c) based on the number of directory

    (104)    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

    If the number of directories in the zip file is set to 0, 0 bytes of
    memory are allocated.

    _zip_readcdir finishes with reading in the directory entries in
    a posttest do-while loop:

    (260)    do {
    (261)        if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
    (277)    } while (i<cd->nentry && left > 0);

    If cd->entry points to 0 bytes of allocated memory, _zip_dirent
    writes beyond the allocated memory.

* CVE-2012-1163

    libzip (version <= 0.10) has a numeric overflow condition, which,
    for example, results in improper restrictions of operations within
    the bounds of a memory buffer (e.g., allowing information leaks).

    On opening a zip file with zip_open, libzip reads in the size and the
    offset of the central directory structure in the function _zip_readcdir
    in zip_open.c:

    (198)    cd->size = _zip_read4(&cdp);
    (199)    cd->offset = _zip_read4(&cdp);

    libzip performs a consistency check on these values, but does not
    anticipate an integer overflow:

    (203)    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

    On an integer overflow, libzip continues to handle the zip file, which,
    for example, can result in improper restriction of operations within the
    bounds of a memory buffer.

Cheers, Timo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.