lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20051219171545.GA25484@melpomene.jschipper.dynalias.net>
Date: Mon Dec 19 17:15:59 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: Unzip *ALL* verisons ;))

On Mon, Dec 19, 2005 at 04:44:02PM +0000, c0ntex wrote:
> On 19/12/05, Joachim Schipper <j.schipper@...h.uu.nl> wrote
> 
> > I cannot reproduce this, either with "A" x 5000 or "A" x 20000. I tested
> > unzip-5.52 on Linux/i386-2.6 and OpenBSD/i386-3.8, and saw no error.
> >
> >                 Joachim
> 
> 
> 
> [c0ntex@ ~]$ unzip -v | head -1
> UnZip 5.32 of 3 November 1997, by Info-ZIP.  Maintained by Greg Roelofs.  Send
> [c0ntex@ ~]$
> [c0ntex@ ~]$ uname -a
> SunOS  5.8 Generic_117350-24 sun4u sparc SUNW,UltraAX-i2
> [c0ntex@ ~]$ unzip `perl -e 'print "A" x 50000'`
> Bus Error (core dumped)
> [c0ntex@ ~]$
> 
> 
> c0ntex@...auch:~$ unzip -v | head -1
> UnZip 5.52 of 28 February 2005, by Info-ZIP.  Maintained by C. Spieler.  Send
> c0ntex@...auch:~$ uname -a
> Linux debauch 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
> c0ntex@...auch:~$ unzip `perl -e 'print "A" x 32000'`
> <snip>
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.ZIP.
> error:  zipfile probably corrupt (segmentation violation)
> c0ntex@...auch:~$
> 
> 
> [c0ntex@...uxbox tmp]$ unzip -v | head -1
> UnZip 5.51 of 22 May 2004, by Info-ZIP.  Maintained by C. Spieler.  Send
> [c0ntex@...uxbox tmp]$ uname -a
> Linux linuxbox 2.6.12 #2 Wed Jul 13 10:19:26 BST 2005 i686 i686 i386 GNU/Linux
> [c0ntex@...uxbox tmp]$ unzip `perl -e 'print "A" x 50000'`
> Segmentation fault
> [c0ntex@...uxbox tmp]$

Oops, sorry, should have taken a better look.

Segfault observed with UnZip-5.52 in gdb with "A" x 50000 on Linux-2.6
and OpenBSD-3.8, both on i386. Without gdb, Linux segfaults too but
OpenBSD just hangs (might be my choice of numbers or payload, but it's
pretty consistent that "A" x 32000 does nothing and "A" x 33000 hangs).

I did not investigate further, sorry for the bother!

		Joachim

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ