[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20120327073438.GB9400@vermeer.pre-sense.de>
Date: Tue, 27 Mar 2012 09:34:38 +0200
From: Timo Warns <Warns@...-Sense.DE>
To: full-disclosure@...ts.grok.org.uk
Subject: [PRE-SA-2012-02] Incorrect loop construct and
numeric overflow in libzip
PRE-CERT Security Advisory
==========================
* Advisory: PRE-SA-2012-02
* Released on: 21st March 2012
* Affected products: libzip <= 0.10
PHP 5.4.0
PHP <= 5.3.10
zipruby <= 0.3.6
* Impact: heap overflow, information leak
* Credit: - Thomas Klausner
- Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2012-1162
- CVE-2012-1163
Summary
-------
libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.
* CVE-2012-1162
libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.
On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:
(192) /* number of cdir-entries */
(193) nentry = _zip_read2(&cdp);
Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:
(104) if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.
_zip_readcdir finishes with reading in the directory entries in
a posttest do-while loop:
(260) do {
(261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
...
(277) } while (i<cd->nentry && left > 0);
If cd->entry points to 0 bytes of allocated memory, _zip_dirent
writes beyond the allocated memory.
* CVE-2012-1163
libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks).
On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:
(198) cd->size = _zip_read4(&cdp);
(199) cd->offset = _zip_read4(&cdp);
libzip performs a consistency check on these values, but does not
anticipate an integer overflow:
(203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) {
On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.
Solution
--------
The issue was fixed in the following versions:
libzip 0.10.1
The issue was not fixed in PHP and zipruby yet.
References
----------
When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:
http://www.pre-cert.de/advisories/PRE-SA-2012-02.txt
Contact
--------
PRE-CERT can be reached under precert@...-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists