libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.
CVE-2012-1162
libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.
On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:
(192) /* number of cdir-entries */
(193) nentry = _zip_read2(&cdp);
Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:
(104) if ((cd->entry=(struct zip_dirent )malloc(sizeof((cd->entry))*nentry))
If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.
_zip_readcdir finishes with reading in the directory entries in
a posttest do-while loop:
(260) do {
(261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
…
(277) } while (i<cd->nentry && left > 0);
If cd->entry points to 0 bytes of allocated memory, _zip_dirent
writes beyond the allocated memory.
CVE-2012-1163
libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks).
On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:
(198) cd->size = _zip_read4(&cdp);
(199) cd->offset = _zip_read4(&cdp);
libzip performs a consistency check on these values, but does not
anticipate an integer overflow:
(203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) {
On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.
The issue was fixed in the following versions:
libzip 0.10.1
The issue was not fixed in PHP and zipruby yet.
When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:
http://www.pre-cert.de/advisories/PRE-SA-2012-02.txt
PRE-CERT can be reached under [email protected]. For PGP key
information, refer to http://www.pre-cert.de/.