Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27868
HistoryApr 02, 2012 - 12:00 a.m.

[PRE-SA-2012-02] Incorrect loop construct and numeric overflow in libzip

2012-04-0200:00:00
vulners.com
4

PRE-CERT Security Advisory

  • Advisory: PRE-SA-2012-02
  • Released on: 21st March 2012
  • Affected products: libzip <= 0.10
    PHP 5.4.0
    PHP <= 5.3.10
    zipruby <= 0.3.6
  • Impact: heap overflow, information leak
  • Credit: - Thomas Klausner
    - Timo Warns (PRESENSE Technologies GmbH)
  • CVE Identifier: - CVE-2012-1162
    - CVE-2012-1163

Summary

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

  • CVE-2012-1162

    libzip (version <= 0.10) uses an incorrect loop construct, which can
    result in a heap overflow on corrupted zip files.

    On opening a zip file with zip_open, libzip reads in the number of
    directory entries in the function _zip_readcdir in zip_open.c:

    (192) /* number of cdir-entries */
    (193) nentry = _zip_read2(&cdp);

    Subsequently, memory for directory entries is allocated via
    _zip_cdir_new (in zip_dirent.c) based on the number of directory
    entries:

    (104) if ((cd->entry=(struct zip_dirent )malloc(sizeof((cd->entry))*nentry))

    If the number of directories in the zip file is set to 0, 0 bytes of
    memory are allocated.

    _zip_readcdir finishes with reading in the directory entries in
    a posttest do-while loop:

    (260) do {
    (261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {

    (277) } while (i<cd->nentry && left > 0);

    If cd->entry points to 0 bytes of allocated memory, _zip_dirent
    writes beyond the allocated memory.

  • CVE-2012-1163

    libzip (version <= 0.10) has a numeric overflow condition, which,
    for example, results in improper restrictions of operations within
    the bounds of a memory buffer (e.g., allowing information leaks).

    On opening a zip file with zip_open, libzip reads in the size and the
    offset of the central directory structure in the function _zip_readcdir
    in zip_open.c:

    (198) cd->size = _zip_read4(&cdp);
    (199) cd->offset = _zip_read4(&cdp);

    libzip performs a consistency check on these values, but does not
    anticipate an integer overflow:

    (203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

    On an integer overflow, libzip continues to handle the zip file, which,
    for example, can result in improper restriction of operations within the
    bounds of a memory buffer.

Solution

The issue was fixed in the following versions:

libzip 0.10.1

The issue was not fixed in PHP and zipruby yet.

References

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-02.txt

Contact

PRE-CERT can be reached under [email protected]. For PGP key
information, refer to http://www.pre-cert.de/.

Related for SECURITYVULNS:DOC:27868