[oss-security] 20161205 CVE Request: Info-Zip zipinfo buffer overflow

[oss-security] 20161205 Re: CVE Request: Info-Zip zipinfo buffer overflow

94728

https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1643750

The version of unzip installed on the remote host is prior to 6.0-43. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1604 advisory.

  - Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2     data in a ZIP archive. (CVE-2015-7697)

  - Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to     cause a denial of service (crash) via a large compression method value in the central directory file     header. (CVE-2016-9844)

  - A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-     protected archives that allows an attacker to perform a denial of service or to possibly achieve code     execution. (CVE-2018-1000035)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4672-1 advisory.

  - Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to     cause a denial of service (crash) via vectors related to the compression method. (CVE-2014-9913)

  - Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to     cause a denial of service (crash) via a large compression method value in the central directory file     header. (CVE-2016-9844)

  - Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between     the compressed-size value and the uncompressed-size value, because a buffer size is 10 and is supposed to     be 12. (CVE-2018-18384)

  - A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-     protected archives that allows an attacker to perform a denial of service or to possibly achieve code     execution. (CVE-2018-1000035)

  - Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of     service (resource consumption), aka a better zip bomb issue. (CVE-2019-13232)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the unzip package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Info-ZIP UnZip 6.0 allows remote attackers to cause a     denial of service (heap-based buffer over-read and     application crash) or possibly execute arbitrary code     via a crafted password-protected ZIP archive, possibly     related to an Extra-Field size value.(CVE-2015-7696)

  - Info-ZIP UnZip 6.0 allows remote attackers to cause a     denial of service (infinite loop) via empty bzip2 data     in a ZIP archive.(CVE-2015-7697)

  - A heap-based buffer overflow exists in Info-Zip UnZip     version <= 6.00 in the processing of password-protected     archives that allows an attacker to perform a denial of     service or to possibly achieve code     execution.(CVE-2018-1000035)

  - Buffer overflow in the list_files function in list.c in     Info-Zip UnZip 6.0 allows remote attackers to cause a     denial of service (crash) via vectors related to the     compression method.(CVE-2014-9913)

  - Buffer overflow in the zi_short function in zipinfo.c     in Info-Zip UnZip 6.0 allows remote attackers to cause     a denial of service (crash) via a large compression     method value in the central directory file     header.(CVE-2016-9844)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New infozip packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

An update of the unzip package has been released.

This update for unzip fixes the following security issues :

  - CVE-2014-9913: Specially crafted zip files could trigger     invalid memory writes possibly resulting in DoS or     corruption (bsc#1013993)

  - CVE-2015-7696: Specially crafted zip files with password     protection could trigger a crash and lead to denial of     service (bsc#950110)

  - CVE-2015-7697: Specially crafted zip files could trigger     an endless loop and lead to denial of service     (bsc#950111)

  - CVE-2016-9844: Specially crafted zip files could trigger     invalid memory writes possibly resulting in DoS or     corruption (bsc#1013992)

  - CVE-2018-1000035: Prevent heap-based buffer overflow in     the processing of password-protected archives that     allowed an attacker to perform a denial of service or to     possibly achieve code execution (bsc#1080074).

  - CVE-2014-9636: Prevent denial of service (out-of-bounds     read or write and crash) via an extra field with an     uncompressed size smaller than the compressed field size     in a zip archive that advertises STORED method     compression (bsc#914442).

This non-security issue was fixed :

  - Allow processing of Windows zip64 archives (Windows     archivers set total_disks field to 0 but per standard,     valid values are 1 and higher) (bnc#910683)

This update was imported from the SUSE:SLE-12:Update update project.

This update for unzip fixes the following security issues :

CVE-2014-9913: Specially crafted zip files could trigger invalid memory writes possibly resulting in DoS or corruption (bsc#1013993)

CVE-2015-7696: Specially crafted zip files with password protection could trigger a crash and lead to denial of service (bsc#950110)

CVE-2015-7697: Specially crafted zip files could trigger an endless loop and lead to denial of service (bsc#950111)

CVE-2016-9844: Specially crafted zip files could trigger invalid memory writes possibly resulting in DoS or corruption (bsc#1013992)

CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of password-protected archives that allowed an attacker to perform a denial of service or to possibly achieve code execution (bsc#1080074).

CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression (bsc#914442).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of [openjdk,openjre,bash,libtar,glibc,libgcrypt,strongswan,unzip] packages for PhotonOS has been released.

An update of {'unzip', 'libtar'} packages of Photon OS has been released.

According to the versions of the unzip package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Buffer overflow in the list_files function in list.c in     Info-Zip UnZip 6.0 allows remote attackers to cause a     denial of service (crash) via vectors related to the     compression method.(CVE-2014-9913)

  - Buffer overflow in the zi_short function in zipinfo.c     in Info-Zip UnZip 6.0 allows remote attackers to cause     a denial of service (crash) via a large compression     method value in the central directory file     header.(CVE-2016-9844)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for unzip fixes the following issues :

  - CVE-2014-9913: Specially crafted zip files could trigger     invalid memory writes possibly resulting in DoS or     corruption (bsc#1013993)

  - CVE-2015-7696: Specially crafted zip files with password     protection could trigger a crash and lead to denial of     service (bsc#950110)

  - CVE-2015-7697: Specially crafted zip files could trigger     an endless loop and lead to denial of service     (bsc#950111)

  - CVE-2016-9844: Specially crafted zip files could trigger     invalid memory writes possibly resulting in DoS or     corruption (bsc#1013992)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2016-9844

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

'unzip -l' (CVE-2014-9913) and 'zipinfo' (CVE-2016-9844) were vulnerable to buffer overflows when provided malformed or maliciously-crafted ZIP files.

For Debian 7 'Wheezy', these problems have been fixed in version 6.0-8+deb7u6.

We recommend that you upgrade your unzip packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
146632	Amazon Linux 2 : unzip (ALAS-2021-1604)	Nessus	Amazon Linux Local Security Checks	high
144337	Ubuntu 16.04 LTS / 18.04 LTS : unzip vulnerabilities (USN-4672-1)	Nessus	Ubuntu Local Security Checks	high
131583	EulerOS 2.0 SP2 : unzip (EulerOS-SA-2019-2429)	Nessus	Huawei Local Security Checks	high
122576	Slackware 14.0 / 14.1 / 14.2 / current : infozip (SSA:2019-060-01)	Nessus	Slackware Local Security Checks	high
121930	Photon OS 2.0: Unzip PHSA-2018-2.0-0029	Nessus	PhotonOS Local Security Checks	medium
117981	openSUSE Security Update : unzip (openSUSE-2018-1124)	Nessus	SuSE Local Security Checks	high
117902	SUSE SLED12 / SLES12 Security Update : unzip (SUSE-SU-2018:2978-1)	Nessus	SuSE Local Security Checks	high
111889	Photon OS 1.0: Bash / Glibc / Libgcrypt / Libtar / Openjdk / Openjre / Strongswan / Unzip PHSA-2017-0040 (deprecated)	Nessus	PhotonOS Local Security Checks	critical
111293	Photon OS 2.0 : unzip / libtar (PhotonOS-PHSA-2018-2.0-0029) (deprecated)	Nessus	PhotonOS Local Security Checks	high
110746	EulerOS 2.0 SP3 : unzip (EulerOS-SA-2018-1170)	Nessus	Huawei Local Security Checks	medium
97654	SUSE SLES11 Security Update : unzip (SUSE-SU-2017:0639-1)	Nessus	SuSE Local Security Checks	medium
96022	Fedora 24 : unzip (2016-80a2fba8aa)	Nessus	Fedora Local Security Checks	medium
96020	Fedora 25 : unzip (2016-3b4de2babd)	Nessus	Fedora Local Security Checks	medium
95774	Debian DLA-741-1 : unzip security update	Nessus	Debian Local Security Checks	medium

CVE-2016-9844

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

medium

high

high

critical

high

medium

medium

medium

medium

medium