exploit the possibilities

libzip 0.10 Heap Overflow / Information Leak

libzip 0.10 Heap Overflow / Information Leak
Posted Mar 28, 2012
Authored by Timo Warns, Thomas Klausner | Site pre-cert.de

libzip versions 0.10 and below suffers from heap overflow and information leak vulnerabilities.

tags | advisory, overflow, vulnerability
advisories | CVE-2012-1162, CVE-2012-1163
MD5 | 57c548e1fcc2b9b7bad921642b8dc800

libzip 0.10 Heap Overflow / Information Leak

Change Mirror Download
PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-02
* Released on: 21st March 2012
* Affected products: libzip <= 0.10
PHP 5.4.0
PHP <= 5.3.10
zipruby <= 0.3.6
* Impact: heap overflow, information leak
* Credit: - Thomas Klausner
- Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2012-1162
- CVE-2012-1163


Summary
-------

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.

On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:

(192) /* number of cdir-entries */
(193) nentry = _zip_read2(&cdp);

Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory
entries:

(104) if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.

_zip_readcdir finishes with reading in the directory entries in
a posttest do-while loop:

(260) do {
(261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
...
(277) } while (i<cd->nentry && left > 0);

If cd->entry points to 0 bytes of allocated memory, _zip_dirent
writes beyond the allocated memory.

* CVE-2012-1163

libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks).

On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:

(198) cd->size = _zip_read4(&cdp);
(199) cd->offset = _zip_read4(&cdp);

libzip performs a consistency check on these values, but does not
anticipate an integer overflow:

(203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.


Solution
--------

The issue was fixed in the following versions:

libzip 0.10.1

The issue was not fixed in PHP and zipruby yet.


References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-02.txt


Contact
--------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close