GNU bug report logs - #30415
Unzip CVE-2018-1000031 and others

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 10 Feb 2018 18:58:01 UTC

Severity: normal

Done: Leo Famulari <leo <at> famulari.name>

Report forwarded to bug-guix <at> gnu.org:
bug#30415; Package guix. (Sat, 10 Feb 2018 18:58:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sat, 10 Feb 2018 18:58:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Unzip CVE-2018-1000031 and others
Date: Sat, 10 Feb 2018 13:57:28 -0500
[Message part 1 (text/plain, inline)]
We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
CVE-2018-1000034, CVE-2018-1000035 in UnZip:

http://seclists.org/oss-sec/2018/q1/134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 etc.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#30415; Package guix. (Sun, 11 Feb 2018 15:10:03 GMT)

Message #8 received at 30415 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 30415 <at> debbugs.gnu.org
Subject: RE: Unzip CVE-2018-1000031 and others
Date: Sun, 11 Feb 2018 10:09:49 -0500
[Message part 1 (text/plain, inline)]
The 3rd-party security advisory suggests that the bugs are fixed in
UnZip 6.1c23:

https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html

See unzip610c23.zip here:

http://antinode.info/ftp/info-zip/

Unfortunately, this is a zip file, unlike the 9 year old tarball on the
UnZip SourceForge page.

Any advice? I suppose we could keep the old UnZip package just to unpack
the new one.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#30415; Package guix. (Sun, 11 Feb 2018 15:36:02 GMT)

Message #11 received at 30415 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 30415 <at> debbugs.gnu.org
Subject: Re: Unzip CVE-2018-1000031 and others
Date: Sun, 11 Feb 2018 10:35:48 -0500
[Message part 1 (text/plain, inline)]
On Sat, Feb 10, 2018 at 01:57:28PM -0500, Leo Famulari wrote:
> We need to fix CVE-2018-1000031, CVE-2018-1000032, CVE-2018-1000033,
> CVE-2018-1000034, CVE-2018-1000035 in UnZip:
> 
> http://seclists.org/oss-sec/2018/q1/134
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000031 etc.

Okay, the advisory says that only CVE-2018-1000035 affects our UnZip 6.0
package; the other bugs were apparently introduced after that.

And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
more.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#30415; Package guix. (Mon, 12 Feb 2018 18:59:02 GMT)

Message #14 received at 30415 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 30415 <at> debbugs.gnu.org
Subject: Re: Unzip CVE-2018-1000031 and others
Date: Mon, 12 Feb 2018 13:58:02 -0500
[Message part 1 (text/plain, inline)]
On Sun, Feb 11, 2018 at 10:35:48AM -0500, Leo Famulari wrote:
> And CVE-2018-1000035 may be mitigated by the compiler. I'll investigate
> more.

The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
to reduce the impact of the bug. The attached patch does that.

AFAICT, the proof-of-concept zip file is not published, and there is no
upstream patch.
[0001-gnu-unzip-Mitigate-CVE-2018-1000035.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
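Whether the flag actually reached the binary is worth checking, because `_FORTIFY_SOURCE` is inert without compiler optimization and only covers call sites whose destination buffer size the compiler can determine. The following Python script is an added example, not code from this thread, from Guix or from UnZip: it reads the undefined symbols a binary imports (the `U` lines of `nm -D`) and reports which fortifiable glibc functions appear in their bounds-checked `__*_chk` form, which still appear only in plain form, and whether the stack protector is linked in. The `nm` listing embedded below is constructed for illustration; `report_for_binary` runs the real `nm` on a path you give it when binutils is on PATH.

```python
import re
import shutil
import subprocess
import sys

# glibc functions that gain a bounds-checked __<name>_chk variant under _FORTIFY_SOURCE.
FORTIFIABLE = (
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "vsprintf", "vsnprintf", "fgets", "read", "printf",
)

# Constructed sample of `nm -D` output for a hypothetical unzip binary (not real data).
SAMPLE_NM_OUTPUT = """\
                 U __memcpy_chk@GLIBC_2.3.4
                 U __strcpy_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U memcpy@GLIBC_2.14
                 U strcpy@GLIBC_2.2.5
                 U strcat@GLIBC_2.2.5
                 U fopen@GLIBC_2.2.5
0000000000004010 T main
"""


def parse_undefined_symbols(nm_output):
    """Return the set of symbol names a binary imports (nm's 'U' lines, version suffix stripped)."""
    names = set()
    for line in nm_output.splitlines():
        match = re.match(r"\s*U\s+(\S+)", line)
        if match:
            names.add(match.group(1).split("@", 1)[0])
    return names


def fortification_report(symbols):
    """Classify fortifiable functions by whether the binary imports their checked variant.

    A function present under both 'checked' and 'unchecked' means the compiler could
    fortify some call sites but not others (destination size unknown there); a
    function only under 'never_checked' has no protected call site at all.  An empty
    'checked' list with plain calls present is what a build without -O looks like.
    """
    checked = {f for f in FORTIFIABLE if f"__{f}_chk" in symbols}
    plain = {f for f in FORTIFIABLE if f in symbols}
    return {
        "checked": sorted(checked),
        "unchecked": sorted(plain),
        "never_checked": sorted(plain - checked),
        "stack_protector": "__stack_chk_fail" in symbols,
        "fortified_at_all": bool(checked),
    }


def report_for_binary(path):
    """Run `nm -D` on a real binary (needs binutils) and return its fortification report."""
    nm = shutil.which("nm")
    if nm is None:
        raise RuntimeError("nm not found; install binutils")
    result = subprocess.run([nm, "-D", path], capture_output=True, text=True, check=True)
    return fortification_report(parse_undefined_symbols(result.stdout))


if __name__ == "__main__":
    # With a path argument, inspect that binary; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        report = report_for_binary(sys.argv[1])
    else:
        report = fortification_report(parse_undefined_symbols(SAMPLE_NM_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows `memcpy` and `strcpy` partly fortified, `strcat` never checked, and the stack protector present. For a real Guix build, run it against the `unzip` in the package's output path; if `checked` comes back empty, the `-D_FORTIFY_SOURCE=1` flag never took effect, most likely because the objects were compiled without optimization.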

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 13 Feb 2018 14:52:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 13 Feb 2018 14:52:01 GMT)

Message #19 received at 30415-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ricardo Wurmus <rekado <at> elephly.net>
Cc: 30415-done <at> debbugs.gnu.org
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:51:35 -0500
[Message part 1 (text/plain, inline)]
On Tue, Feb 13, 2018 at 09:01:44AM +0100, Ricardo Wurmus wrote:
> 
> Hi Leo,
> 
> > The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> > to reduce the impact of the bug. The attached patch does that.
> […]
> > +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> > +                 ;; This environment variable is recommended in 'unix/Makefile'
> > +                 ;; for passing flags to the C compiler.
> > +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> > +                 #t))))))))
> 
> This looks good to me.  Thank you!

Thanks, pushed as 77737e035491112a1e9c7d9a0e6f1e0397a4f930
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#30415; Package guix. (Wed, 14 Feb 2018 11:49:02 GMT)

Message #22 received at 30415 <at> debbugs.gnu.org:

From: Ricardo Wurmus <rekado <at> elephly.net>
To: Leo Famulari <leo <at> famulari.name>
Cc: 30415 <at> debbugs.gnu.org
Subject: Re: bug#30415: Unzip CVE-2018-1000031 and others
Date: Tue, 13 Feb 2018 09:01:44 +0100
Hi Leo,

> The researcher's advisory recommends building UnZip with FORTIFY_SOURCE
> to reduce the impact of the bug. The attached patch does that.
[…]
> +                 ;; Mitigate CVE-2018-1000035, an exploitable buffer overflow.
> +                 ;; This environment variable is recommended in 'unix/Makefile'
> +                 ;; for passing flags to the C compiler.
> +                 (setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")
> +                 #t))))))))
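Review bot: `-D_FORTIFY_SOURCE=1` is a no-op unless the C compiler also optimizes (`-O1` or higher), and it only checks calls whose destination buffer size the compiler can see, so the `(setenv "LOCAL_UNZIP" "-D_FORTIFY_SOURCE=1")` line mitigates the overflow only as far as `unix/Makefile` keeps optimization on for the affected objects; it would be worth confirming that the built `unzip` imports `__*_chk` symbols rather than only the plain functions. Level 2 (`-D_FORTIFY_SOURCE=2`) adds stricter checks and is the usual distribution default, so consider it if UnZip still builds and passes its tests with it; the comment could also say this is a mitigation rather than a fix, since the message above notes there is no upstream patch.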

This looks good to me.  Thank you!

-- 
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net






bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 15 Mar 2018 11:24:05 GMT)

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.