From unknown Sun Aug 10 11:50:50 2025
From: bug#78639 <78639@debbugs.gnu.org>
To: bug#78639 <78639@debbugs.gnu.org>
Subject: Status: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Sun, 10 Aug 2025 18:50:50 +0000

retitle 78639 Uninitialised read in check_zipfile() (gzip 1.14)
reassign 78639 gzip
submitter 78639 Zephyr official
severity 78639 normal
thanks

From debbugs-submit-bounces@debbugs.gnu.org Thu May 29 23:58:22 2025
From: Zephyr official
To: bug-gzip@gnu.org
Date: Fri, 30 May 2025 01:25:14 +0100
Subject: Uninitialised read in check_zipfile() (gzip 1.14)

Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
        504B0304 1400 0000 0000 0000 0000 00000000 \
        01000000 01000000                          | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);

Best regards,
Mohamed Maatallah
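Review bot: `goto bad_zip` on the added line jumps to a label that neither this hunk nor its shown context defines, and the `@@` header carries no line ranges, so the patch cannot be applied as posted; routing the short-header case through check_zipfile()'s existing error return, or adding the label within the same hunk, would make the fix self-contained. A one-line comment that `insize - inptr` is unsigned arithmetic, so the test presumes `inptr <= insize` on entry, would also help the next reader.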
From debbugs-submit-bounces@debbugs.gnu.org Fri May 30 02:10:34 2025
From: Paul Eggert
Organization: UCLA Computer Science Department
To: Zephyr official
Cc: 78639-done@debbugs.gnu.org
Date: Thu, 29 May 2025 23:10:18 -0700
Message-ID: <9e53cf8c-5694-45e8-a76d-5394c05dd6e2@cs.ucla.edu>
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)

Thanks for the bug report and proposed fix. I installed the attached,
which should fix the gzip bug in a different way.

I think the bug is innocuous in practice, but it's good to fix it anyway
as these things tend to mushroom.
Attachment: 0001-gzip-fix-uninitialized-read.patch (text/x-patch)

From c5e789971dfbc999cde5d1ce526a4422310617b8 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 29 May 2025 23:06:19 -0700
Subject: [PATCH] gzip: fix uninitialized read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem reported by Mohamed Maatallah <https://bugs.gnu.org/78639>.
* unzip.c (check_zipfile):
Don’t read past end of initialized data in the input buffer.
---
 NEWS    | 5 +++++
 THANKS  | 1 +
 unzip.c | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 1698401..9be1a87 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ GNU gzip NEWS                                    -*- outline -*-
 
 * Noteworthy changes in release ?.? (????-??-??) [?]
 
+** Bug fixes
+
+  A use of uninitialized memory on some malformed inputs has been fixed.
+  [bug present since the beginning]
+
 
 * Noteworthy changes in release 1.14 (2025-04-09) [stable]
 
diff --git a/THANKS b/THANKS
index 6373fea..4e545d9 100644
--- a/THANKS
+++ b/THANKS
@@ -184,6 +184,7 @@ David R. Linn		drl@vuse.vanderbilt.edu
 Antonio Lioy            cat@athena.polito.it
 Jamie Lokier            u90jl@ecs.oxford.ac.uk
 Richard Lloyd           R.K.Lloyd@csc.liv.ac.uk
+Mohamed Maatallah	zephyrofficialdiscord@gmail.com
 David J. MacKenzie	djm@eng.umd.edu
 John R MacMillan        john@chance.gts.org
 Ron Male                male@eso.mc.xerox.com
diff --git a/unzip.c b/unzip.c
index 9880408..1bd9ca7 100644
--- a/unzip.c
+++ b/unzip.c
@@ -69,7 +69,9 @@ check_zipfile (int in)
     ifd = in;
 
     /* Check validity of local header, and skip name and extra fields */
-    inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
+    inptr += LOCHDR;
+    if (inptr <= insize)
+      inptr += SH(h + LOCFIL) + SH(h + LOCEXT);
 
     if (inptr > insize || LG(h) != LOCSIG) {
         fprintf(stderr, "\n%s: %s: not a valid zip file\n",
-- 
2.48.1
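Review bot: the NEWS hunk says only that uninitialized memory was used on "some malformed inputs"; naming the trigger would let packagers match the entry to this report without reading unzip.c, e.g. "A use of uninitialized memory when checking a truncated zip local header has been fixed."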
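Review bot: in the unzip.c hunk the guard `if (inptr <= insize)` is sound only because the two fields it protects sit inside the fixed header (LOCFIL and LOCEXT are offsets 26 and 28, below the 30 bytes that `inptr += LOCHDR` has just accounted for); a short comment stating that invariant would keep a later reordering from silently reintroducing the read. The following `inptr > insize || LG(h) != LOCSIG` test is what rejects the short header, and it short-circuits before LG(h) is evaluated, so it is worth saying in the comment that the fix relies on that ordering too.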
From debbugs-submit-bounces@debbugs.gnu.org Fri May 30 09:16:23 2025
From: Zephyr official
To: 78639@debbugs.gnu.org
Date: Fri, 30 May 2025 14:16:03 +0100
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)

Hi Paul,

Thanks for the patch and for looking into this.

I've been digging a bit further into the interaction. Your patch `c5e7899`
tightens the bounds for `SH(h + LOCFIL)` and `SH(h + LOCEXT)` within
`check_zipfile()`, but there appears to be an uninitialized read of inbuf[3]
during the initial PKZIP magic number check in `gzip.c:get_method()` also.

This occurs when `DYN_ALLOC` is active (making `inbuf` uninitialized heap)
and `insize` is precisely 3 due to a short input like PK\x03. The
memcmp((char*)inbuf, PKZIP_MAGIC, 4) in `get_method()` will access inbuf[3]
before check_zipfile() is even invoked for that path.

This can be demonstrated with:

    printf "\x50\x4B\x03" > trigger.dat
    # Assuming gzip compiled with DYN_ALLOC and your patch c5e7899
    valgrind --track-origins=yes ./gzip -tv trigger.dat

Best regards,
Mohamed Maatallah

On Fri, May 30, 2025 at 7:10 AM Paul Eggert wrote:
> Thanks for the bug report and proposed fix. I installed the attached,
> which should fix the gzip bug in a different way.
>
> I think the bug is innocuous in practice, but it's good to fix it anyway
> as these things tend to mushroom.

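The two short-read cases raised in this thread, the 4-byte PKZIP magic compare in get_method() when fewer than 4 bytes were read (this message) and the length-field reads at offsets 26 and 28 of a local header shorter than 30 bytes (the original report), as one added C example. This is editor-written illustration code, not gzip's own: check_local_header(), the probe_* functions, the zip_status enum and the constructed inputs are this example's assumptions; only the LOCSIG/LOCHDR/LOCFIL/LOCEXT constants mirror the zip local-header layout the thread refers to.

```c
/* Added example, not gzip's code: a bounds-checked model of the two reads
 * discussed in bug#78639. check_local_header() looks only at the `len`
 * bytes actually read into buf, so neither the 4-byte magic compare nor
 * the 16-bit length fields at offsets 26/28 can touch unread memory.
 * Function names, the zip_status enum and the sample inputs are this
 * example's own; the LOC* constants mirror the zip local-header layout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCSIG 0x04034b50UL /* "PK\3\4" read little-endian */
#define LOCHDR 30           /* fixed part of the local file header */
#define LOCFIL 26           /* offset of the 16-bit file-name length */
#define LOCEXT 28           /* offset of the 16-bit extra-field length */

enum zip_status { ZIP_NOT_ZIP = 0, ZIP_OK, ZIP_TRUNCATED, ZIP_BAD_SIG };

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16);
}

/* Mirrors the order of gzip's checks: first the get_method()-style magic
 * test, then the check_zipfile()-style header walk. On ZIP_OK, *data_off
 * is the offset of the compressed data (header + name + extra field). */
enum zip_status check_local_header(const unsigned char *buf, size_t len,
                                   size_t *data_off)
{
    /* Never memcmp more bytes than were read: a 3-byte "PK\3" input
     * must fail here without touching buf[3]. */
    if (len < 4 || memcmp(buf, "PK\x03\x04", 4) != 0)
        return ZIP_NOT_ZIP;

    /* The two length fields live at offsets 26 and 28, so the whole
     * 30-byte fixed header must be present before they are read. */
    if (len < LOCHDR)
        return ZIP_TRUNCATED;
    if (rd32(buf) != LOCSIG)
        return ZIP_BAD_SIG;

    /* Name and extra field follow the fixed header; their lengths come
     * from the file, so the sum is checked against len, not trusted. */
    size_t end = LOCHDR + rd16(buf + LOCFIL) + rd16(buf + LOCEXT);
    if (end > len)
        return ZIP_TRUNCATED;

    *data_off = end;
    return ZIP_OK;
}

/* Constructed input matching the report's 26-byte poc.zip: valid magic,
 * but the file ends before the length fields at offsets 26 and 28. */
enum zip_status probe_reporter_poc(void)
{
    static const unsigned char poc[26] = {
        'P', 'K', 3, 4, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0,
        0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0 };
    size_t off = 0;
    return check_local_header(poc, sizeof poc, &off);
}

/* Constructed 3-byte input from the follow-up message: "PK\3". */
enum zip_status probe_three_byte_input(void)
{
    static const unsigned char t[3] = { 'P', 'K', 3 };
    size_t off = 0;
    return check_local_header(t, sizeof t, &off);
}

/* Constructed well-formed header: 5-byte name "a.txt", no extra field,
 * followed by 5 placeholder data bytes; data should start at offset 35. */
enum zip_status probe_valid_header(size_t *data_off)
{
    unsigned char buf[40];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "PK\x03\x04", 4);
    buf[LOCFIL] = 5;                 /* name length = 5, little-endian */
    memcpy(buf + LOCHDR, "a.txt", 5);
    return check_local_header(buf, sizeof buf, data_off);
}

/* Same header but the name length claims 0xFFFF bytes: the walk would
 * run far past the bytes read, so it must be rejected, not skipped into. */
enum zip_status probe_oversized_name(void)
{
    unsigned char buf[40];
    memset(buf, 0, sizeof buf);
    memcpy(buf, "PK\x03\x04", 4);
    buf[LOCFIL] = 0xff;
    buf[LOCFIL + 1] = 0xff;
    size_t off = 0;
    return check_local_header(buf, sizeof buf, &off);
}

int main(void)
{
    static const char *name[] = { "not a zip", "ok", "truncated", "bad signature" };
    size_t off = 0;
    printf("reporter poc.zip : %s\n", name[probe_reporter_poc()]);
    printf("3-byte PK\\3     : %s\n", name[probe_three_byte_input()]);
    printf("valid header     : %s (data at %zu)\n", name[probe_valid_header(&off)], off);
    printf("oversized name   : %s\n", name[probe_oversized_name()]);
    return 0;
}
```

The design point is that every read is gated on `len`, the byte count actually filled, rather than on the capacity of the buffer; that is the same invariant both of Paul's patches restore in gzip, where `insize` plays the role of `len` and the rest of `inbuf` may be uninitialised heap under DYN_ALLOC.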
From debbugs-submit-bounces@debbugs.gnu.org Fri May 30 15:28:21 2025
From: Paul Eggert
Organization: UCLA Computer Science Department
To: Zephyr official
Cc: 78639@debbugs.gnu.org
Date: Fri, 30 May 2025 12:28:12 -0700
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)

Thanks, I installed the attached additional patch.
Attachment: 0001-gzip-fix-another-uninitialized-read.patch (text/x-patch)

From b1de0e782a291c46e26777005893eeca142e0490 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Fri, 30 May 2025 12:23:42 -0700
Subject: [PATCH] gzip: fix another uninitialized read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This can occur if you define DYNALLOC.
Problem reported by Mohamed Maatallah <https://bugs.gnu.org/78639#13>.
* gzip.c (get_method): Don’t memcmp more bytes than were read.
Also, no need to do two memcmp’s now, or to check inptr.
---
 gzip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gzip.c b/gzip.c
index 913fafe..0231ffa 100644
--- a/gzip.c
+++ b/gzip.c
@@ -1609,7 +1609,7 @@ get_method (int in)
             header_bytes = inptr + 2*4; /* include crc and size */
         }
 
-    } else if (memcmp(magic, PKZIP_MAGIC, 2) == 0 && inptr == 2
+    } else if (4 <= insize
             && memcmp((char*)inbuf, PKZIP_MAGIC, 4) == 0) {
         /* To simplify the code, we support a zip file when alone only.
          * We are thus guaranteed that the entire local header fits in inbuf.
-- 
2.48.1
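Review bot: dropping `inptr == 2` from the condition changes what is tested, not only how many bytes are compared: the old line tied the 4-byte compare to the position right after the first two magic bytes of the buffer were consumed, while the new `4 <= insize && memcmp((char*)inbuf, PKZIP_MAGIC, 4) == 0` inspects inbuf[0..3] wherever `inptr` currently stands. The context comment says zip is supported "when alone only", so please confirm get_method() cannot be entered again for a later member with `inptr != 2` while the buffer still begins with PK\3\4; if it can, keep `inptr == 2` alongside the new length test.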
From unknown Sun Aug 10 11:50:50 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 28 Jun 2025 11:24:14 +0000

# This is a fake control message.
# The action: bug archived.
thanks