GNU bug report logs - #78639
Uninitialised read in check_zipfile() (gzip 1.14)


Package: gzip;

Reported by: Zephyr official <zephyrofficialdiscord <at> gmail.com>

Date: Fri, 30 May 2025 03:59:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#78639: closed (Uninitialised read in check_zipfile() (gzip 1.14))
Date: Fri, 30 May 2025 06:11:02 +0000
Your message dated Thu, 29 May 2025 23:10:18 -0700
with message-id <9e53cf8c-5694-45e8-a76d-5394c05dd6e2 <at> cs.ucla.edu>
and subject line Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
has caused the debbugs.gnu.org bug report #78639,
regarding Uninitialised read in check_zipfile() (gzip 1.14)
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
78639: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78639
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Zephyr official <zephyrofficialdiscord <at> gmail.com>
To: bug-gzip <at> gnu.org
Subject: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 01:25:14 +0100
Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
      504B0304 1400 0000 0000 0000 0000 00000000 \
      01000000 01000000           | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
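Review bot: the new check only guarantees that the fixed 30-byte part (LOCHDR) of the local header is in the buffer; the unchanged line below still advances inptr by SH(h + LOCFIL) + SH(h + LOCEXT), two 16-bit lengths taken from the file itself, with no check in this hunk that the result stays within insize, so either bound those variable-length fields here as well or point at the later inptr/insize check this relies on. Also, if insize and inptr are unsigned, `insize - inptr` wraps whenever inptr > insize; writing the test as `if (insize < inptr + LOCHDR)` avoids that. Finally, the `bad_zip` label is not visible in the hunk; please show where it is defined and that it sets the error status and returns rather than continuing to parse.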

Best regards,
Mohamed Maatallah
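A bounds-checked version of the local-header walk the report describes, as an added example that is not gzip's code: it reuses the real LOCSIG/LOCFIL/LOCEXT/LOCHDR values from unzip.c but is a stand-alone function, and the three sample headers are constructed here (the 26-byte PoC from the report plus two made up for contrast).

```c
#include <stddef.h>
#include <stdio.h>

/* PKZIP local file header offsets as defined in gzip's unzip.c. */
#define LOCSIG 0x04034b50UL   /* "PK\3\4" signature */
#define LOCFIL 26             /* u16 filename length */
#define LOCEXT 28             /* u16 extra-field length */
#define LOCHDR 30             /* size of the fixed part */

/* Little-endian 16- and 32-bit reads, like gzip's SH() and LG() macros. */
static unsigned sh(const unsigned char *p) { return p[0] | (p[1] << 8); }
static unsigned long lg(const unsigned char *p) {
    return sh(p) | ((unsigned long)sh(p + 2) << 16);
}

/* Return the offset just past the local header (name and extra field
 * included), or 0 if the header does not fit inside buf[0..len).
 * Each length is checked before the bytes it covers are read, so a
 * truncated header or an oversized name/extra length cannot push the
 * caller past the end of the buffer. */
size_t zip_local_header_end(const unsigned char *buf, size_t len)
{
    if (len < LOCHDR)                      /* fixed part incomplete */
        return 0;
    if (lg(buf) != LOCSIG)                 /* wrong signature */
        return 0;
    size_t end = (size_t)LOCHDR + sh(buf + LOCFIL) + sh(buf + LOCEXT);
    if (end > len)                         /* name/extra overrun the data */
        return 0;
    return end;
}

/* Constructed samples: the 26-byte PoC from the report (cut before the
 * two length fields), a well-formed header with a 3-byte name, and a
 * 30-byte header whose filename length claims 65535 bytes. */
#define FIXED 0x50,0x4b,0x03,0x04, 0x14,0x00, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 1,0,0,0, 1,0,0,0
static const unsigned char truncated_hdr[26] = { FIXED };
static const unsigned char good_hdr[33]      = { FIXED, 3,0, 0,0, 'a','b','c' };
static const unsigned char lying_hdr[30]     = { FIXED, 0xff,0xff, 0,0 };

int main(void)
{
    printf("truncated: %zu\n", zip_local_header_end(truncated_hdr, sizeof truncated_hdr));
    printf("good:      %zu\n", zip_local_header_end(good_hdr, sizeof good_hdr));
    printf("lying:     %zu\n", zip_local_header_end(lying_hdr, sizeof lying_hdr));
    return 0;
}
```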
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Zephyr official <zephyrofficialdiscord <at> gmail.com>
Cc: 78639-done <at> debbugs.gnu.org
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Thu, 29 May 2025 23:10:18 -0700
Thanks for the bug report and proposed fix. I installed the attached, 
which should fix the gzip bug in a different way.

I think the bug is innocuous in practice, but it's good to fix it anyway 
as these things tend to mushroom.
[0001-gzip-fix-uninitialized-read.patch (text/x-patch, attachment)]

