GNU bug report logs - #78639
Uninitialised read in check_zipfile() (gzip 1.14)


Package: gzip;

Reported by: Zephyr official <zephyrofficialdiscord <at> gmail.com>

Date: Fri, 30 May 2025 03:59:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

Full log



From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Zephyr official <zephyrofficialdiscord <at> gmail.com>
Subject: bug#78639: closed (Re: bug#78639: Uninitialised read in
 check_zipfile() (gzip 1.14))
Date: Fri, 30 May 2025 06:11:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#78639: Uninitialised read in check_zipfile() (gzip 1.14)

which was filed against the gzip package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 78639 <at> debbugs.gnu.org.

-- 
78639: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78639
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Zephyr official <zephyrofficialdiscord <at> gmail.com>
Cc: 78639-done <at> debbugs.gnu.org
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Thu, 29 May 2025 23:10:18 -0700
[Message part 3 (text/plain, inline)]
Thanks for the bug report and proposed fix. I installed the attached, 
which should fix the gzip bug in a different way.

I think the bug is innocuous in practice, but it's good to fix it anyway 
as these things tend to mushroom.
[0001-gzip-fix-uninitialized-read.patch (text/x-patch, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Zephyr official <zephyrofficialdiscord <at> gmail.com>
To: bug-gzip <at> gnu.org
Subject: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 01:25:14 +0100
[Message part 6 (text/plain, inline)]
Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
      504B0304 1400 0000 0000 0000 0000 00000000 \
      01000000 01000000           | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
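Review bot: the `goto bad_zip` target is not part of the hunk, so it is not visible whether check_zipfile() has such a label or what that path does; the label and its error handling (reporting the file as invalid and setting the error exit status) belong in the diff. Two smaller points on the added check: if `insize` and `inptr` are unsigned, `insize - inptr < LOCHDR` wraps to a huge value should `inptr` ever exceed `insize`, so `if (insize < inptr || insize - inptr < LOCHDR)` is the wrap-free form; and the guard only covers the two SH() reads on the following line, not the advanced `inptr`, so a later bounds check on `inptr` against `insize` is still required. Also, the `@@` header has no line ranges, so the patch will not apply with patch(1) as posted.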

Best regards,
Mohamed Maatallah

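The truncated-header case the report describes, as an added example that is not part of the bug report, of the reporter's patch, or of gzip's own unzip.c: a bounds-checked local-header skip that refuses to read the file-name and extra-field lengths unless all 30 header bytes are present, and also refuses a header whose declared name/extra lengths would run past the bytes actually read. The function and check_* names are hypothetical; the LOCSIG/LOCHDR/LOCFIL/LOCEXT names follow gzip, with the values (offsets 26 and 28, fixed size 30) taken from the ZIP format specification. The sample inputs are constructed: poc[] is the 26-byte header from the report's hex dump, the other two are variants built here.

```c
#include <stddef.h>
#include <stdio.h>

/* PKZIP local file header: 4-byte signature "PK\3\4", fixed fields, the
   2-byte file-name length at offset 26 and the 2-byte extra-field length at
   offset 28, so the fixed part is 30 bytes. Names follow gzip's unzip.c;
   values are from the ZIP format specification. */
#define LOCSIG 0x04034b50UL
#define LOCHDR 30
#define LOCFIL 26
#define LOCEXT 28

/* Little-endian readers. They are only called on bytes that
   skip_local_header() has already shown to lie inside the buffer. */
static unsigned sh(const unsigned char *p)
{
    return p[0] | ((unsigned)p[1] << 8);
}

static unsigned long lg(const unsigned char *p)
{
    return sh(p) | ((unsigned long)sh(p + 2) << 16);
}

/* Hypothetical hardened form of the header skip (not gzip's code).
   buf[0..insize) are the bytes actually read from the file; inptr is the
   current read offset. Returns the offset of the compressed data, or -1 if
   the header is truncated, has the wrong signature, or claims name/extra
   fields that run past the end of the buffer. Nothing is read before the
   bytes it needs are known to exist, so stale or uninitialised buffer
   contents beyond insize are never consulted. */
long skip_local_header(const unsigned char *buf, size_t insize, size_t inptr)
{
    /* Test inptr > insize first: with unsigned operands, insize - inptr
       would otherwise wrap to a huge value and the size check would pass. */
    if (inptr > insize || insize - inptr < LOCHDR)
        return -1;                         /* fewer than 30 bytes: truncated */

    const unsigned char *h = buf + inptr;
    if (lg(h) != LOCSIG)
        return -1;                         /* not a local file header */

    /* Both 2-byte reads below sit inside the 30 bytes just verified. */
    size_t skip = LOCHDR + sh(h + LOCFIL) + sh(h + LOCEXT);
    if (skip > insize - inptr)
        return -1;                         /* name/extra fields run off the end */

    return (long)(inptr + skip);
}

/* Constructed inputs. poc[] is the 26-byte header from the report's hex
   dump; ok[] is a complete header with a one-byte file name and no extra
   field; bad_len[] is the same header claiming a 65535-byte file name. */
static const unsigned char poc[] = {
    0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x00
};
static const unsigned char ok[] = {
    0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 'a'
};
static const unsigned char bad_len[] = {
    0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 'a'
};

long check_poc(void)     { return skip_local_header(poc, sizeof poc, 0); }
long check_ok(void)      { return skip_local_header(ok, sizeof ok, 0); }
long check_bad_len(void) { return skip_local_header(bad_len, sizeof bad_len, 0); }

int main(void)
{
    printf("26-byte header from the report : %ld\n", check_poc());     /* -1 */
    printf("complete header, 1-byte name   : %ld\n", check_ok());      /* 31 */
    printf("header claiming 65535-byte name: %ld\n", check_bad_len()); /* -1 */
    return 0;
}
```

The ordering of the two conditions in the first `if` is the point of the example: the length check must come before any byte of the header is dereferenced, and the `inptr > insize` test must come before the subtraction so that an unsigned wrap cannot turn a truncated buffer into an apparently large one. The third check closes the remaining gap, a header whose own length fields point past the data that was read.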