Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5456F860.5030909@redhat.com>
Date: Mon, 03 Nov 2014 14:37:04 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: unzip -t crasher

On 11/03/2014 05:06 AM, Jakub Wilk wrote:
> Latest American fuzzy lop[0] tarball[1] contains a zip file that crashes
> unzip -t:
>
> $ unzip -qt afl-0.43b/docs/samples/unzip_t_malloc.zip
> foo/:  mismatching "local" filename (™/UT),
>          continuing with "central" filename version
> *** Error in `unzip': free(): corrupted unsorted chunks:
> 0x00000000015d0170 ***
>
> I'm not sure if inclusion of said zip file was intentional, but since
> the cat is already out of the bag, I thought I'll let you know.
>
> [0] https://code.google.com/p/american-fuzzy-lop/
> [1] http://lcamtuf.coredump.cx/afl.tgz
>

Hi,

I had a quick look at unzip-6.0-12.fc20. It did not crash there for me 
but there are invalid reads and an invalid write.

For the invalid write, the problem may manifest here in memextract():

2282             memcpy((char *)tgt, (char *)G.inptr, (extent)G.incnt);

On my system, G.incnt was 52729.

Cheers,

--
Murray McAllister / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.