CLD-450 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2014-9636 (tracked at: nvd, mitre, debian, archlinux, red hat, suse, ubuntu)

Basic Information:

Affected Package(s) unzip
Deficiency Type SECURITY
Date Created 2018-07-05 09:34:53
Date Last Modified 2018-07-06 09:42:20

Version Specific Information:

Cucumber 1.0 i686 fixed in unzip-6.0-i686-4
Cucumber 1.0 x86_64 fixed in unzip-6.0-x86_64-4

Cucumber 1.1 i686 fixed in unzip-6.0-i686-4
Cucumber 1.1 x86_64 fixed in unzip-6.0-x86_64-4

Details:

=================================== Overview ===================================

unzip 6.0 allows remote attackers to cause a denial of service (out-of-bounds
read or write and crash) via an extra field with an uncompressed size smaller
than the compressed field size in a zip archive that advertises STORED method
compression.

================================ Initial Report ================================

From http://seclists.org/oss-sec/2014/q4/1131:

Hello.

OOB access (both read and write) issues exist in test_compr_eb
(extract.c) that can result in application crash or other unspecified
impact.

This vulnerability can be triggered via crafted zip archives with extra
fields that advertise STORED method compression (i.e. no compression)
and have uncompressed field sizes smaller than the corresponding
compressed field sizes.

This issue is different from CVE-2014-8140 [1].

Please allocate a CVE identifier for this vulnerability.

--mancha


Timeline:

2014-10-24: Crasher bundled in afl
2014-11-02: Existence of crasher shared on OSS-SEC [2]
2014-11-03: Crasher analyzed and fix developed [3]
2014-11-03: Maintainer contacted [4]
2014-12-22: CVE requested

----
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8140
[2] http://seclists.org/oss-sec/2014/q4/489
[3] http://seclists.org/oss-sec/2014/q4/507
[4] http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450

============================ Additional Information ============================

See RedHat's analysis at https://bugzilla.redhat.com/show_bug.cgi?id=1184985.

================================= Our Analysis =================================

----- Affected Products -----
Unzip versions up to and including 6.0 are vulnerable. This includes unzip as
originally packaged in Cucumber Linux 1.0, 1.1 and current (as of Fri Jul  6
09:00:53 EDT 2018).

----- Scope and Impact of this Vulnerability -----
Allows for a denial of service (application crash) or other unspecified impact
when a user attempts to extract a maliciously crafted zip archive.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://bugzilla.redhat.com/attachment.cgi?id=990649.
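As an added illustration (not the Red Hat patch and not unzip's own code), the C below models the extra-block layout that test_compr_eb() in extract.c walks and applies the STORED size-consistency check that unzip 6.0 lacks. The layout constants, the error codes and the helper names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Layout of a "compressed extra field" block as unzip's test_compr_eb() in
 * extract.c walks it (constants are this example's assumptions modelled on
 * unzip's headers, not copied from the project): eb[0..1] header ID,
 * eb[2..3] eb_size = bytes following the 4-byte header; then within the
 * data: [0..3] uncompressed size (eb_ucsize), [compr_offset..+1] method
 * (0 = STORED), [compr_offset+2..+5] CRC, [compr_offset+6..] payload. */
#define EB_HEADSIZE    4
#define EB_UCSIZE_P    0
#define EB_CMPRHEADLEN 6
#define STORED         0

enum { EB_OK = 0, EB_TRUNC = 1, EB_SIZE_MISMATCH = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Validate one block before any bytes are copied out of it. The last check is
 * the one unzip 6.0 lacked: a STORED field whose advertised uncompressed size
 * differs from the bytes it carries is copied with the wrong length, so the
 * eb_ucsize-sized destination is overrun (write) or the source is over-read. */
int check_compr_eb(const uint8_t *eb, size_t buflen, uint16_t compr_offset)
{
    if (buflen < EB_HEADSIZE) return EB_TRUNC;
    uint16_t eb_size = rd16(eb + 2);
    if (buflen < (size_t)EB_HEADSIZE + eb_size) return EB_TRUNC;   /* block overruns buffer */
    if (compr_offset < 4) return EB_OK;                              /* field is not compressed */
    if (eb_size <= EB_UCSIZE_P + 4 || (size_t)compr_offset + EB_CMPRHEADLEN > eb_size)
        return EB_TRUNC;                                 /* no room for a compression header */
    const uint8_t *data = eb + EB_HEADSIZE;
    uint32_t eb_ucsize = rd32(data + EB_UCSIZE_P);
    uint32_t payload   = (uint32_t)eb_size - compr_offset - EB_CMPRHEADLEN;
    if (rd16(data + compr_offset) == STORED && payload != eb_ucsize) return EB_SIZE_MISMATCH;
    return EB_OK;
}

/* Construct a STORED block that advertises `advertised_ucsize` bytes while carrying
 * `payload_len`, then validate it. Sample data, not taken from any real archive. */
int stored_eb_verdict(uint32_t advertised_ucsize, uint16_t payload_len)
{
    uint8_t buf[256], *d = buf + EB_HEADSIZE;
    uint16_t compr_offset = 4, eb_size = (uint16_t)(compr_offset + EB_CMPRHEADLEN + payload_len);
    if ((size_t)EB_HEADSIZE + eb_size > sizeof buf) return EB_TRUNC;
    buf[0] = 0x00; buf[1] = 0x90; buf[2] = (uint8_t)eb_size; buf[3] = (uint8_t)(eb_size >> 8);
    for (int i = 0; i < 4; i++) d[i] = (uint8_t)(advertised_ucsize >> (8 * i));
    d[compr_offset] = STORED; d[compr_offset + 1] = 0;     /* method, little-endian */
    for (int i = 2; i < EB_CMPRHEADLEN; i++) d[compr_offset + i] = 0;  /* CRC, not checked here */
    for (int i = 0; i < payload_len; i++) d[compr_offset + EB_CMPRHEADLEN + i] = 0x41;
    return check_compr_eb(buf, (size_t)EB_HEADSIZE + eb_size, compr_offset);
}
```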

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt.