oss-sec mailing list archives
Re: SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip
From: Leo Famulari <leo () famulari name>
Date: Mon, 12 Feb 2018 17:31:47 -0500
On Thu, Feb 08, 2018 at 08:19:20AM +0100, SEC Consult Vulnerability Lab wrote:
> 1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)
> [...]
> As already mentioned, modern compilers replace unsafe functions with safe alternatives as a defense in depth mechanism. This feature is called BOSC (Built-in object size checking) and is part of the FORTIFY_SOURCE=2 protection. The following link shows the source code (and vulnerability) inside the Ubuntu package: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/unzip/trusty-updates/view/head:/fileio.c#L1593
If you are not sure how to pass flags to the compiler when building UnZip 6.0 (the Makefile does not respect CFLAGS), you should export them as LOCAL_UNZIP in the build environment. Quoting 'unix/Makefile':

# LOCAL_UNZIP is an environment variable that can be used to add default C flags
# to your compile without editing the Makefile (e.g., -DDEBUG_STRUC, or -FPi87
# on PCs using Microsoft C).

It took me a little too long to figure that out...
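As an added example (not part of Leo's message or of the UnZip project), the following POSIX shell script injects the FORTIFY_SOURCE flags through LOCAL_UNZIP as described above and then checks whether the resulting binary actually references fortified libc entry points. It assumes the UnZip 6.0 source tree is the current directory, that the `generic` target of unix/Makefile is used, and that `nm` from binutils is available.

```shell
#!/bin/sh
# Build UnZip 6.0 with FORTIFY_SOURCE and verify that the flags took effect.
# Assumption: run from the top of the UnZip 6.0 source tree.
set -e

# Flags to inject. unix/Makefile ignores CFLAGS from the environment but
# appends $LOCAL_UNZIP to its own compiler flags. FORTIFY_SOURCE needs
# optimisation (-O1 or higher) to do anything; -U first avoids a
# redefinition warning on toolchains that already predefine it.
hardening_flags() {
    printf '%s' '-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2'
}

# Build with the flags exported via LOCAL_UNZIP (assumed target: generic).
build_unzip() {
    LOCAL_UNZIP="$(hardening_flags)" make -f unix/Makefile generic
}

# Count fortified libc symbols imported by a binary. A fortified build
# references checked variants such as __memcpy_chk or __strcpy_chk;
# a count of 0 means the compiler never saw -D_FORTIFY_SOURCE=2.
# Prints 0 (and succeeds) when the file or nm is unavailable.
fortified_refs() {
    nm -D --undefined-only "$1" 2>/dev/null | grep -c '_chk' || true
}

# Report whether the binary in $1 carries fortified references.
check_build() {
    n=$(fortified_refs "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n fortified libc references"
        return 0
    fi
    echo "$1: no fortified references; FORTIFY_SOURCE did not take effect" >&2
    return 1
}

# Usage (uncomment in the source tree):
# build_unzip && check_build ./unzip
```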