CVE-2012-1162 / -1163: Incorrect loop construct and numeric overflow in libzip

[Timo Warns <Warns () Pre-Sense DE>]

The following two issues in libzip have been handled via
distros () vs openwall org. Distros and the libzip developers were informed on
2012-03-12. An update of libzip has become available on 2012-03-20, the
appointed coordinated release date. The PHP and zipruby developers have been
informed before 2012-03-16, but have not released updates yet.

libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

    libzip (version <= 0.10) uses an incorrect loop construct, which can
    result in a heap overflow on corrupted zip files.
    
    On opening a zip file with zip_open, libzip reads in the number of
    directory entries in the function _zip_readcdir in zip_open.c:

    (192)    /* number of cdir-entries */
    (193)    nentry = _zip_read2(&cdp);

    Subsequently, memory for directory entries is allocated via
    _zip_cdir_new (in zip_dirent.c) based on the number of directory
    entries:

    (104)    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

    If the number of directories in the zip file is set to 0, 0 bytes of
    memory are allocated.

    _zip_readcdir finishes with reading in the directory entries in
    a posttest do-while loop:

    (260)    do {
    (261)        if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
             ...
    (277)    } while (i<cd->nentry && left > 0);

    If cd->entry points to 0 bytes of allocated memory, _zip_dirent
    writes beyond the allocated memory.

* CVE-2012-1163

    libzip (version <= 0.10) has a numeric overflow condition, which,
    for example, results in improper restrictions of operations within
    the bounds of a memory buffer (e.g., allowing information leaks).

    On opening a zip file with zip_open, libzip reads in the size and the
    offset of the central directory structure in the function _zip_readcdir
    in zip_open.c:

    (198)    cd->size = _zip_read4(&cdp);
    (199)    cd->offset = _zip_read4(&cdp);

    libzip performs a consistency check on these values, but does not
    anticipate an integer overflow:

    (203)    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

    On an integer overflow, libzip continues to handle the zip file, which,
    for example, can result in improper restriction of operations within the
    bounds of a memory buffer.

Cheers, Timo