oss-sec mailing list archives

CVE-2015-1315 - Info-ZIP UnZip - Out-of-bounds Write


From: William Robinet <william.robinet () conostix com>
Date: Tue, 17 Feb 2015 19:29:51 +0100

Dear oss-security list,

Here is an advisory [0] about a heap-based buffer overflow vulnerability
found in Info-ZIP "UnZip" [1].
This was discovered on Ubuntu 14.04.1 LTS (amd64) with package unzip
version 6.0-9ubuntu1.2 with the help of afl [2].
This vulnerability could possibly lead to arbitrary code execution.

The problem lies in the "unix/unix.c:charset_to_intern()" function which
is part of the 06-unzip60-alt-iconv-utf8 patch (Ubuntu reference [3]).
It can be triggered during string conversion from CP866 to UTF-8 for
which the destination buffer is not large enough.

The problematic code is present in:
- Info-ZIP beta/development release version 6.10b
- Ubuntu unzip package (see version numbers in advisory [0])
- FreeBSD archivers/unzip port (depending on the port configuration)

Timeline:
20150210 - Ubuntu contacted, CVE assigned, disclosure date defined
20150211 - FreeBSD & Upstream contacted
20150212 - Openwall distros mailing list notified
20150217 - Public disclosure

An updated iconv patch (received from Ubuntu) is available at [4].

William
(Please note I'm not a member of the list)


[0] http://www.conostix.com/pub/adv/CVE-2015-1315-Info-ZIP-unzip-Out-of-bounds_Write.txt
[1] http://www.info-zip.org/UnZip.html
[2] american fuzzy lop - http://lcamtuf.coredump.cx/afl/
[3] Ubuntu iconv patch:
    http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz
    file debian/patches/06-unzip60-alt-iconv-utf8
[4] http://www.conostix.com/pub/adv/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

-- 
GPG Key ID/Fingerprint:
    74C7A949/B509 4137 1353 A3FC 6A87  AA06 003F A3DF 74C7 A949

Conostix S.A.
4, Rue d'Arlon
L-8399 Windhof (Koerich)
T. +352 26 10 30 61
F. +352 26 10 30 62

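Editor's worked example of the bug class described above (CP866 to UTF-8 conversion into a destination sized from the input). This is added illustration code, not Info-ZIP's charset_to_intern() and not the Ubuntu iconv patch, both of which convert through iconv(3); the CP866 tables are the standard code-page mapping, and the "n+1" sizing in undersized_overrun() is a stand-in for an undersized destination, not a claim about what the original code allocated (advisory [0] has the specifics). Every CP866 byte maps to a BMP code point, so the worst case is three UTF-8 bytes per input byte: box-drawing and symbol bytes (0xB0-0xDF, most of 0xF0-0xFF) hit that maximum, Cyrillic letters need two.

```c
/* Editor's illustration, not Info-ZIP / Ubuntu patch code: why CP866 -> UTF-8
 * overruns a destination sized from the input, and a bounded converter that
 * refuses to do so (mirroring the E2BIG outcome an iconv() caller must handle). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard CP866 mapping. 0x80-0xAF and 0xE0-0xEF are contiguous Cyrillic runs,
 * 0xB0-0xDF are the CP437 box-drawing characters, 0xF0-0xFF are mixed. */
static const uint16_t cp866_b0_df[48] = {
    0x2591,0x2592,0x2593,0x2502,0x2524,0x2561,0x2562,0x2556,
    0x2555,0x2563,0x2551,0x2557,0x255D,0x255C,0x255B,0x2510,
    0x2514,0x2534,0x252C,0x251C,0x2500,0x253C,0x255E,0x255F,
    0x255A,0x2554,0x2569,0x2566,0x2560,0x2550,0x256C,0x2567,
    0x2568,0x2564,0x2565,0x2559,0x2558,0x2552,0x2553,0x256B,
    0x256A,0x2518,0x250C,0x2588,0x2584,0x258C,0x2590,0x2580 };
static const uint16_t cp866_f0_ff[16] = {
    0x0401,0x0451,0x0404,0x0454,0x0407,0x0457,0x040E,0x045E,
    0x00B0,0x2219,0x00B7,0x221A,0x2116,0x00A4,0x25A0,0x00A0 };

static uint32_t cp866_to_ucs(unsigned char b)
{
    if (b < 0x80) return b;                         /* ASCII unchanged */
    if (b <= 0xAF) return 0x0410 + (b - 0x80);      /* А .. п */
    if (b <= 0xDF) return cp866_b0_df[b - 0xB0];    /* box drawing */
    if (b <= 0xEF) return 0x0440 + (b - 0xE0);      /* р .. я */
    return cp866_f0_ff[b - 0xF0];
}

static size_t utf8_len(uint32_t cp)
{
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;      /* all CP866 targets are in the BMP */
}

/* No CP866 byte expands beyond 3 UTF-8 bytes, so 3*n+1 always suffices;
 * any smaller fixed multiple of n does not (see the tests below). */
#define CP866_UTF8_MAX_EXPANSION 3

/* Exact UTF-8 length (NUL excluded) of an n-byte CP866 string. */
size_t cp866_utf8_needed(const unsigned char *in, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += utf8_len(cp866_to_ucs(in[i]));
    return total;
}

/* Emit one code point if it fits in *avail bytes; -1 otherwise (like E2BIG). */
static int utf8_put(uint32_t cp, unsigned char **out, size_t *avail)
{
    size_t len = utf8_len(cp);
    unsigned char *o = *out;
    if (len > *avail) return -1;
    if (len == 1) {
        o[0] = (unsigned char)cp;
    } else if (len == 2) {
        o[0] = (unsigned char)(0xC0 | (cp >> 6));
        o[1] = (unsigned char)(0x80 | (cp & 0x3F));
    } else {
        o[0] = (unsigned char)(0xE0 | (cp >> 12));
        o[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        o[2] = (unsigned char)(0x80 | (cp & 0x3F));
    }
    *out += len;
    *avail -= len;
    return 0;
}

/* Bounded conversion into out[outsize]: returns bytes written (NUL excluded)
 * or (size_t)-1 if the buffer is too small; never writes past out + outsize. */
size_t cp866_to_utf8(const unsigned char *in, size_t n, char *out, size_t outsize)
{
    unsigned char *o = (unsigned char *)out;
    if (outsize == 0) return (size_t)-1;
    size_t avail = outsize - 1;                     /* reserve the terminator */
    for (size_t i = 0; i < n; i++) {
        if (utf8_put(cp866_to_ucs(in[i]), &o, &avail) != 0) {
            out[0] = '\0';
            return (size_t)-1;
        }
    }
    *o = '\0';
    return (size_t)(o - (unsigned char *)out);
}

/* The unsafe sizing pattern, a destination of n+1 bytes as if conversion kept
 * the length: instead of performing the overflow, report the overrun in bytes. */
size_t undersized_overrun(const unsigned char *in, size_t n)
{
    size_t need = cp866_utf8_needed(in, n) + 1;
    return need > n + 1 ? need - (n + 1) : 0;
}

/* Safe allocation: size the destination for the worst case up front. */
char *cp866_to_utf8_dup(const unsigned char *in, size_t n)
{
    if (n > (SIZE_MAX - 1) / CP866_UTF8_MAX_EXPANSION) return NULL;
    size_t cap = n * CP866_UTF8_MAX_EXPANSION + 1;
    char *out = malloc(cap);
    if (out == NULL) return NULL;
    if (cp866_to_utf8(in, n, out, cap) == (size_t)-1) { free(out); return NULL; }
    return out;
}

int main(void)
{
    /* Constructed CP866 entry names: "Отчёт.txt" (9 bytes) and "═══" (3 bytes). */
    const unsigned char name[] = "\x8E\xE2\xE7\xF1\xE2.txt";
    const unsigned char bars[] = "\xCD\xCD\xCD";
    char *u = cp866_to_utf8_dup(name, sizeof name - 1);
    printf("%s: needs %zu bytes, n+1 sizing overruns by %zu\n", u ? u : "?",
           cp866_utf8_needed(name, sizeof name - 1), undersized_overrun(name, sizeof name - 1));
    printf("3 box-drawing bytes: need %zu, n+1 sizing overruns by %zu\n",
           cp866_utf8_needed(bars, 3), undersized_overrun(bars, 3));
    free(u);
    return 0;
}
```

The practical check when reviewing an iconv-based converter is the same as in cp866_to_utf8(): the output buffer is either sized for the worst-case expansion of the source charset (for single-byte charsets to UTF-8, 3 bytes per input byte here, 4 for charsets with non-BMP targets), or the caller handles iconv() returning -1 with errno E2BIG by growing the buffer instead of assuming the output fit.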
