Re: SEC Consult SA-20180207-0 :: Multiple buffer overflow vulnerabilities in InfoZip UnZip

[Leo Famulari <leo () famulari name>]

On Thu, Feb 08, 2018 at 08:19:20AM +0100, SEC Consult Vulnerability Lab wrote:
> 1) Heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035)

[...]

> As already mentioned, modern compilers replace unsafe functions with
> safe alternatives as a defense in depth mechanism.
> This feature is called BOSC (Built-in object size checking) and is part
> of the FORTIFY_SOURCE=2 protection.
> The following link shows the source code (and vulnerability) inside
> the Ubuntu package:
> http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/trusty/unzip/trusty-updates/view/head:/fileio.c#L1593

If you are not sure how to pass flags to the compiler when building UnZip 6.0
(the Makefile does not respect CFLAGS), you should export them as LOCAL_UNZIP in
the build environment. Quoting 'unix/Makefile':

# LOCAL_UNZIP is an environment variable that can be used to add default C flags
# to your compile without editing the Makefile (e.g., -DDEBUG_STRUC, or -FPi87
# on PCs using Microsoft C).

It took me a little too long to figure that out...

Attachment: signature.asc
Description: