[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PRE-SA-2012-02] Incorrect loop construct and numeric overflow in libzip

PRE-CERT Security Advisory

* Advisory: PRE-SA-2012-02
* Released on: 21st March 2012
* Affected products: libzip <= 0.10
                     PHP 5.4.0
                     PHP <= 5.3.10
                     zipruby <= 0.3.6
* Impact: heap overflow, information leak
* Credit: - Thomas Klausner
          - Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2012-1162
                  - CVE-2012-1163


libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

    libzip (version <= 0.10) uses an incorrect loop construct, which can
    result in a heap overflow on corrupted zip files.
    On opening a zip file with zip_open, libzip reads in the number of
    directory entries in the function _zip_readcdir in zip_open.c:

    (192)    /* number of cdir-entries */
    (193)    nentry = _zip_read2(&cdp);

    Subsequently, memory for directory entries is allocated via
    _zip_cdir_new (in zip_dirent.c) based on the number of directory

    (104)    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

    If the number of directories in the zip file is set to 0, 0 bytes of
    memory are allocated.

    _zip_readcdir finishes with reading in the directory entries in
    a posttest do-while loop:

    (260)    do {
    (261)        if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
    (277)    } while (i<cd->nentry && left > 0);

    If cd->entry points to 0 bytes of allocated memory, _zip_dirent
    writes beyond the allocated memory.

* CVE-2012-1163

    libzip (version <= 0.10) has a numeric overflow condition, which,
    for example, results in improper restrictions of operations within
    the bounds of a memory buffer (e.g., allowing information leaks).

    On opening a zip file with zip_open, libzip reads in the size and the
    offset of the central directory structure in the function _zip_readcdir
    in zip_open.c:

    (198)    cd->size = _zip_read4(&cdp);
    (199)    cd->offset = _zip_read4(&cdp);

    libzip performs a consistency check on these values, but does not
    anticipate an integer overflow:

    (203)    if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

    On an integer overflow, libzip continues to handle the zip file, which,
    for example, can result in improper restriction of operations within the
    bounds of a memory buffer.


The issue was fixed in the following versions:
    libzip 0.10.1

The issue was not fixed in PHP and zipruby yet.


When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:



PRE-CERT can be reached under precert@xxxxxxxxxxxxxx For PGP key
information, refer to http://www.pre-cert.de/.