Internet Bug Bounty: CVE-2017-12858: Heap UAF in _zip_buffer_free() / Double free in _zip_dirent_read()

HackerOne report #260414 by geeknik, published 2017-08-15 16:29:42 (hackerone.com)
EPSS: 0.002 (Low), percentile 61.5%
libzip is a C library for reading, creating, and modifying zip archives. A partial list of projects using libzip includes: Plex Home Theater, MySQL Workbench, ckmame, fuse-zip, lua-zip, php zip extension, zipruby, Endeavour2, FreeDink, DeaDBeeF (vfs_zip plugin), OpenLierox, ebook-tools, PDF Expert, ReaddleDocs, simple basic C++ wrapper for libzip, libzip++ - safe and modern c++14 wrapper around libzip, Adobe (e.g., in Edge), PureBasic (ZipPacker), freebasic (ExtLibZip), Mercedes (S-Class), Kerkythea, G3D Innovation Engine, D’Fusion Studio, odt2tex - Libre/OpenOffice to LaTeX converter, Kobo eReader, Kchmviewer, Yubikey NEO CCID Manager C Library, Veracrypt, InstantZip, OpenRCT2 (RollerCoaster Tycoon 2 re-implementation)

  • Reported to the vendor on 9 June 2017 via email.
  • Fixed in their master code on 14 August 2017.
  • Vendor states it was a ‘Double Free’ in zip_dirent.c.
  • CVE requested on 14 August 2017.
  • CVE-2017-12858 assigned on 15 August 2017.

==19825==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ece1 at pc 0x0000004fbbe9 bp 0x7ffd4ed8f250 sp 0x7ffd4ed8f248
READ of size 1 at 0x60300000ece1 thread T0
    #0 0x4fbbe8 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:53:9
    #1 0x4ccdc5 in _zip_dirent_read /root/libzip/lib/zip_dirent.c:477:17
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287
    #11 0x4bf29c in _start (/root/libzip/src/zipcmp+0x4bf29c)

0x60300000ece1 is located 1 bytes inside of 32-byte region [0x60300000ece0,0x60300000ed00)
freed by thread T0 here:
    #0 0x4a199b in free (/root/libzip/src/zipcmp+0x4a199b)
    #1 0x4fbbc0 in _zip_buffer_free /root/libzip/lib/zip_buffer.c:57:5
    #2 0x4dd766 in _zip_checkcons /root/libzip/lib/zip_open.c:469:6
    #3 0x4dc511 in _zip_find_central_dir /root/libzip/lib/zip_open.c:612:28
    #4 0x4dc511 in _zip_open /root/libzip/lib/zip_open.c:194
    #5 0x4da5d7 in zip_open_from_source /root/libzip/lib/zip_open.c:148:11
    #6 0x4d9a10 in zip_open /root/libzip/lib/zip_open.c:74:15
    #7 0x4bfa32 in list_zip /root/libzip/src/zipcmp.c:396:13
    #8 0x4bfa32 in compare_zip /root/libzip/src/zipcmp.c:225
    #9 0x4bfa32 in main /root/libzip/src/zipcmp.c:193
    #10 0x7fab6f292b44 in __libc_start_main /build/glibc-KShDyh/glibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4a1c1b in __interceptor_malloc (/root/libzip/src/zipcmp+0x4a1c1b)
    #1 0x4fd07b in _zip_buffer_new /root/libzip/lib/zip_buffer.c:168:35
    #2 0x4fd07b in _zip_buffer_new_from_source /root/libzip/lib/zip_buffer.c:190
    #3 0x514487 in _fini (/root/libzip/src/zipcmp+0x514487)

SUMMARY: AddressSanitizer: heap-use-after-free /root/libzip/lib/zip_buffer.c:53 _zip_buffer_free
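The two stacks above describe one buffer released twice: it is freed once through _zip_buffer_free with _zip_checkcons (zip_open.c:469) as the caller, and then handed to _zip_buffer_free a second time from _zip_dirent_read (zip_dirent.c:477), which reads the already-freed struct (zip_buffer.c:53) on its way to freeing it again. The program below is an added illustration of that ownership mistake and of the fix pattern; it is not libzip's code. The record layout, the pool allocator, and the function names (read_entry_buggy, read_entry_fixed, check_with) are all constructed for the example. Buffers come from a static pool with an in-use flag rather than the heap, so the second free is counted instead of corrupting the allocator and the program runs deterministically without a sanitizer.

```c
/* Constructed example, not libzip code: a record reader that either uses a
 * buffer handed in by its caller or allocates its own, and what happens on
 * the error path depending on whether it tracks which case it is in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4
#define BUF_CAP   64

typedef struct {
    uint8_t data[BUF_CAP];
    size_t  len;      /* bytes of valid data */
    size_t  off;      /* read cursor */
    int     in_use;   /* 0 once freed; a free while 0 is a double free */
} buffer_t;

static buffer_t pool[POOL_SIZE];
static int double_frees;          /* instrumentation: second frees seen */

static buffer_t *buffer_new(const uint8_t *src, size_t len) {
    if (len > BUF_CAP) return NULL;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            memcpy(pool[i].data, src, len);
            pool[i].len = len;
            pool[i].off = 0;
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

static void buffer_free(buffer_t *b) {
    if (b == NULL) return;
    if (!b->in_use) { double_frees++; return; }  /* with a real heap: UAF/double free */
    b->in_use = 0;
}

static int pool_in_use_count(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool[i].in_use;
    return n;
}

/* Little-endian u32 read; fails when fewer than 4 bytes remain. */
static int buffer_get_u32(buffer_t *b, uint32_t *out) {
    if (b->len - b->off < 4) return -1;
    const uint8_t *p = b->data + b->off;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    b->off += 4;
    return 0;
}

/* Toy record: 4-byte signature followed by a 4-byte payload length. */
#define ENTRY_MAGIC 0x02014b50u   /* "PK\1\2", the central-directory header signature */
typedef struct { uint32_t magic; uint32_t size; } entry_t;

/* Buggy reader: remembers ownership on the success path but frees
 * unconditionally on the error path, so a caller-owned buffer is freed
 * here and again by the caller. */
static int read_entry_buggy(entry_t *e, buffer_t *buffer, const uint8_t *src, size_t len) {
    int owned = (buffer == NULL);
    if (owned && (buffer = buffer_new(src, len)) == NULL) return -1;
    if (buffer_get_u32(buffer, &e->magic) < 0 || e->magic != ENTRY_MAGIC ||
        buffer_get_u32(buffer, &e->size) < 0) {
        buffer_free(buffer);                  /* BUG: may be the caller's buffer */
        return -1;
    }
    if (owned) buffer_free(buffer);
    return 0;
}

/* Fixed reader: only ever frees a buffer it allocated itself. */
static int read_entry_fixed(entry_t *e, buffer_t *buffer, const uint8_t *src, size_t len) {
    int owned = (buffer == NULL);
    if (owned && (buffer = buffer_new(src, len)) == NULL) return -1;
    if (buffer_get_u32(buffer, &e->magic) < 0 || e->magic != ENTRY_MAGIC ||
        buffer_get_u32(buffer, &e->size) < 0) {
        if (owned) buffer_free(buffer);       /* caller keeps responsibility for its own */
        return -1;
    }
    if (owned) buffer_free(buffer);
    return 0;
}

/* Plays the role of the outer caller in the trace: it allocates the
 * buffer, passes it down, and frees it afterwards no matter what. */
typedef int (*reader_fn)(entry_t *, buffer_t *, const uint8_t *, size_t);
static int check_with(reader_fn reader, const uint8_t *src, size_t len) {
    entry_t e;
    buffer_t *b = buffer_new(src, len);
    if (b == NULL) return -1;
    int rc = reader(&e, b, NULL, 0);
    buffer_free(b);
    return rc;
}

/* Self-allocating use of the fixed reader; returns the size field or -1. */
static long read_entry_size(const uint8_t *src, size_t len) {
    entry_t e;
    if (read_entry_fixed(&e, NULL, src, len) < 0) return -1;
    return (long)e.size;
}

/* Constructed inputs: a complete record, and one truncated after the signature. */
static const uint8_t GOOD[]      = { 0x50, 0x4b, 0x01, 0x02, 0x10, 0x00, 0x00, 0x00 };
static const uint8_t TRUNCATED[] = { 0x50, 0x4b, 0x01, 0x02, 0x10, 0x00 };

int main(void) {
    double_frees = 0;
    check_with(read_entry_buggy, TRUNCATED, sizeof TRUNCATED);
    printf("buggy reader, truncated input: double frees = %d\n", double_frees);
    double_frees = 0;
    check_with(read_entry_fixed, TRUNCATED, sizeof TRUNCATED);
    printf("fixed reader, truncated input: double frees = %d\n", double_frees);
    printf("fixed reader, good input: size = %ld\n", read_entry_size(GOOD, sizeof GOOD));
    return 0;
}
```

The pattern to look for when auditing similar code is a function with an "allocate if not given" prologue and more than one early return: every exit has to agree with the prologue about who frees. Building the library with -fsanitize=address and running its own tools (the trace above came from zipcmp) turns the second free into the report shown rather than silent heap corruption.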