fix for CVE-2010-0001, gzip-1.4 to be released shortly
From: Jim Meyering
Subject: fix for CVE-2010-0001, gzip-1.4 to be released shortly
Date: Wed, 20 Jan 2010 17:01:31 +0100
Here's the patch for CVE-2010-0001,
along with a test to exercise the offending code.
I expect to release gzip-1.4 within the next few hours.
From a3db5806d012082b9e25cc36d09f19cd736a468f Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Sun, 10 Jan 2010 17:13:01 +0100
Subject: [PATCH 1/2] gzip -d: do not clobber stack for valid input on x86_64
* unlzw.c (unlzw): Avoid integer overflow.
Aki Helin reported the segfault along with an input to trigger the bug.
* NEWS (Bug fixes): Mention it.
---
NEWS | 5 +++++
THANKS | 1 +
unlzw.c | 3 ++-
3 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/NEWS b/NEWS
index 3e50762..747253f 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,11 @@ GNU gzip NEWS -*- outline
-*-
** Bug fixes
+ gzip -d could segfault and/or clobber the stack, possibly leading to
+ arbitrary code execution. This affects x86_64 but not 32-bit systems.
+ This fixes CVE-2010-0001.
+ For more details, see http://bugzilla.redhat.com/554418
+
gzip -d would fail with a CRC error for some valid inputs.
So far, the only valid input known to exhibit this failure was
compressed "from FAT filesystem (MS-DOS, OS/2, NT)". In addition,
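Review bot: the NEWS entry never says which input format reaches the bug; since the fix lives in unlzw.c, state that it is triggered while decompressing LZW (compress-format, .Z) data, so users who only handle gzip-format streams can judge their exposure, and keep the x86_64-only qualifier next to that.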
diff --git a/THANKS b/THANKS
index 4725543..183d39c 100644
--- a/THANKS
+++ b/THANKS
@@ -97,6 +97,7 @@ Harald Hanche-Olsen address@hidden
Darrel R. Hankerson address@hidden
Mark Hanning-Lee address@hidden
Lars Hecking address@hidden
+Aki Helin address@hidden
Ruediger Helsch address@hidden
Mark C. Henderson address@hidden
Karl Heuer address@hidden
diff --git a/unlzw.c b/unlzw.c
index fb9ff76..8f8cbee 100644
--- a/unlzw.c
+++ b/unlzw.c
@@ -240,7 +240,8 @@ int unlzw(in, out)
int o;
resetbuf:
- e = insize-(o = (posbits>>3));
+ o = posbits >> 3;
+ e = o <= insize ? insize - o : 0;
for (i = 0 ; i < e ; ++i) {
inbuf[i] = inbuf[i+o];
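Review bot: the new clamp `e = o <= insize ? insize - o : 0;` needs a comment explaining what it prevents: when `o` (`posbits >> 3`) exceeds `insize`, the old `e = insize-(o = (posbits>>3));` underflowed (going negative or wrapping, depending on the type of `e`, which this hunk does not show) and the copy loop `for (i = 0 ; i < e ; ++i) inbuf[i] = inbuf[i+o];` ran with a bogus bound, which is presumably the stack clobber named in the subject. The ChangeLog line calls this an integer overflow; since it is the subtraction that underflows, say so, and note how a stream can push `posbits` past `insize * 8` so a future maintainer does not remove the guard as dead code. Also confirm that `insize` and `int o` have compatible signedness so `o <= insize` is not silently evaluated as an unsigned comparison.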
--
1.6.6.516.gb72f
From 3da56715dbc74c84b793f018a87e10992172f634 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Mon, 11 Jan 2010 08:20:52 +0100
Subject: [PATCH 2/2] tests: exercise the segfault fix
* tests/helin-segv: New test.
* Makefile.am (TESTS): Add it.
---
Makefile.am | 1 +
tests/helin-segv | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 0 deletions(-)
create mode 100755 tests/helin-segv
diff --git a/Makefile.am b/Makefile.am
index 67dc18b..ac95615 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -104,6 +104,7 @@ check-local: $(FILES_TO_CHECK) $(bin_PROGRAMS) gzip.doc.gz
@echo 'Test succeeded.'
TESTS = \
+ tests/helin-segv \
tests/memcpy-abuse \
tests/trailing-nul \
tests/zdiff \
diff --git a/tests/helin-segv b/tests/helin-segv
new file mode 100755
index 0000000..d6b14f6
--- /dev/null
+++ b/tests/helin-segv
@@ -0,0 +1,37 @@
+#!/bin/sh
+# Before gzip-1.4, gzip -d would segfault on some inputs.
+
+# Copyright (C) 2010 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# limit so don't run it by default.
+
+if test "$VERBOSE" = yes; then
+ set -x
+ gzip --version
+fi
+
+: ${srcdir=.}
+. "$srcdir/tests/init.sh"; path_prepend_ .
+
+# This test case was provided by Aki Helin.
+printf '\037\235\220\0\0\0\304' > helin.gz || framework_failure
+printf '\0\0' > exp || framework_failure
+
+fail=0
+
+gzip -dc helin.gz > out || fail=1
+compare out exp || fail=1
+
+Exit $fail
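Review bot: the line `# limit so don't run it by default.` at the end of the licence block is an orphaned fragment (the sentence it belongs to is missing) and contradicts the Makefile.am hunk, which adds the script to TESTS so it does run by default; drop it or restore the full sentence. The rest is sound: `exp` pins the expected two NUL bytes and `fail=1` is set on either a nonzero exit from `gzip -dc` or an output mismatch, so a recurrence of the segfault or of the bad copy bound surfaces as a test failure. One small point: the `\037\235` magic is the compress (LZW) format that unlzw.c handles, so naming the fixture `helin.Z` rather than `helin.gz` would be less misleading; gzip selects the decompressor from the magic either way.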
--
1.6.6.516.gb72f