Executive Summary

Summary
Title: UnZip: User-assisted execution of arbitrary code
Information
Name: GLSA-200804-06
First vendor Publication: 2008-04-06
Vendor: Gentoo
Last vendor Modification: 2008-04-06
Severity (Vendor): Normal
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 9.3
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

Synopsis

A double free vulnerability discovered in UnZip might lead to the execution of arbitrary code.

Background

Info-ZIP's UnZip is a tool to list and extract files inside PKZIP compressed files.

Description

Tavis Ormandy of the Google Security Team discovered that the NEEDBITS macro in the inflate_dynamic() function in the file inflate.c can be invoked using invalid buffers, which can lead to a double free.

Impact

Remote attackers could entice a user or automated system to open a specially crafted ZIP file that might lead to the execution of arbitrary code or a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All UnZip users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/unzip-5.52-r2"

References

[ 1 ] CVE-2008-0888 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0888

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200804-06.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200804-06.xml

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17758
 
Oval ID: oval:org.mitre.oval:def:17758
Title: USN-589-1 -- unzip vulnerability
Description: Tavis Ormandy discovered that unzip did not correctly clean up pointers.
Family: unix Class: patch
Reference(s): USN-589-1
CVE-2008-0888
Version: 7
Platform(s): Ubuntu 6.06
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10
Product(s): unzip
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20339
 
Oval ID: oval:org.mitre.oval:def:20339
Title: DSA-1522-1 unzip - potential code execution
Description: Tavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution (CVE-2008-0888).
Family: unix Class: patch
Reference(s): DSA-1522-1
CVE-2008-0888
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): unzip
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8229
 
Oval ID: oval:org.mitre.oval:def:8229
Title: DSA-1522 unzip -- programming error
Description: Tavis Ormandy discovered that unzip, when processing specially crafted ZIP archives, could pass invalid pointers to the C library's free routine, potentially leading to arbitrary code execution (CVE-2008-0888).
Family: unix Class: patch
Reference(s): DSA-1522
CVE-2008-0888
Version: 3
Platform(s): Debian GNU/Linux 4.0
Debian GNU/Linux 3.1
Product(s): unzip
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9733
 
Oval ID: oval:org.mitre.oval:def:9733
Title: The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
Description: The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data.
Family: unix Class: vulnerability
Reference(s): CVE-2008-0888
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 1

OpenVAS Exploits

Date Description
2010-05-12 Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002
File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl
2009-04-09 Name : Mandriva Update for unzip MDVSA-2008:068 (unzip)
File : nvt/gb_mandriva_MDVSA_2008_068.nasl
2009-03-23 Name : Ubuntu Update for unzip vulnerability USN-589-1
File : nvt/gb_ubuntu_USN_589_1.nasl
2009-03-06 Name : RedHat Update for unzip RHSA-2008:0196-01
File : nvt/gb_RHSA-2008_0196-01_unzip.nasl
2009-02-27 Name : CentOS Update for unzip CESA-2008:0196-01 centos2 i386
File : nvt/gb_CESA-2008_0196-01_unzip_centos2_i386.nasl
2009-02-27 Name : CentOS Update for unzip CESA-2008:0196 centos3 i386
File : nvt/gb_CESA-2008_0196_unzip_centos3_i386.nasl
2009-02-27 Name : CentOS Update for unzip CESA-2008:0196 centos3 x86_64
File : nvt/gb_CESA-2008_0196_unzip_centos3_x86_64.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200804-06 (unzip)
File : nvt/glsa_200804_06.nasl
2008-03-19 Name : Debian Security Advisory DSA 1522-1 (unzip)
File : nvt/deb_1522_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
43332 UnZip inflate.c inflate_dynamic() Function NEEDBITS Macro Unspecified Code Ex...

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2008-0196.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing a security update.
File : sl_20080318_unzip_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2010-03-29 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO
2009-07-27 Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2008-0009.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2008-068.nasl - Type : ACT_GATHER_INFO
2008-04-11 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200804-06.nasl - Type : ACT_GATHER_INFO
2008-03-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1522.nasl - Type : ACT_GATHER_INFO
2008-03-21 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-589-1.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2008-0196.nasl - Type : ACT_GATHER_INFO
2008-03-19 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2008-0196.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 11:35:43
  • Multiple Updates