[Info-vax] unzip vulnerability with password-protected zip archives
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Feb 8 13:08:02 EST 2018
"InfoZip's UnZip suffers from a heap-based buffer overflow when
uncompressing password protected ZIP archives. An attacker can exploit
this vulnerability to overwrite heap chunks to get arbitrary code
execution on the target system.
For newer builds the risk for this vulnerability is partially mitigated
because modern compilers automatically replace unsafe functions with
length checking variants of the same function (for example sprintf gets
replaced by sprintf_chk). This is done by the compiler at locations
where the length of the destination buffer can be calculated."
Note: The OpenVMS C compiler does not perform this mitigation, and
likely won't prior to the migration to clang/LLVM tool chain and
related VSI updates.
"Versions before and including 6.10 / 6.1c22 of InfoZip's Unzip have
been found to be vulnerable. Version 6.0 was the latest major release
at the time the security vulnerabilities were discovered. The next beta
version is 6.1c22 which has been tested as well."
CVE-2018-1000031,CVE-2018-1000032,CVE-2018-1000033,
CVE-2018-1000034,CVE-2018-1000035
https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
This case is fairly typical of the sorts of vulnerabilities that can
and variously do affect folks using OpenVMS, but that aren't reflected
in the CVE counts and related metrics. Which is part of why I'm
exceedingly skeptical around the validity of CVE count comparisons.
That's also entirely irrespective of the fact that zip and unzip should
have been in the base OpenVMS distro decades ago, too.
--
Pure Personal Opinion | HoffmanLabs LLC
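The quoted advisory's point is that the compiler-inserted length checks (the _chk variants) only apply where the destination size is known at compile time, and the note above says the OpenVMS C compiler does not insert them at all. The added example below is not from the advisory or from the UnZip sources; it shows the two bounded-write patterns that do not depend on that mitigation, using constructed inputs and hypothetical function names: formatting into a caller-sized buffer with truncation detection, and measuring the output first so the heap allocation is exactly large enough.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format "name (size bytes)" into dst, which holds dst_len bytes.
   Returns 0 when the full text fit, -1 when it was truncated or on error.
   The caller passes the size explicitly, so the bound holds whether or
   not the compiler rewrites sprintf into a checked variant. */
int format_bounded(char *dst, size_t dst_len, const char *name, unsigned long size)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    int n = snprintf(dst, dst_len, "%s (%lu bytes)", name, size);
    if (n < 0) {
        dst[0] = '\0';          /* encoding error: leave an empty string */
        return -1;
    }
    /* snprintf reports the length the full output needs; if that is not
       smaller than dst_len, the output was cut and NUL-terminated. */
    return ((size_t)n < dst_len) ? 0 : -1;
}

/* Heap variant: measure first, then allocate exactly what is needed.
   A heap chunk sized by guesswork is what an unchecked sprintf overruns,
   and the compiler cannot size-check a buffer it only sees via a pointer. */
char *format_alloc(const char *name, unsigned long size)
{
    int n = snprintf(NULL, 0, "%s (%lu bytes)", name, size);
    if (n < 0)
        return NULL;
    size_t need = (size_t)n + 1;         /* room for the terminating NUL */
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, "%s (%lu bytes)", name, size);
    return buf;
}

int main(void)
{
    char small[16];                      /* constructed, deliberately tight */
    printf("fit=%d [%s]\n", format_bounded(small, sizeof small, "a.txt", 5), small);
    printf("fit=%d [%s]\n", format_bounded(small, sizeof small, "longername.txt", 5), small);
    char *p = format_alloc("longername.txt", 12345);
    if (p) { printf("[%s]\n", p); free(p); }
    return 0;
}
```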