[PRE-SA-2012-02] Incorrect loop construct and numeric overflow in libzip Mar 27 2012 07:34AM
Timo Warns (Warns Pre-Sense DE)
PRE-CERT Security Advisory

* Advisory: PRE-SA-2012-02
* Released on: 21st March 2012
* Affected products: libzip <= 0.10
PHP 5.4.0
PHP <= 5.3.10
zipruby <= 0.3.6
* Impact: heap overflow, information leak
* Credit: - Thomas Klausner
- Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2012-1162
- CVE-2012-1163


libzip (version <= 0.10) has two vulnerabilities that may lead to a heap
overflow or an information leak via corrupted zip files. PHP (versions
5.4.0 and <= 5.3.10) and the Ruby binding zipruby (version <= 0.3.6) are
also affected as they include copies of affected libzip versions.

* CVE-2012-1162

libzip (version <= 0.10) uses an incorrect loop construct, which can
result in a heap overflow on corrupted zip files.

On opening a zip file with zip_open, libzip reads in the number of
directory entries in the function _zip_readcdir in zip_open.c:

(192) /* number of cdir-entries */
(193) nentry = _zip_read2(&cdp);

Subsequently, memory for directory entries is allocated via
_zip_cdir_new (in zip_dirent.c) based on the number of directory

(104) if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))

If the number of directories in the zip file is set to 0, 0 bytes of
memory are allocated.

_zip_readcdir finishes with reading in the directory entries in
a posttest do-while loop:

(260) do {
(261) if ((_zip_dirent_read(cd->entry+i, fp, bufp, &left, 0, error)) < 0) {
(277) } while (i<cd->nentry && left > 0);

If cd->entry points to 0 bytes of allocated memory, _zip_dirent
writes beyond the allocated memory.

* CVE-2012-1163

libzip (version <= 0.10) has a numeric overflow condition, which,
for example, results in improper restrictions of operations within
the bounds of a memory buffer (e.g., allowing information leaks).

On opening a zip file with zip_open, libzip reads in the size and the
offset of the central directory structure in the function _zip_readcdir
in zip_open.c:

(198) cd->size = _zip_read4(&cdp);
(199) cd->offset = _zip_read4(&cdp);

libzip performs a consistency check on these values, but does not
anticipate an integer overflow:

(203) if (cd->offset+cd->size > buf_offset + (eocd-buf)) {

On an integer overflow, libzip continues to handle the zip file, which,
for example, can result in improper restriction of operations within the
bounds of a memory buffer.


The issue was fixed in the following versions:

libzip 0.10.1

The issue was not fixed in PHP and zipruby yet.


When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:



PRE-CERT can be reached under precert (at) pre-secure (dot) de. [email concealed] For PGP key
information, refer to http://www.pre-cert.de/.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus