Bug 422118 (cpni-zip)

Crash reading malformed zip [@nsZipArchive::BuildFileList]

Status: RESOLVED FIXED
Product: Core
Component: Networking: JAR
Priority: P2
Severity: normal
Reported: 9 years ago
Modified: 6 years ago

People

Reporter: dveditz
Assignee: dveditz

Tracking

Blocks: 1 bug
Keywords: crash, testcase, verified1.8.1.15
Version: unspecified
Platform: x86, Windows XP
Points: ---
Bug Flags:
  blocking1.9 ?
  blocking1.8.1.15 +
  wanted1.8.1.x +
  in-testsuite ?
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:nse dos] test URIs in comment 5 and 8
Crash Signature: [@nsZipArchive::BuildFileList]

Attachments: 6 attachments, 1 obsolete attachment
Description (Assignee)

9 years ago

Malformed zip directories can crash us. It appears safe: we read outside our buffer and die with an access violation, but in order to snoop on data in other owned buffers it would have to match up exactly with a ZIP "central directory" structure, which is extremely unlikely.
Comment 1

Created attachment 308642 [details]
zip file that seems to crash

This seems to be a zip file that seems to crash Mozilla when trying to open it.

Comment 2

Created attachment 308643 [details]
script used to open the zip file

I used this script to open the zip file.

Updated

9 years ago
Keywords: testcase
Comment 3 (Assignee)

9 years ago
Martijn's crash: bp-45371582-ef91-11dc-91a2-001a4bd46e84

I think that's probably the same as mine because my patched version doesn't crash on it, but a stock FF does.

You don't need to go through the rigmarole of your script, though; it's enough to simply open the jar:
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=308642!/
(requires setting network.jar.open-unsafe-types to true, or changing the type of the attachment to application/java-archive, which I'll do for the bug)
Updated (Assignee)

9 years ago
Attachment #308642 - Attachment mime type: application/zip → application/java-archive
Comment 4 (Assignee)

9 years ago
Created attachment 308664 [details]
invalid (overlong) extralen and commentlen
Comment 5 (Assignee)

9 years ago
testcase: in address bar enter
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=308664!/
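An added illustration of the bounds check this class of bug calls for, written for this page and not taken from Mozilla's nsZipArchive or from the patches attached to this bug: a minimal central-directory walker in C that compares the name, extra-field and comment lengths of every record against the bytes actually remaining before it advances, so a record with an overlong extralen or commentlen (the attachment in comment 4) is rejected instead of read past the end of the buffer, which is the out-of-bounds read the description explains. Field offsets follow the ZIP application note. The archive is a constructed sample built inline; the check that each entry's local header and compressed data also lie inside the archive image goes beyond what this bug describes and is an assumption of this example, as is the assumption that the archive carries no trailing comment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LOCAL_SIG   0x04034b50u
#define CDIR_SIG    0x02014b50u
#define EOCD_SIG    0x06054b50u
#define LOCAL_FIXED 30u   /* fixed part of a local file header */
#define CDIR_FIXED  46u   /* fixed part of a central-directory record */
#define EOCD_LEN    22u   /* end-of-central-directory record, no archive comment */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

typedef struct { uint32_t comp_size, local_off; size_t record_len; } cdir_entry;

/* Parse one central-directory record at buf[off]. Each length taken from the
 * file is compared with the bytes that actually remain before it is trusted;
 * skipping that comparison is what lets a crafted extralen/commentlen walk
 * the parser off the end of the buffer. */
static int parse_cdir_entry(const uint8_t *buf, size_t len, size_t off, cdir_entry *e)
{
    if (off > len || len - off < CDIR_FIXED) return -1;   /* fixed part truncated */
    const uint8_t *p = buf + off;
    if (rd32(p) != CDIR_SIG) return -1;                   /* not a directory record */
    e->comp_size = rd32(p + 20);
    /* name, extra field and comment lengths: three uint16s, summed in size_t */
    size_t var = (size_t)rd16(p + 28) + rd16(p + 30) + rd16(p + 32);
    if (var > len - off - CDIR_FIXED) return -1;          /* overlong extralen/commentlen */
    e->record_len = CDIR_FIXED + var;
    e->local_off = rd32(p + 42);
    /* Assumed extra check, beyond what the bug describes: the local header and
     * its compressed data must also lie inside the archive image. */
    if ((uint64_t)e->local_off + LOCAL_FIXED + e->comp_size > len) return -1;
    return 0;
}

/* Locate the end-of-central-directory record and walk every entry it announces.
 * Returns the entry count, or -1 if the directory is truncated or malformed. */
int zip_count_entries(const uint8_t *buf, size_t len)
{
    if (len < EOCD_LEN) return -1;
    const uint8_t *eocd = buf + len - EOCD_LEN;           /* assumes no trailing comment */
    if (rd32(eocd) != EOCD_SIG) return -1;
    uint16_t expected = rd16(eocd + 10);                  /* total entries */
    size_t off = rd32(eocd + 16);                         /* offset of first record */
    cdir_entry e;
    for (uint16_t n = 0; n < expected; n++) {
        if (parse_cdir_entry(buf, len, off, &e) != 0) return -1;
        off += e.record_len;                              /* bounded by the check above */
    }
    return expected;
}

/* Constructed sample: a one-entry stored archive ("a.txt" holding "hello").
 * `extra_len` is written into the central-directory record without emitting
 * any extra-field bytes, so a non-zero value yields an overlong field. */
size_t build_sample(uint8_t out[128], uint16_t extra_len)
{
    static const char name[] = "a.txt", data[] = "hello";
    const size_t nl = 5, dl = 5;
    memset(out, 0, 128);
    wr32(out, LOCAL_SIG); wr16(out + 4, 20);              /* version needed; method 0 = stored */
    wr32(out + 18, (uint32_t)dl); wr32(out + 22, (uint32_t)dl);
    wr16(out + 26, (uint16_t)nl);                         /* name len; local extra len stays 0 */
    memcpy(out + LOCAL_FIXED, name, nl); memcpy(out + LOCAL_FIXED + nl, data, dl);
    size_t cdir = LOCAL_FIXED + nl + dl, p = cdir;
    wr32(out + p, CDIR_SIG); wr16(out + p + 4, 20); wr16(out + p + 6, 20);
    wr32(out + p + 20, (uint32_t)dl); wr32(out + p + 24, (uint32_t)dl);
    wr16(out + p + 28, (uint16_t)nl); wr16(out + p + 30, extra_len); /* comment len 0 */
    wr32(out + p + 42, 0);                                /* local header at offset 0 */
    memcpy(out + p + CDIR_FIXED, name, nl);
    p += CDIR_FIXED + nl;
    wr32(out + p, EOCD_SIG); wr16(out + p + 8, 1); wr16(out + p + 10, 1);
    wr32(out + p + 12, (uint32_t)(p - cdir)); wr32(out + p + 16, (uint32_t)cdir);
    return p + EOCD_LEN;
}

/* Build a sample with the given extralen and run the walker over it. */
int check_sample(uint16_t extra_len)
{
    uint8_t buf[128];
    return zip_count_entries(buf, build_sample(buf, extra_len));
}

/* Same archive cut one byte short, so the EOCD record is no longer where expected. */
int check_truncated(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, 0);
    return zip_count_entries(buf, n - 1);
}

int main(void)
{
    printf("well-formed: %d\n", check_sample(0));          /* 1 */
    printf("extralen 0x7fff: %d\n", check_sample(0x7fff)); /* -1 */
    printf("truncated: %d\n", check_truncated());           /* -1 */
    return 0;
}
```

The important line is the comparison of `var` against `len - off - CDIR_FIXED`: the three lengths are summed in a type wide enough not to wrap and then compared against what is left of the buffer, rather than being added to the cursor first and checked afterwards. A parser that advances the cursor by the declared lengths and only then tests `off < len` has already computed a pointer past the end and will typically have read the next signature through it.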
Comment 6 (Assignee)

9 years ago
Created attachment 308672 [details] [diff] [review]
patch WIP (1.8 branch version)

This fixes the above testcases but "work in progress" because there are other crashes in this testsuite covered by this bug.
Comment 7 (Assignee)

9 years ago
Created attachment 309512 [details]
testcase2

Second testcase: trying to view "!/fakerealsize.txt" will crash 1.8. Doesn't seem to crash trunk, though.
Comment 8 (Assignee)

9 years ago
That is, the testcase URL is
  jar:https://bugzilla.mozilla.org/attachment.cgi?id=309512!/fakerealsize.txt
Comment 9 (Assignee)

9 years ago
Created attachment 309575 [details] [diff] [review]
Fix both problems (1.8 branch)
Attachment #308672 - Attachment is obsolete: true
Attachment #309575 - Flags: superreview?(bzbarsky)
Attachment #309575 - Flags: review?(cbiesinger)
Comment 10 (Assignee)

9 years ago
Created attachment 309577 [details] [diff] [review]
same for trunk
Attachment #309577 - Flags: superreview?(bzbarsky)
Attachment #309577 - Flags: review?(cbiesinger)
Updated (Assignee)

9 years ago
Whiteboard: [sg:nse dos
Attachment #309577 - Flags: superreview?(bzbarsky) → superreview+
Attachment #309575 - Flags: superreview?(bzbarsky) → superreview+
Comment 11 (Assignee)

9 years ago
Requesting blocking FF3 -- CPNI is going to release their testsuite and it would be nicer to say "we don't crash" than to have to explain "trust us, they're safe crashes".
Flags: wanted1.8.1.x+
Flags: blocking1.9?
Flags: blocking1.8.1.14?
Whiteboard: [sg:nse dos → [sg:nse dos]
Comment 12 (Assignee)

9 years ago
The advisory has been released
https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html
Updated (Assignee)

9 years ago
Group: security
Flags: in-testsuite?
Attachment #309575 - Flags: review?(cbiesinger) → review+
Attachment #309577 - Flags: review?(cbiesinger) → review+
Updated (Assignee)

9 years ago
Attachment #309577 - Flags: approval1.9?
Updated (Assignee)

9 years ago
Attachment #309575 - Flags: approval1.8.1.14?

Updated

9 years ago
Attachment #309577 - Flags: approval1.9? → approval1.9+
Comment 13 (Assignee)

9 years ago
Fix checked in on trunk
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Updated (Assignee)

9 years ago
Flags: blocking1.8.1.14? → blocking1.8.1.14+
Comment 14 (Assignee)

9 years ago
Comment on attachment 309575 [details] [diff] [review]
Fix both problems (1.8 branch)

approved for 1.8.1.14, a=dveditz for release-drivers
Attachment #309575 - Flags: approval1.8.1.14? → approval1.8.1.14+

Updated

9 years ago
Blocks: 413380
Updated (Assignee)

9 years ago
Whiteboard: [sg:nse dos] → [sg:nse dos] test URIs in comment 5 and 8
Updated (Assignee)

9 years ago
Keywords: fixed1.8.1.15

Comment 15

Verified fixed for 1.8 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre.
Keywords: fixed1.8.1.15 → verified1.8.1.15
Crash Signature: [@nsZipArchive::BuildFileList]