GNU bug report logs - #78639
Uninitialised read in check_zipfile() (gzip 1.14)


Package: gzip;

Reported by: Zephyr official <zephyrofficialdiscord <at> gmail.com>

Date: Fri, 30 May 2025 03:59:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

To reply to this bug, email your comments to 78639 AT debbugs.gnu.org.
There is no need to reopen the bug first.



Report forwarded to bug-gzip <at> gnu.org:
bug#78639; Package gzip. (Fri, 30 May 2025 03:59:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Zephyr official <zephyrofficialdiscord <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Fri, 30 May 2025 03:59:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Zephyr official <zephyrofficialdiscord <at> gmail.com>
To: bug-gzip <at> gnu.org
Subject: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 01:25:14 +0100
[Message part 1 (text/plain, inline)]
Hi gzip maintainers,

An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).

Reproduction (on 1.14, Linux x86-64, gcc 13.3):

    printf '%s' \
      504B0304 1400 0000 0000 0000 0000 00000000 \
      01000000 01000000           | xxd -r -p > poc.zip

    valgrind --track-origins=yes ./gzip -tv poc.zip
    # conditional jump depends on uninitialised value(s) in check_zipfile()

Minimal fix:

--- a/unzip.c
+++ b/unzip.c
@@
     uch *h = inbuf + inptr;
+    if (insize - inptr < LOCHDR)          /* need full header */
+        goto bad_zip;
     inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
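Review bot: `bad_zip` is not defined anywhere in this hunk, so as posted the patch does not show where a short header is routed; the label (or the error return it stands for) needs to be part of the diff. The new test also only covers the fixed 30-byte part of the header: the unchanged `inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT)` that follows still adds two attacker-controlled 16-bit lengths, so `inptr` can end up as much as 131070 bytes past `insize` unless a second check bounds the advance, e.g. `if (insize - inptr < LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT)) goto bad_zip;` after the first one. Finally, `insize - inptr` assumes `inptr <= insize` holds at this point; if both are unsigned the subtraction wraps and the check passes when that invariant is violated.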

Best regards,
Mohamed Maatallah
[Message part 2 (text/html, inline)]

Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Fri, 30 May 2025 06:11:02 GMT) Full text and rfc822 format available.

Notification sent to Zephyr official <zephyrofficialdiscord <at> gmail.com>:
bug acknowledged by developer. (Fri, 30 May 2025 06:11:02 GMT) Full text and rfc822 format available.

Message #10 received at 78639-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Zephyr official <zephyrofficialdiscord <at> gmail.com>
Cc: 78639-done <at> debbugs.gnu.org
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Thu, 29 May 2025 23:10:18 -0700
[Message part 1 (text/plain, inline)]
Thanks for the bug report and proposed fix. I installed the attached, 
which should fix the gzip bug in a different way.

I think the bug is innocuous in practice, but it's good to fix it anyway 
as these things tend to mushroom.
[0001-gzip-fix-uninitialized-read.patch (text/x-patch, attachment)]

Information forwarded to bug-gzip <at> gnu.org:
bug#78639; Package gzip. (Fri, 30 May 2025 13:17:03 GMT) Full text and rfc822 format available.

Message #13 received at 78639 <at> debbugs.gnu.org (full text, mbox):

From: Zephyr official <zephyrofficialdiscord <at> gmail.com>
To: 78639 <at> debbugs.gnu.org
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 14:16:03 +0100
[Message part 1 (text/plain, inline)]
Hi Paul,

Thanks for the patch and for looking into this.

I've been digging a bit further into the interaction. Your patch `c5e7899`
tightens the bounds for `SH(h + LOCFIL)` and `SH(h + LOCEXT)` within
`check_zipfile()`, but there appears to be an uninitialized read of
inbuf[3] during the initial PKZIP magic number check in
`gzip.c:get_method()` also.

This occurs when `DYN_ALLOC` is active (making `inbuf` uninitialized heap)
and `insize` is precisely 3 due to a short input like PK\x03. The
memcmp((char*)inbuf, PKZIP_MAGIC, 4) in `get_method()` will access inbuf[3]
before check_zipfile() is even invoked for that path.

This can be demonstrated with:

printf "\x50\x4B\x03" > trigger.dat
# Assuming gzip compiled with DYN_ALLOC and your patch c5e7899
valgrind --track-origins=yes ./gzip -tv trigger.dat

Best regards,
Mohamed Maatallah

On Fri, May 30, 2025 at 7:10 AM Paul Eggert <eggert <at> cs.ucla.edu> wrote:

> Thanks for the bug report and proposed fix. I installed the attached,
> which should fix the gzip bug in a different way.
>
> I think the bug is innocuous in practice, but it's good to fix it anyway
> as these things tend to mushroom.
[Message part 2 (text/html, inline)]
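Both reads discussed in this thread, the 26-byte local header of message #5 and the 3-byte "PK\003" of message #13, come from the same pattern: a field is read from `inbuf` before anyone has checked that `insize` covers it. The following is an added example, not gzip's code or either patch: a hypothetical `zip_skip_local_header()` that does the same skip as check_zipfile() but tests the available length before every read, including the 4-byte signature compare, the two length fields at offsets 26 and 28, and the advance over the name and extra field. `build_local_header()` constructs test inputs whose fixed fields mirror the reporter's poc.zip; the constants reuse gzip's names (LOCSIG, LOCHDR, LOCFIL, LOCEXT) and values, and treating the name and extra field as "must be within the buffered data" is this example's assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PKZIP local-file-header layout (same names and values as gzip's unzip.c). */
#define LOCSIG  0x04034b50UL   /* "PK\003\004" read little-endian */
#define LOCHDR  30             /* size of the fixed header */
#define LOCFIL  26             /* offset of the 2-byte file-name length */
#define LOCEXT  28             /* offset of the 2-byte extra-field length */

enum zip_status { ZIP_OK, ZIP_NOT_ZIP, ZIP_TRUNCATED };

/* Little-endian reads, equivalent to gzip's SH() and LG() macros. */
static unsigned sh(const unsigned char *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}
static unsigned long lg(const unsigned char *p)
{
    return (unsigned long)sh(p) | ((unsigned long)sh(p + 2) << 16);
}

/*
 * Hypothetical bounds-checked version of the header skip in check_zipfile().
 * Every read is preceded by a length test, so a 3-byte "PK\003" or a 26-byte
 * truncated header is rejected instead of being read past insize.
 * On ZIP_OK, *next is the offset of the first byte after the name and extra field.
 */
enum zip_status zip_skip_local_header(const unsigned char *inbuf, size_t insize,
                                      size_t inptr, size_t *next)
{
    if (inptr > insize)
        return ZIP_TRUNCATED;        /* caller invariant broken; read nothing */
    size_t avail = insize - inptr;   /* cannot wrap: inptr <= insize */
    const unsigned char *h = inbuf + inptr;

    /* Signature compare only once all 4 bytes exist: a 4-byte memcmp on a
       3-byte input is the get_method() read reported in message #13. */
    if (avail < 4)
        return ZIP_TRUNCATED;
    if (lg(h) != LOCSIG)
        return ZIP_NOT_ZIP;

    /* The length fields sit at offsets 26 and 28, so the whole fixed header
       must be buffered before they are read (the message #5 case). */
    if (avail < LOCHDR)
        return ZIP_TRUNCATED;
    size_t skip = (size_t)LOCHDR + sh(h + LOCFIL) + sh(h + LOCEXT);

    /* Name and extra field are attacker-sized (up to 65535 bytes each);
       this example refuses to advance past the buffered data. */
    if (skip > avail)
        return ZIP_TRUNCATED;
    *next = inptr + skip;
    return ZIP_OK;
}

/* Constructed test input: a local header with the given name/extra lengths.
   The other fields match the reporter's poc.zip (version 20, sizes 1).
   Writes LOCHDR bytes and returns that count. */
size_t build_local_header(unsigned char out[LOCHDR], unsigned fil, unsigned ext)
{
    static const unsigned char fixed[26] = {
        0x50, 0x4b, 0x03, 0x04,  0x14, 0x00,  0x00, 0x00,  0x00, 0x00,
        0x00, 0x00,  0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00,
    };
    memcpy(out, fixed, sizeof fixed);
    out[LOCFIL] = fil & 0xff; out[LOCFIL + 1] = (fil >> 8) & 0xff;
    out[LOCEXT] = ext & 0xff; out[LOCEXT + 1] = (ext >> 8) & 0xff;
    return LOCHDR;
}

int main(void)
{
    unsigned char buf[64];
    size_t next = 0;

    build_local_header(buf, 3, 0);
    memcpy(buf + LOCHDR, "a.c", 3);
    printf("full header + name: status %d, next offset %zu\n",
           zip_skip_local_header(buf, 33, 0, &next), next);
    /* Same bytes, but only the first 26 visible: the poc.zip of message #5. */
    printf("26-byte header: status %d\n", zip_skip_local_header(buf, 26, 0, &next));
    /* Only "PK\003" visible: the trigger.dat of message #13. */
    printf("3-byte input: status %d\n", zip_skip_local_header(buf, 3, 0, &next));
    return 0;
}
```

The order of the checks matters: the signature is compared before the 30-byte test so that a non-zip input is still reported as such, but the 4-byte availability test comes before even that compare, which is exactly the step the `memcmp(inbuf, PKZIP_MAGIC, 4)` path lacks.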

Information forwarded to bug-gzip <at> gnu.org:
bug#78639; Package gzip. (Fri, 30 May 2025 19:29:02 GMT) Full text and rfc822 format available.

Message #16 received at 78639 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Zephyr official <zephyrofficialdiscord <at> gmail.com>
Cc: 78639 <at> debbugs.gnu.org
Subject: Re: bug#78639: Uninitialised read in check_zipfile() (gzip 1.14)
Date: Fri, 30 May 2025 12:28:12 -0700
[Message part 1 (text/plain, inline)]
Thanks, I installed the attached additional patch.
[0001-gzip-fix-another-uninitialized-read.patch (text/x-patch, attachment)]

This bug report was last modified 7 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.