Bug 1103878 (CVE-2018-1000637) - VUL-0: CVE-2018-1000637: zutils: buffer overflow in zutils zcat
Summary: VUL-0: CVE-2018-1000637: zutils: buffer overflow in zutils zcat
Status: RESOLVED FIXED
Alias: CVE-2018-1000637
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2018-08-06 09:33 UTC by Marcus Meissner
Modified: 2019-08-14 14:43 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2018-08-06 09:33:26 UTC
via oss-sec

From: Ben Hutchings <ben@decadent.org.uk>
Subject: [oss-security] Heap-based buffer overflow in zutils zcat

A heap-based buffer overflow (CWE-122) was discovered in the zutils
implementation of zcat.  It is apparently possible only if the -v
option, or one of the other options that implies -v, is used.

This seems to have been first discovered in 2016 as a result of
interaction between initramfs-tools and zutils, but was initially
thought to be a bug in the gzip implementation of zcat:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1507443
https://bugs.debian.org/815915

It was eventually reported to the zutils upstream developer (Antonio
Diaz Diaz, cc'd) in the last few weeks and was fixed in version
1.8-pre2.  This was announced in:
https://lists.nongnu.org/archive/html/zutils-bug/2018-08/msg00000.html

I will request a CVE ID for this.

Ben.
Comment 1 Luigi Baldoni 2018-08-06 10:36:37 UTC
Fix submitted.
Comment 2 Marcus Meissner 2018-08-21 06:01:36 UTC
can you also submit fixes for 42.3 and 15.0?
Comment 3 Luigi Baldoni 2018-08-21 13:44:10 UTC
Done.
Comment 4 Swamp Workflow Management 2018-08-21 14:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1103878) was mentioned in
https://build.opensuse.org/request/show/630790 15.0+42.3 / zutils
https://build.opensuse.org/request/show/630793 15.0+42.3 / zutils
Comment 5 Andreas Stieger 2018-08-21 15:44:39 UTC
Regarding the "zutils implementation of zcat":
I wonder if anyone can even use it? Installing it removes zypper, dracut, lvm, mdadm and all of YaST.

Problem: zutils-1.6-lp150.1.2.x86_64 conflicts with gzip provided by gzip-1.9-lp150.2.16.x86_64
 Solution 1: Following actions will be done:
  deinstallation of gzip-1.9-lp150.2.16.x86_64
[...]
  deinstallation of dracut-044.1-lp150.13.6.x86_64
[...]
  deinstallation of zypper-1.14.5-lp150.1.1.x86_64
[...]
  deinstallation of lvm2-2.02.177-lp150.5.1.x86_64
[...]
  deinstallation of yast2-4.0.79-lp150.2.6.1.x86_64
[...]
  deinstallation of mdadm-4.0-lp150.7.1.x86_64

So this is pretty much not testable as a maintenance update. 

Regarding the package content:

These binaries are also provided by gzip:
/usr/bin/zcat
/usr/bin/zcmp
/usr/bin/zdiff
/usr/bin/zegrep
/usr/bin/zfgrep
/usr/bin/zgrep

These are unique to zlib:
/usr/bin/ztest
/usr/bin/zupdate

For Factory, is this not a case for update-alternatives?

The package is a leaf in Factory for building, and no package appears to require it on Leap 15.0


Finally:
(In reply to Swamp Workflow Management from comment #4)
> This is an autogenerated message for OBS integration:
> https://build.opensuse.org/request/show/630793 15.0+42.3 / zutils

This contains more than the security fix. Is that required and if so what is the rationale? Just collect all upstream fixes?
Comment 6 Luigi Baldoni 2018-08-21 20:44:25 UTC
(In reply to Andreas Stieger from comment #5)
> Regarding the "zutils implementation of zcat":
> I wonder if anyone can even use it? Installing it removes zypper, dracut,
> lvm, mdadm and all of YaST.
> 
> Problem: zutils-1.6-lp150.1.2.x86_64 conflicts with gzip provided by
> gzip-1.9-lp150.2.16.x86_64
>  Solution 1: Following actions will be done:
>   deinstallation of gzip-1.9-lp150.2.16.x86_64
> [...]
>   deinstallation of dracut-044.1-lp150.13.6.x86_64
> [...]
>   deinstallation of zypper-1.14.5-lp150.1.1.x86_64
> [...]
>   deinstallation of lvm2-2.02.177-lp150.5.1.x86_64
> [...]
>   deinstallation of yast2-4.0.79-lp150.2.6.1.x86_64
> [...]
>   deinstallation of mdadm-4.0-lp150.7.1.x86_64
> 
> So this is pretty much not testable as a maintenance update. 
> 
> Regarding the package content:
> 
> These binaries are also provided by gzip:
> /usr/bin/zcat
> /usr/bin/zcmp
> /usr/bin/zdiff
> /usr/bin/zegrep
> /usr/bin/zfgrep
> /usr/bin/zgrep
> 
> These are unique to zlib:
> /usr/bin/ztest
> /usr/bin/zupdate
> 
> For Factory, is this not a case for update-alternatives?
> 
> The package is a leaf in Factory for building, and no package appears to
> require it on Leap 15.0

First time I hear about this. Wasn't some automated test supposed to detect collisions?

> Finally:
> (In reply to Swamp Workflow Management from comment #4)
> > This is an autogenerated message for OBS integration:
> > https://build.opensuse.org/request/show/630793 15.0+42.3 / zutils
> 
> This contains more than the security fix. Is that required and if so what is
> the rationale? Just collect all upstream fixes?

The patch doesn't apply to 1.4 on 42.3 and, being a security matter, I wasn't confident in modifying it. So, 42.3 would have ended up with 1.7 and 15.0 with 1.6. It didn't seem proper.

What's the praxis in a case like this?
Comment 7 Andreas Stieger 2018-08-21 21:50:54 UTC
(In reply to Luigi Baldoni from comment #6)
> First time I hear about this. Wasn't some automated test supposed to detect
> collisions?

The file conflicts were found and correctly expressed as package conflicts. Beyond that, no OpenQA scenario seems to be using zutils. Of course the Maintenance OpenQA test tries to install all updated packages, and would fail for this submitted update because the package was never really usable, in the sense that it conflicts with gzip and gzip is used by everything - explicitly.

So this is a shared packaging bug between gzip and zutils, e.g. not being able to replace one another, and the whole distribution referencing gzip by explicit name. 

We can do the update nevertheless, just the OpenQA test will fail due to the above and we would need to override.

> The patch doesn't apply to 1.4 on 42.3 and being a security matter I wasn't
> confident in modifying it. So, 42.3 would have ended up with 1.7 and 15.0
> with 1.6. It didn't seem proper.
> 
> What's the praxis in a case like this?

We usually try backports first, then if the backport is not feasible or desirable do conservative version updates. Yes we would do it to the same version, for reasons you pointed out. This being a CLI it would actually work as there are no other dependencies.

So thanks for the clarification. I believe we can go ahead. If you want you can consider cases of parallel installation (update-alternatives) for Factory.
Comment 8 Swamp Workflow Management 2018-09-03 13:09:26 UTC
openSUSE-SU-2018:2591-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1103878
CVE References: CVE-2018-1000637
Sources used:
openSUSE Leap 42.3 (src):    zutils-1.7-4.3.1
openSUSE Leap 15.0 (src):    zutils-1.7-lp150.2.3.1
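Because /usr/bin/zcat may come from either gzip or zutils (comment 5), the first question on any host is which implementation is installed, and only then whether its version predates the fix. The script below is an added example and is not part of this bug report or of the zutils or openSUSE packaging; it classifies the first line of `zcat --version` and flags zutils releases older than 1.8 (the report names 1.8-pre2 as the first upstream release with the fix). It assumes the banner formats "zcat (gzip) 1.9" and "zcat (zutils) 1.6"; those are assumptions, not output quoted from the page. The advisory above ships the fix as zutils 1.7 with a backport, so for a distro package a "1.7" result must be confirmed against the package changelog rather than the upstream threshold, and the overflow itself is only reachable when -v (or an option implying it) is used.

```shell
#!/bin/sh
# Added example, not code from the zutils project or the SUSE packages.
# Classifies a `zcat --version` banner and applies the upstream fixed-version
# threshold for CVE-2018-1000637. Banner formats below are assumed.

# zcat_impl BANNER -> prints "gzip", "zutils" or "unknown"
zcat_impl() {
    case "$1" in
        *"(gzip)"*)   echo gzip ;;
        *"(zutils)"*) echo zutils ;;
        *)            echo unknown ;;
    esac
}

# banner_version BANNER -> prints the first dotted version token
# (e.g. "1.6" or "1.8-pre2"), nothing if none is present
banner_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]/) { print $i; exit } }'
}

# zutils_unfixed VERSION -> exit 0 if VERSION is older than 1.8, the first
# upstream series carrying the fix (1.8-pre2 per the report); 1 otherwise.
# Only major.minor are compared; suffixes such as "-pre2" are ignored.
zutils_unfixed() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    minor=${minor:-0}
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -lt 8 ]; then return 0; fi
    return 1
}

# check_zcat_banner BANNER -> one-line verdict for the given banner
check_zcat_banner() {
    impl=$(zcat_impl "$1")
    ver=$(banner_version "$1")
    case "$impl" in
        gzip)
            echo "gzip $ver: not affected (CVE-2018-1000637 is specific to the zutils implementation)" ;;
        zutils)
            if zutils_unfixed "$ver"; then
                echo "zutils $ver: affected unless the vendor backported the fix (check the package changelog)"
            else
                echo "zutils $ver: fixed upstream"
            fi ;;
        *)
            echo "unknown zcat implementation: $1" ;;
    esac
}

# Stand-alone use: inspect the zcat on PATH, if there is one.
if command -v zcat >/dev/null 2>&1; then
    check_zcat_banner "$(zcat --version 2>&1 | head -n 1)"
fi
```

On an openSUSE host the authoritative follow-up is `rpm -q --whatprovides /usr/bin/zcat` and `rpm -q --changelog zutils`, since the SUSE update carries the fix at version 1.7, below the upstream threshold this script uses.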
Comment 9 Marcus Meissner 2018-09-07 11:28:34 UTC
released