CVE-2015-1315 -- Info-ZIP unzip -- Out of bounds Write

0. Status
---------
20150217 - Final

1. Description
--------------
Info-ZIP "UnZip" is an extraction utility for archives compressed in ".zip"
format.

An out-of-bounds write can be triggered with a malformed zip file, resulting in a
crash or arbitrary code execution.

The problem lies in the "unix/unix.c:charset_to_intern()" function which is
part of the 06-unzip60-alt-iconv-utf8 patch (Ubuntu reference [0]).

It can be triggered during string conversion from CP866 to UTF-8, for which the
destination buffer is not large enough.
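The bug class described above, as an added example that is not part of this advisory or of UnZip's own code: a conversion helper that sizes the destination buffer for the worst-case UTF-8 expansion of a single-byte charset (a CP866 Cyrillic byte becomes 2 UTF-8 bytes, a box-drawing byte 3) and handles iconv's E2BIG by growing the buffer instead of writing past it. The function names, the initial_cap parameter and the "Привет" sample input are constructed for this illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst case for any single-byte charset -> UTF-8: each input byte may become a
 * code point of up to 4 UTF-8 bytes. Sizing the destination on strlen(src) alone
 * (the pattern behind the overflow described above) is therefore too small. */
#define UTF8_MAX_BYTES_PER_CHAR 4

/* Convert the NUL-terminated string src (encoded in from_charset) to a freshly
 * allocated, NUL-terminated UTF-8 string. initial_cap == 0 selects worst-case
 * sizing; a smaller value exercises the E2BIG growth path. Returns NULL on
 * failure; out_len receives the UTF-8 byte length on success. */
char *to_utf8_safe(const char *from_charset, const char *src,
                   size_t initial_cap, size_t *out_len)
{
    iconv_t cd = iconv_open("UTF-8", from_charset);
    if (cd == (iconv_t)-1)
        return NULL;

    size_t in_left = strlen(src);
    size_t out_cap = initial_cap ? initial_cap
                                 : in_left * UTF8_MAX_BYTES_PER_CHAR + 1;
    char *out = malloc(out_cap);
    if (!out) { iconv_close(cd); return NULL; }

    char *in_ptr = (char *)src;          /* iconv() takes a non-const pointer */
    char *out_ptr = out;
    size_t out_left = out_cap - 1;       /* keep one byte for the terminator */

    while (in_left > 0) {
        size_t r = iconv(cd, &in_ptr, &in_left, &out_ptr, &out_left);
        if (r != (size_t)-1)
            continue;
        if (errno != E2BIG) {            /* EILSEQ / EINVAL: malformed input */
            free(out); iconv_close(cd); return NULL;
        }
        /* Output buffer exhausted: iconv already advanced in_ptr/out_ptr past
         * the part it converted, so grow the buffer and resume from there. */
        size_t used = (size_t)(out_ptr - out);
        out_cap *= 2;
        char *bigger = realloc(out, out_cap);
        if (!bigger) { free(out); iconv_close(cd); return NULL; }
        out = bigger;
        out_ptr = out + used;
        out_left = out_cap - 1 - used;
    }
    *out_ptr = '\0';
    if (out_len)
        *out_len = (size_t)(out_ptr - out);
    iconv_close(cd);
    return out;
}

int main(void)
{
    /* Constructed sample: "Привет" encoded in CP866 (6 single-byte characters). */
    const char cp866_hello[] = "\x8F\xE0\xA8\xA2\xA5\xE2";
    size_t n = 0;
    char *utf8 = to_utf8_safe("CP866", cp866_hello, 0, &n);
    if (!utf8) {
        perror("conversion failed");
        return 1;
    }
    printf("%zu CP866 bytes -> %zu UTF-8 bytes: %s\n",
           strlen(cp866_hello), n, utf8);
    free(utf8);
    return 0;
}
```

The six CP866 bytes expand to twelve UTF-8 bytes, which is exactly the growth a strlen-sized destination cannot hold; the worst-case allocation makes E2BIG unreachable for single-byte sources, and the growth path covers any source charset whose expansion exceeds the estimate.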

From this point, eip/rip control is trivial.

The origin of the vulnerable code can be tracked to [1].
It appears that the overflow problem was already mentioned back in 2012 [2].

An updated iconv patch (received from Ubuntu) is available at [3].

2. Affected versions
--------------------
Reported on Ubuntu 14.04.1 LTS (amd64) with package unzip version 6.0-9ubuntu1.2.

Vulnerable code is present in:
- Info-ZIP beta/development release version 6.10b:
    ftp://ftp.info-zip.org/pub/infozip/beta/unzip610b.zip
    file unzip610b/unix/unix.c

- Ubuntu Precise (12.04 LTS)
    http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-4ubuntu2.2.debian.tar.gz
    file debian/patches/04-unzip60-alt-iconv-utf8

- Ubuntu Trusty (14.04 LTS)
    http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz
    file debian/patches/06-unzip60-alt-iconv-utf8

- Ubuntu Utopic (14.10)
    http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-12ubuntu1.2.debian.tar.xz
    file debian/patches/20-unzip60-alt-iconv-utf8

- Ubuntu Vivid (15.04)
    http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-13ubuntu2.debian.tar.xz
    file debian/patches/20-unzip60-alt-iconv-utf8

- FreeBSD 10.1: archivers/unzip port
    file https://svnweb.freebsd.org/ports/head/archivers/unzip/files/extra-iconv-patch-unix_unix.c
    (Revision 364956)

- ALT Linux: http://sisyphus.ru/ru/srpm/Sisyphus/unzip
    file http://sisyphus.ru/ru/srpm/Sisyphus/unzip/patches/3

This issue does not affect the latest upstream release 6.0 (Release date
20090420).

3. References
-------------
[0] Ubuntu iconv patch:
    http://archive.ubuntu.com/ubuntu/pool/main/u/unzip/unzip_6.0-9ubuntu1.2.debian.tar.gz
        file debian/patches/06-unzip60-alt-iconv-utf8

[1] ALT Linux Bugzilla:
    https://bugzilla.altlinux.org/show_bug.cgi?id=4871

[2] Ubuntu Linux Bugzilla:
    https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/580961/comments/120

[3] Patch Proposal from Ubuntu:
    http://www.conostix.com/pub/adv/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch

4. Timeline
-----------
20150210 - Ubuntu contacted, CVE assigned, disclosure date defined
20150211 - FreeBSD & Upstream contacted
20150212 - Openwall distros mailing list notified
20150217 - Public disclosure

5. Credits
----------
William Robinet - Conostix S.A. - william.robinet-unzip [AT] conostix.com
american fuzzy lop - http://lcamtuf.coredump.cx/afl/