Tech Stack: libzip and PHP’s ZIP Extension
Date(s) Issued: Published: 03/30/2015; Last Modified: 04/15/2015
Criticality: CVSS v2 Score: 7.5 – HIGH
Overview: CVE-2015-2331 is an integer overflow vulnerability in the _zip_cdir_new function within zip_dirent.c of libzip versions 0.11.2 and earlier. This vulnerability also affects PHP’s ZIP extension in versions prior to 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7, which utilize libzip. An attacker can exploit this flaw by providing a specially crafted ZIP archive containing numerous entries, leading to a heap-based buffer overflow. Successful exploitation may result in a denial of service (application crash) or potentially allow arbitrary code execution.
Solution/Mitigation:
- Upgrade libzip:
- libzip Version: Upgrade to libzip version 0.11.3 or later, where this vulnerability has been addressed. Ensure that any applications statically linking libzip are recompiled against the updated library.
- Upgrade PHP:
- PHP Versions: Upgrade to PHP versions 5.4.39, 5.5.23, 5.6.7, or later, which include fixes for this vulnerability in the ZIP extension. Refer to the PHP ChangeLog for detailed information.
- Apply Patches:
- Source Code Patches: If upgrading is not immediately feasible, apply the patches provided by the respective maintainers:
- libzip: Patch Commit
- PHP: Patch Commit
- Source Code Patches: If upgrading is not immediately feasible, apply the patches provided by the respective maintainers:
- Distribution Updates:
- Operating System Packages: Ensure that your system’s package manager is used to update libzip and PHP to the latest patched versions provided by your distribution. For example, Debian has released DSA-3198 addressing this issue.
- Security Best Practices:
- Input Validation: Implement robust input validation to inspect and sanitize ZIP files before processing, reducing the risk of malformed archives causing issues.
- Least Privilege: Run applications with the minimal necessary privileges to limit the impact of potential exploitation.
- Regular Updates: Maintain a routine of applying security updates and patches to all software components to protect against known vulnerabilities.
Confirmation & Additional Information:
- Verification: After applying updates or patches, test the application by processing ZIP archives to ensure stability and verify that the vulnerability has been mitigated.
- Stay Informed: Monitor security advisories from software vendors and repositories to remain aware of any further updates or related vulnerabilities.
- Official Resources:
- National Vulnerability Database Entry: CVE-2015-2331
- Debian Security Tracker: CVE-2015-2331
- Ubuntu Security Notice: CVE-2015-2331
