Executive Summary

This vulnerability exists in the zipdetails CLI tool shipped with IO::Compress versions from 2.207 before 2.220 for Perl. The tool crashes due to an undefined subroutine error when it encounters an Info-ZIP Unix Extra Field with an 8-byte UID or GID.

Specifically, when the decode_ux() function processes an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, it tries to decode an 8-byte UID or GID value by calling a helper function named unpackValueQ. However, the actual function defined is named unpackValue_Q (with an underscore), causing the call to fail and the script to exit with status 255.

This defect affects only the bundled CLI tool zipdetails; library callers of IO::Compress and IO::Uncompress are not impacted.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability causes the zipdetails CLI tool to crash when processing certain ZIP files containing an Info-ZIP Unix Extra Field with an 8-byte UID or GID. This results in the tool exiting unexpectedly with an error.

Since the issue is limited to the CLI tool and does not affect the underlying IO::Compress or IO::Uncompress libraries, the impact is primarily on users relying on the zipdetails tool for ZIP file inspection or analysis.

The crash could disrupt workflows or automated processes that depend on zipdetails, potentially causing denial of service or interruption in ZIP file handling.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects the zipdetails CLI tool bundled with IO::Compress versions from 2.207 before 2.220 for Perl. Detection involves identifying if the vulnerable version of zipdetails is present and if it crashes when processing Info-ZIP Unix Extra Fields with 8-byte UID or GID.

You can test the vulnerability by running the zipdetails tool on a crafted ZIP file containing an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8 bytes. If the tool crashes with an 'Undefined subroutine &main::unpackValueQ' error and exits with status 255, the vulnerability is present.

Since the issue is a crash due to a missing subroutine, a simple command to check the version of zipdetails can help identify if the tool is within the vulnerable range:

• zipdetails --version

To confirm the crash, you might run zipdetails on a ZIP file with the specific extra field, but creating such a file requires crafting a ZIP with the Info-ZIP Unix Extra Field containing 8-byte UID or GID, which is a specialized task.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to update the zipdetails CLI tool to a fixed version, specifically version 4.006 or later, which includes the patch correcting the typo in the unpackValueQ function and improves error handling.

If updating is not immediately possible, avoid processing ZIP files that contain Info-ZIP Unix Extra Fields with 8-byte UID or GID using the vulnerable zipdetails tool, as this triggers the crash.

Since the vulnerability is limited to the CLI tool and does not affect library callers of IO::Compress and IO::Uncompress, consider using the libraries directly if applicable.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability affects the zipdetails CLI tool in IO::Compress versions from 2.207 before 2.220 for Perl, causing it to crash when handling certain Info-ZIP Unix Extra Fields. However, the defect is limited to the CLI tool and does not affect library callers of IO::Compress and IO::Uncompress.

There is no information provided in the context or resources about any impact on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0