The vulnerability has been assigned the CVE identifier CVE-2017-15943. As a precautionary measure, we recommend updating to the latest version as soon as possible. You can update to the latest version by including the following command in your application’s gradle file:

updateZIP4J_VERSION = '2.10.0'

ZIP4J can be used to extract files from compressed archives without decompression, which is a common task when handling compressed files with custom compression or when performing extract and load operations on archives with known vulnerabilities. When parsing a specially crafted ZIP file, ZIP4J can suffer from an infinite loop, which could result in an application crash. This can be done by uploading a ZIP file that contains an infinite number of directories, or by uploading a file that contains a non-zero length field followed by an infinite number of directories. The following sample ZIP file can be used to cause an application crash:

How to trigger the vulnerability

/**
 * This is a test ZIP file.
 *
 * Create a ZIP file that is 1M in length with a non-zero
 * value followed by an infinite number of directories.
 */
public class SampleZipFile {

    /** The length of the ZIP file in bytes */
    public static final int FILE_SIZE = 1;

    /** The ZIP file's name */
    public static final String FILENAME = "test.zip";

    /** A value followed by an infinite number of directories */
    private static final byte[] DIRECTORIES = new byte[0].getBytes(FILE_SIZE).toArray(new byte[FILE_SIZE]);

    /**
     * Create a sample zip file that has a non-zero length
     * value followed by an infinite number of directories.
     */
    public static void main(String[] args) {
        try {
            File zipFile = new File("1M-sample.zip");
            Zip4j zip4j = new Zip4j(zipFile.getPath(), true, null, this.names);
            logInfo("Creating ZIP file with {} bytes." + FILENAME + " and {} directory entries." + DIRECTORIES.length);
            // Create the first entry for the directories
            zip4j.createDirectoryEntry(0, DIRECTORIES, null, null, this.names, false);
        } catch (IOException ioe) {
            ioe.printStackTrace(System.err);
        }
    }

    /**
     * Extract all files from the ZIP file and write them to
     * the out directory on the local filesystem in a

Zipper File Header

File header of the sample ZIP file that is causing the infinite loop.
zii ppa : zii / zip4j - org / 2.10.0
zii ppa : zii / zip4j - org / 2.10.0-rc1
zii ppa : zii / zip4j - org / 2.10.0-rc2
zii ppa : zii / zip4j - org / 2.10.0-rc3
zii ppa : zii / zip4j - org / 2.10.0-rc4
zii ppa : zii / zip4j - org / 2.10.0-rc5
zip4j-org.license.installer.jar (com.google.commons.codec.ZipArchiveUnzipper)
com.google.commons.codec.ZipArchiveUnzipper 619 final class
{
    static public final String getDescription() {
        return "This is a test ZIP file.";
    }
    static public final String getUri() {
        return new URI("file:///path/to/my/ZIP/file");
    }
    static public final String getCompressedSize() {
        return new Long(1000000);
    }
    static public final int decodeByteArray(byte[] buffer, int

Create a ZIP file that is 1M in length with a non-zero length field followed by an infinite number of directories.


file name = 'test.zip'
length = 1000000
zeroes = 0
zipFileName = 'test.zip'
zipFileVersion = '1.0'
dataList.add(new ZipEntry(null, '*.*'))
dataList.add(new ZipEntry(null, '*.*'))
dataList.add(new ZipEntry(null, '*:*/.*/*.*'))
dataList.add(new ZipEntry(null, "*"))
dataList.add(new ZipEntry(null, "*/:*"))

def x():
    while True:
        try:
            fd = open("/dev/null")
        except IOError as e:
            print e
            return
        for entry in dataList:
            entry.doFinalWrite()
        fd.close()

x()

Zip file with an infinite number of directories



Timeline

Published on: 02/24/2022 15:15:00 UTC
Last modified on: 04/19/2022 04:03:00 UTC
