Hi,
\n
We have used Ionic.Zip.dll in our web application to Zip files before downloading. The assembly version of the dll is 1.8.4.27. The application is running in production. Recently our code has been scanned by veracode and identified various security issues. Some of the security issues are related to Ionic Zip dll. Can you please provide the justification on each of the security flaw identified. We need to submit a report providing justfication/resolution that in using Ionic Zip there is no security threat. Please find below table with the issues and description of the issues.
| \n Category \n | \n\n CWE Name \n | \n\n Description \n | \n\n Module \n | \n\n Scope \n | \n\n Function Prototype \n | \n
| \n Cryptographic Issues \n | \n\n Insufficient Entropy \n | \n\n Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand(). If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy. References: CWE (http://cwe.mitre.org/data/definitions/331.html) \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.SharedUtilities \n | \n\n char GetOneRandomChar(int) \n | \n
| \n Cryptographic Issues \n | \n\n Insufficient Entropy \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.SharedUtilities \n | \n\n string GenerateRandomStringImpl(int, int) \n | \n|
| \n Cryptographic Issues \n | \n\n Insufficient Entropy \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipEntry \n | \n\n void _WriteSecurityMetadata(System.IO.Stream) \n | \n|
| \n Cryptographic Issues \n | \n\n Insufficient Entropy \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.WinZipAesCrypto \n | \n\n WinZipAesCrypto Generate(string, int) \n | \n|
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n This call to mscorlib_dll.System.IO.File.Open() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to Open() contains tainted data. The tainted data originated from an earlier call to ionic_zip_dll.Ionic.Zip.ZipFile.IsZipFile. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. References: CWE (http://cwe.mitre.org/data/definitions/73.html) WASC (http://webappsec.pbworks.com/Path-Traversal) \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n bool IsZipFile(string, bool) \n | \n
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n This call to mscorlib_dll.System.IO.File.OpenRead() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to OpenRead() contains tainted data. The tainted data originated from earlier calls to ionic_zip_dll.Ionic.Zip.ZipFile.Read, ionic_zip_dll.Ionic.Zip.ZipFile.CheckZip, and ionic_zip_dll.Ionic.Zip.ZipFile.FixZipDirectory. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. References: CWE (http://cwe.mitre.org/data/definitions/73.html) WASC (http://webappsec.pbworks.com/Path-Traversal) \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n System.IO.Stream get_ReadStream() \n | \n
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n System.IO.Stream get_WriteStream() \n | \n|
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n void RemoveTempFile() \n | \n|
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n void Save() \n | \n|
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n void Save() \n | \n|
| \n Directory Traversal \n | \n\n External Control of File Name or Path \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zip.ZipFile \n | \n\n void Save() \n | \n|
| \n Code Quality \n | \n\n Improper Resource Shutdown or Release \n | \n\n There are total of 9 instances. The program fails to release or incorrectly releases some variables, e.g. the variable ms, which was previously allocated by a call to mscorlib_dll.System.IO.MemoryStream.!newinit_0_0(). Ensure that all code paths properly release this resource. References: CWE (http://cwe.mitre.org/data/definitions/404.html) \n | \n\n Ionic.Zip.dll \n | \n\n ionic_zip_dll.Ionic.Zlib.DeflateStream \n | \n\n byte[] CompressBuffer(byte[]) \n | \n
Thanks for the help in advance.
\n\n
Regards, Vashist
", "PostedDate": "2011-11-24T02:03:59.217-08:00", "UserRole": null, "MarkedAsAnswerDate": null } ]