Your message dated Wed, 31 May 2017 17:33:37 +0000 with message-id <[email protected]> and subject line Bug#861614: fixed in rzip 2.1-4.1 has caused the Debian Bug report #861614, regarding rzip: CVE-2017-8364 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
861614: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861614
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rzip
Version: 2.1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for rzip, filed with RC
severity due to the heap overflow write, but no further investigation
done so far.

CVE-2017-8364[0]:
| The read_buf function in stream.c in rzip 2.1 allows remote attackers
| to cause a denial of service (heap-based buffer overflow and
| application crash) or possibly have unspecified other impact via a
| crafted archive.

~/rzip-2.1# ./rzip -k -f -d ~/poc/00277-rzip-heap-overflow-read_buf.rz
Read of length -1325400064 failed - Bad address
=================================================================
==1219==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd1 at pc 0x7f4611df3965 bp 0x7fff8e6c3430 sp 0x7fff8e6c2be0
WRITE of size 187 at 0x60200000efd1 thread T0
    #0 0x7f4611df3964 in read (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x48964)
    #1 0x55d535e8095f in read_buf stream.c:153
    #2 0x55d535e8294a in fill_buffer stream.c:406
    #3 0x55d535e8312b in read_stream stream.c:464
    #4 0x55d535e7d99e in unzip_literal runzip.c:75
    #5 0x55d535e7de6a in runzip_chunk runzip.c:156
    #6 0x55d535e7e03b in runzip_fd runzip.c:184
    #7 0x55d535e7ef11 in decompress_file main.c:180
    #8 0x55d535e7ffa9 in main main.c:368
    #9 0x7f461181d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #10 0x55d535e79609 in _start (/root/rzip-2.1/rzip+0x3609)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7f4611e6cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x55d535e82813 in fill_buffer stream.c:402
    #2 0x55d535e8312b in read_stream stream.c:464
    #3 0x55d535e7d99e in unzip_literal runzip.c:75
    #4 0x55d535e7de6a in runzip_chunk runzip.c:156
    #5 0x55d535e7e03b in runzip_fd runzip.c:184
    #6 0x55d535e7ef11 in decompress_file main.c:180
    #7 0x55d535e7ffa9 in main main.c:368
    #8 0x7f461181d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x48964) in read
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1219==ABORTING
~/rzip-2.1#

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8364
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8364

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rzip
Source-Version: 2.1-4.1

We believe that the bug you reported is fixed in the latest version of
rzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated rzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 26 May 2017 18:40:30 +0200
Source: rzip
Binary: rzip
Architecture: source
Version: 2.1-4.1
Distribution: unstable
Urgency: medium
Maintainer: Daniele Adriana Goulart Lopes <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Description:
 rzip - compression program for large files
Closes: 861614
Changes:
 rzip (2.1-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * 80-CVE-2017-8364-fill-buffer.patch: fix heap buffer overflow write by
     allocating a properly sized buffer. Patch taken from openSUSE.
     (CVE-2017-8364). Closes: 861614.
--- End Message ---
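
The trace in the report shows a 1-byte buffer allocated in fill_buffer receiving a 187-byte write in read_buf, and the changelog describes the fix as allocating a properly sized buffer. The C code below is an added illustration of that defensive pattern, not rzip's code and not the openSUSE patch: it assumes a hypothetical block header carrying two untrusted lengths, and the names blk_hdr, blk_capacity, load_block and the BLK_MAX cap are invented for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical block header: both lengths come from the untrusted archive. */
struct blk_hdr {
    int64_t decoded_len;  /* size the caller expects after decompression */
    int64_t stored_len;   /* bytes that will be read from the file */
};

#define BLK_MAX (64LL * 1024 * 1024)  /* assumed sanity cap for this example */

/* Returns 0 and sets *cap to a safe allocation size, or -1 if the header
 * must be rejected before any allocation or read happens. */
int blk_capacity(const struct blk_hdr *h, size_t *cap)
{
    if (h->decoded_len < 0 || h->stored_len < 0)
        return -1;                          /* negative length field */
    if (h->decoded_len > BLK_MAX || h->stored_len > BLK_MAX)
        return -1;                          /* implausibly large block */
    int64_t need = h->decoded_len > h->stored_len ? h->decoded_len
                                                  : h->stored_len;
    *cap = need ? (size_t)need : 1;         /* buffer covers both lengths */
    return 0;
}

/* Loads one block from an in-memory source; returns bytes copied or -1. */
long load_block(const struct blk_hdr *h, const unsigned char *src,
                size_t src_len, unsigned char **out)
{
    size_t cap;
    *out = NULL;
    if (blk_capacity(h, &cap) != 0)
        return -1;
    if ((size_t)h->stored_len > src_len)
        return -1;                          /* truncated input */
    unsigned char *buf = malloc(cap);
    if (!buf)
        return -1;
    memcpy(buf, src, (size_t)h->stored_len); /* stored_len <= cap here */
    *out = buf;
    return (long)h->stored_len;
}

int main(void)
{
    /* Constructed input using the sizes from the trace: 1 vs 187 bytes. */
    unsigned char src[187] = {0};
    struct blk_hdr h = { .decoded_len = 1, .stored_len = 187 };
    unsigned char *buf;
    long n = load_block(&h, src, sizeof src, &buf);
    free(buf);
    return n == 187 ? 0 : 1;
}
```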

