Source: lrzip
Version: 0.631-1
Severity: important
Tags: upstream security
Forwarded: https://github.com/ckolivas/lrzip/issues/66

Hi,

the following vulnerability was published for lrzip.

CVE-2017-8842[0]:
| The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in
| lrzip 0.631 allows remote attackers to cause a denial of service
| (divide-by-zero error and application crash) via a crafted archive.

ASAN_OPTIONS="detect_leaks=0" ./lrzip -t /root/poc/00228-lrzip-fpe-bufRead-get
Decompressing...
ASAN:DEADLYSIGNAL
=================================================================
==14170==ERROR: AddressSanitizer: FPE on unknown address 0x000000459dca (pc 0x000000459dca bp 0x7f0defc37a90 sp 0x7f0defc37a70 T1)
    #0 0x459dc9 in bufRead::get() libzpaq/libzpaq.h:468
    #1 0x44de34 in libzpaq::Decompresser::findBlock(double*) libzpaq/libzpaq.cpp:1236
    #2 0x44e45b in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) libzpaq/libzpaq.cpp:1363
    #3 0x445c2c in zpaq_decompress libzpaq/libzpaq.h:538
    #4 0x428c2e in zpaq_decompress_buf stream.c:453
    #5 0x430e60 in ucompthread stream.c:1534
    #6 0x7f0e456a6493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #7 0x7f0e44b4c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE libzpaq/libzpaq.h:468 in bufRead::get()
Thread T1 created by T0 here:
    #0 0x7f0e45f38f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x4267f8 in create_pthread stream.c:133
    #2 0x4325f0 in fill_buffer stream.c:1673
    #3 0x4333d5 in read_stream stream.c:1755
    #4 0x421d21 in read_u8 runzip.c:55
    #5 0x422983 in read_header runzip.c:144
    #6 0x423fd2 in runzip_chunk runzip.c:314
    #7 0x4244a8 in runzip_fd runzip.c:382
    #8 0x411378 in decompress_file lrzip.c:826
    #9 0x409b39 in main main.c:669
    #10 0x7f0e44a842b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

==14170==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8842
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8842
[1] https://github.com/ckolivas/lrzip/issues/66

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore