*** This bug is a security vulnerability ***

Public security bug reported:

Out-of-bounds read during processing 7zip archive

# Description
During extraction of the attached 7zip archive via
```
/usr/libexec/p7zip/7za e -so -y /testcase
```
an out-of-bounds read is triggered and causes a segmentation fault (SIGSEGV).

This bug allows an attacker to perform a denial of service and possibly opens up
other attack vectors.
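The Valgrind trace below places the fault in the NSIS parser reading one byte past the data it was given. As an added example (not p7zip's code and not the NSIS layout), the following C program shows the pattern that closes this bug class on the defender's side: every read from an untrusted archive buffer goes through a cursor that checks the remaining length, and a claimed element count is validated against the bytes actually present before the loop that consumes them. The header layout, the "SXEN" magic, the 8-byte entry size and the `MAX_ENTRIES` limit are all constructed for this illustration.

```c
/* Added example, not p7zip code: a bounds-checked cursor for parsing an
 * untrusted archive header. The layout (4-byte magic "SXEN", a little-endian
 * u32 entry count, then 8-byte entries of offset+size) is constructed for
 * this illustration and is not the NSIS format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buf;
    size_t len;   /* total bytes available */
    size_t pos;   /* invariant: pos <= len */
} Cursor;

/* Read a little-endian u32 at the cursor; refuse instead of reading past len. */
static bool read_u32(Cursor *c, uint32_t *out) {
    if (c->len - c->pos < 4)
        return false;
    const uint8_t *p = c->buf + c->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    c->pos += 4;
    return true;
}

#define MAGIC_SXEN  0x4E455853u  /* bytes 'S','X','E','N' read little-endian */
#define ENTRY_SIZE  8u
#define MAX_ENTRIES 1024u        /* hypothetical sanity limit on the count field */

typedef struct {
    uint32_t offset;
    uint32_t size;
} Entry;

/* Parse the header into `entries`. Returns the entry count on success or -1 on
 * malformed or truncated input. Never reads outside buf[0 .. len). */
int parse_header(const uint8_t *buf, size_t len, Entry *entries, size_t max_entries) {
    Cursor c = { buf, len, 0 };
    uint32_t magic, count;

    if (!read_u32(&c, &magic) || magic != MAGIC_SXEN)
        return -1;
    if (!read_u32(&c, &count))
        return -1;
    /* The unsafe pattern is to trust `count` and loop over count*ENTRY_SIZE
     * bytes; a crafted count then walks the parser off the end of the buffer.
     * Validate the claimed table size against the bytes actually present. */
    if (count > MAX_ENTRIES || count > max_entries)
        return -1;
    if ((size_t)count * ENTRY_SIZE > c.len - c.pos)
        return -1;                               /* truncated entry table */

    for (uint32_t i = 0; i < count; i++) {
        if (!read_u32(&c, &entries[i].offset) || !read_u32(&c, &entries[i].size))
            return -1;
        /* Each entry's payload must also lie inside the file. */
        if (entries[i].offset > len || entries[i].size > len - entries[i].offset)
            return -1;
    }
    return (int)count;
}

/* Constructed sample inputs: 0 = well-formed (two entries), 1 = entry table
 * truncated after one entry, 2 = absurd entry count, 3 = entry whose payload
 * lies outside the file. Returns parse_header's result for that sample. */
int parse_sample(int which) {
    static const uint8_t well_formed[] = {
        'S','X','E','N', 2,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 4,0,0,0 };
    static const uint8_t truncated[]   = {
        'S','X','E','N', 2,0,0,0, 0,0,0,0, 4,0,0,0 };
    static const uint8_t huge_count[]  = {
        'S','X','E','N', 0xFF,0xFF,0xFF,0xFF };
    static const uint8_t outside[]     = {
        'S','X','E','N', 1,0,0,0, 100,0,0,0, 1,0,0,0 };
    Entry entries[MAX_ENTRIES];

    switch (which) {
    case 0: return parse_header(well_formed, sizeof well_formed, entries, MAX_ENTRIES);
    case 1: return parse_header(truncated,   sizeof truncated,   entries, MAX_ENTRIES);
    case 2: return parse_header(huge_count,  sizeof huge_count,  entries, MAX_ENTRIES);
    case 3: return parse_header(outside,     sizeof outside,     entries, MAX_ENTRIES);
    default: return -1;
    }
}

int main(void) {
    static const char *names[] = { "well-formed", "truncated", "huge count", "entry outside file" };
    for (int i = 0; i < 4; i++)
        printf("%-20s -> %d\n", names[i], parse_sample(i));
    return 0;
}
```

Building this with `-fsanitize=address` (or running it under Valgrind, as the reporter did) is the way to confirm that no code path can still read past the buffer: the three malformed samples return -1 without touching a byte beyond `len`, which is exactly the property the NSIS parser in this report lacks.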

To reproduce the crash, we provide scripts alongside the crashing input:
- ./reproduce-ubuntu.sh: Reproduce crash via an Ubuntu 20.04 Docker container

If you need further details, we are happy to assist where possible.

# apt show p7zip-full
```
Package: p7zip-full
Version: 16.02+dfsg-7build1
Priority: optional
Section: universe/utils
Source: p7zip
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
Original-Maintainer: Robert Luberda <rob...@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 4887 kB
Depends: p7zip (= 16.02+dfsg-7build1), libc6 (>= 2.14), libgcc-s1 (>= 3.0), libstdc++6 (>= 5)
Suggests: p7zip-rar
Breaks: p7zip (<< 15.09+dfsg-3~)
Replaces: p7zip (<< 15.09+dfsg-3~)
Homepage: http://p7zip.sourceforge.net/
Task: kubuntu-desktop, kubuntu-full, xubuntu-desktop, lubuntu-desktop, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop
Download-Size: 1187 kB
APT-Manual-Installed: no
APT-Sources: http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
Description: 7z and 7za file archivers with high compression ratio
```

# valgrind ubuntu
```
[+] Running /usr/lib/p7zip/7z e -so -y /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /usr/lib/p7zip/7z e -so -y /testcase
==1== 
==1== Invalid read of size 1
==1==    at 0x5282063: NArchive::NNsis::CInArchive::Parse() (NsisIn.cpp:5024)
==1==    by 0x528234E: NArchive::NNsis::CInArchive::Open2(unsigned char const*, unsigned long) [clone .part.0] (NsisIn.cpp:5659)
==1==    by 0x52829B2: Open2 (NsisIn.cpp:5537)
==1==    by 0x52829B2: NArchive::NNsis::CInArchive::Open(IInStream*, unsigned long long const*) (NsisIn.cpp:5836)
==1==    by 0x527DA8A: NArchive::NNsis::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) (NsisHandler.cpp:196)
==1==    by 0x143291: OpenArchiveSpec(IInArchive*, bool, IInStream*, unsigned long long const*, IArchiveOpenCallback*, IArchiveExtractCallback*) (OpenArchive.cpp:1537)
==1==    by 0x148B47: CArc::OpenStream2(COpenOptions const&) (OpenArchive.cpp:2636)
==1==    by 0x149B9C: CArc::OpenStream(COpenOptions const&) (OpenArchive.cpp:2901)
==1==    by 0x14A136: CArc::OpenStreamOrFile(COpenOptions&) (OpenArchive.cpp:2993)
==1==    by 0x14B122: CArchiveLink::Open(COpenOptions&) (OpenArchive.cpp:3169)
==1==    by 0x14C03C: CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) (OpenArchive.cpp:3292)
==1==    by 0x14C392: CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) (OpenArchive.cpp:3356)
==1==    by 0x13A94E: Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) (Extract.cpp:362)
==1==  Address 0x104edf5fe is not stack'd, malloc'd or (recently) free'd
==1== 
==1== 
==1== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==1==  Access not within mapped region at address 0x104EDF5FE
==1==    at 0x5282063: NArchive::NNsis::CInArchive::Parse() (NsisIn.cpp:5024)
==1==    by 0x528234E: NArchive::NNsis::CInArchive::Open2(unsigned char const*, unsigned long) [clone .part.0] (NsisIn.cpp:5659)
==1==    by 0x52829B2: Open2 (NsisIn.cpp:5537)
==1==    by 0x52829B2: NArchive::NNsis::CInArchive::Open(IInStream*, unsigned long long const*) (NsisIn.cpp:5836)
==1==    by 0x527DA8A: NArchive::NNsis::CHandler::Open(IInStream*, unsigned long long const*, IArchiveOpenCallback*) (NsisHandler.cpp:196)
==1==    by 0x143291: OpenArchiveSpec(IInArchive*, bool, IInStream*, unsigned long long const*, IArchiveOpenCallback*, IArchiveExtractCallback*) (OpenArchive.cpp:1537)
==1==    by 0x148B47: CArc::OpenStream2(COpenOptions const&) (OpenArchive.cpp:2636)
==1==    by 0x149B9C: CArc::OpenStream(COpenOptions const&) (OpenArchive.cpp:2901)
==1==    by 0x14A136: CArc::OpenStreamOrFile(COpenOptions&) (OpenArchive.cpp:2993)
==1==    by 0x14B122: CArchiveLink::Open(COpenOptions&) (OpenArchive.cpp:3169)
==1==    by 0x14C03C: CArchiveLink::Open2(COpenOptions&, IOpenCallbackUI*) (OpenArchive.cpp:3292)
==1==    by 0x14C392: CArchiveLink::Open3(COpenOptions&, IOpenCallbackUI*) (OpenArchive.cpp:3356)
==1==    by 0x13A94E: Extract(CCodecs*, CObjectVector<COpenType> const&, CRecordVector<int> const&, CObjectVector<UString>&, CObjectVector<UString>&, NWildcard::CCensorNode const&, CExtractOptions const&, IOpenCallbackUI*, IExtractCallbackUI*, IHashCalc*, UString&, CDecompressStat&) (Extract.cpp:362)
==1==  If you believe this happened as a result of a stack
==1==  overflow in your program's main thread (unlikely but
==1==  possible), you can try to increase the size of the
==1==  main thread stack using the --main-stacksize= flag.
==1==  The main thread stack size used in this run was 8388608.
==1== 
==1== HEAP SUMMARY:
==1==     in use at exit: 5,335,798 bytes in 843 blocks
==1==   total heap usage: 3,648 allocs, 2,805 frees, 6,190,287 bytes allocated
==1== 
==1== LEAK SUMMARY:
==1==    definitely lost: 0 bytes in 0 blocks
==1==    indirectly lost: 0 bytes in 0 blocks
==1==      possibly lost: 0 bytes in 0 blocks
==1==    still reachable: 5,335,798 bytes in 843 blocks
==1==                       of which reachable via heuristic:
==1==                         newarray           : 1,256 bytes in 1 blocks
==1==         suppressed: 0 bytes in 0 blocks
```

** Affects: p7zip (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "Crashing input and script for reproduction."
   https://bugs.launchpad.net/bugs/1962740/+attachment/5564996/+files/7zip_03.zip

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1962740

Title:
  Out-of-bounds read during processing 7zip archive

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/p7zip/+bug/1962740/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs