[Secure-testing-team] Bug#863145: lrzip: CVE-2017-8847: NULL pointer dereference in bufRead::get

Salvatore Bonaccorso carnil at debian.org
Mon May 22 17:08:47 UTC 2017


Source: lrzip
Version: 0.631-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ckolivas/lrzip/issues/67

Hi,

the following vulnerability was published for lrzip.

CVE-2017-8847[0]:
| The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in
| lrzip 0.631 allows remote attackers to cause a denial of service (NULL
| pointer dereference and application crash) via a crafted archive.

./lrzip -t /root/poc/00229-lrzip-nullptr-bufRead-get 
Decompressing...
Inconsistent length after decompression. Got 0 bytes, expected 2
ASAN:DEADLYSIGNAL
=================================================================
==15340==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000459ef1 bp 0x7f4bf3031a90 sp 0x7f4bf3031a70 T2)
    #0 0x459ef0 in bufRead::get() libzpaq/libzpaq.h:485
    #1 0x44de34 in libzpaq::Decompresser::findBlock(double*) libzpaq/libzpaq.cpp:1236
    #2 0x44e45b in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) libzpaq/libzpaq.cpp:1363
    #3 0x445c2c in zpaq_decompress libzpaq/libzpaq.h:538
    #4 0x428c2e in zpaq_decompress_buf stream.c:453
    #5 0x430e60 in ucompthread stream.c:1534
    #6 0x7f4c48e05493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #7 0x7f4c482ab93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libzpaq/libzpaq.h:485 in bufRead::get()
Thread T2 created by T0 here:
    #0 0x7f4c49697f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x4267f8 in create_pthread stream.c:133
    #2 0x4325f0 in fill_buffer stream.c:1673
    #3 0x4333d5 in read_stream stream.c:1755
    #4 0x422b76 in unzip_literal runzip.c:162
    #5 0x423ccb in runzip_chunk runzip.c:320
    #6 0x4244a8 in runzip_fd runzip.c:382
    #7 0x411378 in decompress_file lrzip.c:826
    #8 0x409b39 in main main.c:669
    #9 0x7f4c481e32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

==15340==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8847
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8847

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
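An added illustration, not lrzip's or libzpaq's code: a minimal buffered Reader modeled on libzpaq's get()-returns-byte-or-minus-one interface, shown in an unchecked form that dereferences a NULL buffer as soon as it is handed a non-zero length (the failure mode in the trace above, where the decompressed buffer holds 0 of the expected 2 bytes and findBlock then pulls bytes through get()), next to a checked form that treats a NULL buffer as end of input so the block scan terminates cleanly instead of crashing. The Reader, BufRead and find_block definitions and the 4-byte marker are constructed for this example and are not the real libzpaq structures or ZPAQ block tag.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Minimal stand-in for libzpaq::Reader: get() returns the next byte
// (0..255) or -1 at end of input. Only this one method is modeled.
struct Reader {
    virtual ~Reader() {}
    virtual int get() = 0;
};

// Hypothetical unchecked reader: trusts the caller-supplied length and
// never checks the buffer pointer. With buf == nullptr and len > 0 the
// first get() dereferences address 0, which is the SEGV pattern above.
struct UncheckedBufRead : Reader {
    const uint8_t* buf;
    size_t len;
    size_t pos;
    UncheckedBufRead(const uint8_t* b, size_t n) : buf(b), len(n), pos(0) {}
    int get() override {
        if (pos >= len) return -1;
        return buf[pos++];          // crashes when buf is NULL
    }
};

// Hardened reader: a NULL buffer is reported as end of input regardless
// of the length the caller claimed, so downstream code sees -1 and stops.
struct CheckedBufRead : Reader {
    const uint8_t* buf;
    size_t len;
    size_t pos;
    CheckedBufRead(const uint8_t* b, size_t n) : buf(b), len(b ? n : 0), pos(0) {}
    int get() override {
        if (!buf || pos >= len) return -1;
        return buf[pos++];
    }
};

// Constructed 4-byte marker (not the real ZPAQ block tag).
static const uint8_t kMarker[4] = {0x7a, 0x50, 0x51, 0x01};

// Byte-at-a-time scan for kMarker in the style of a block finder:
// a -1 from get() means the input is exhausted and the scan fails cleanly.
bool find_block(Reader& in) {
    uint8_t win[sizeof kMarker];
    size_t filled = 0;
    for (;;) {
        int c = in.get();
        if (c < 0) return false;
        if (filled < sizeof kMarker) {
            win[filled++] = (uint8_t)c;
        } else {
            memmove(win, win + 1, sizeof kMarker - 1);
            win[sizeof kMarker - 1] = (uint8_t)c;
        }
        if (filled == sizeof kMarker && memcmp(win, kMarker, sizeof kMarker) == 0)
            return true;
    }
}

// Models the bad case from the report: the stage before us produced no
// bytes (NULL buffer) but reported an expected length of 2.
bool scan_null_buffer_checked() {
    CheckedBufRead r(nullptr, 2);
    return find_block(r);           // false, no crash
}

// Normal case: constructed input with junk before the marker.
bool scan_valid_buffer_checked() {
    static const uint8_t data[] = {0x00, 0x01, 0x7a, 0x50, 0x51, 0x01, 0x09};
    CheckedBufRead r(data, sizeof data);
    return find_block(r);           // true
}

int main() {
    printf("checked reader, NULL buffer: found=%d\n", scan_null_buffer_checked());
    printf("checked reader, valid buffer: found=%d\n", scan_valid_buffer_checked());
    // UncheckedBufRead(nullptr, 2) would SEGV inside get(); not run here.
    return 0;
}
```

The fix is deliberately placed in the reader rather than in every caller: findBlock-style loops already handle -1, so making get() return -1 for a missing buffer closes the crash without touching the scan logic.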
