[Secure-testing-team] Bug#863150: lrzip: CVE-2017-8846: use-after-free in read_stream (stream.c)
Salvatore Bonaccorso
carnil at debian.org
Mon May 22 18:25:06 UTC 2017
Source: lrzip
Severity: important
Tags: security upstream
Forwarded: https://github.com/ckolivas/lrzip/issues/71
Hi,
the following vulnerability was published for lrzip.
CVE-2017-8846[0]:
| The read_stream function in stream.c in liblrzip.so in lrzip 0.631
| allows remote attackers to cause a denial of service (use-after-free
| and application crash) via a crafted archive.
I'm not 100% certain I can confirm the issue on lrzip. There looks
there is definitively a possible issue, but I was not able to follow
the full code, to confirm. Thus filling for this one just a but with
the respective upstream reference. We might need to wait for the
upstream patch to confirm.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8846
[1] https://github.com/ckolivas/lrzip/issues/71
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list