[Secure-testing-team] Bug#863156: lrzip: CVE-2017-8842: divide-by-zero in bufRead::get

Salvatore Bonaccorso carnil at debian.org
Mon May 22 18:54:04 UTC 2017


Source: lrzip
Version: 0.631-1
Severity: important
Tags: upstream security
Forwarded: https://github.com/ckolivas/lrzip/issues/66

Hi,

the following vulnerability was published for lrzip.

CVE-2017-8842[0]:
| The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in
| lrzip 0.631 allows remote attackers to cause a denial of service
| (divide-by-zero error and application crash) via a crafted archive.

ASAN_OPTIONS="detect_leaks=0" ./lrzip -t /root/poc/00228-lrzip-fpe-bufRead-get 
Decompressing...
ASAN:DEADLYSIGNAL
=================================================================
==14170==ERROR: AddressSanitizer: FPE on unknown address 0x000000459dca (pc 0x000000459dca bp 0x7f0defc37a90 sp 0x7f0defc37a70 T1)
    #0 0x459dc9 in bufRead::get() libzpaq/libzpaq.h:468
    #1 0x44de34 in libzpaq::Decompresser::findBlock(double*) libzpaq/libzpaq.cpp:1236
    #2 0x44e45b in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) libzpaq/libzpaq.cpp:1363
    #3 0x445c2c in zpaq_decompress libzpaq/libzpaq.h:538
    #4 0x428c2e in zpaq_decompress_buf stream.c:453
    #5 0x430e60 in ucompthread stream.c:1534
    #6 0x7f0e456a6493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #7 0x7f0e44b4c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE libzpaq/libzpaq.h:468 in bufRead::get()
Thread T1 created by T0 here:
    #0 0x7f0e45f38f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x4267f8 in create_pthread stream.c:133
    #2 0x4325f0 in fill_buffer stream.c:1673
    #3 0x4333d5 in read_stream stream.c:1755
    #4 0x421d21 in read_u8 runzip.c:55
    #5 0x422983 in read_header runzip.c:144
    #6 0x423fd2 in runzip_chunk runzip.c:314
    #7 0x4244a8 in runzip_fd runzip.c:382
    #8 0x411378 in decompress_file lrzip.c:826
    #9 0x409b39 in main main.c:669
    #10 0x7f0e44a842b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

==14170==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8842
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8842
[1] https://github.com/ckolivas/lrzip/issues/66

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
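The bug class behind this report, illustrated with an added example that is not part of the bug report and not lrzip's own code: a minimal C++ model of a libzpaq-style Reader whose get() reports decompression progress. The struct, its field names (s_buf, s_len, total_len) and the progress-percentage division are assumptions chosen to show how a length taken from a crafted archive can become a zero divisor in a hot read path; they are not a claim about the exact expression at libzpaq.h:468. The unchecked and checked percentage helpers sit side by side; only the checked one is exercised on the zero-total input, because the unchecked form faults (the SIGFPE that ASAN reports as FPE above).

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Vulnerable form (assumed model): the divisor is header-derived state, so a
// claimed total of 0 is an integer divide-by-zero, SIGFPE on x86.
static int progress_pct_unchecked(int64_t done, int64_t total) {
    return static_cast<int>(done * 100 / total);
}

// Hardened form: refuse non-positive totals and clamp done into [0, total]
// so a header that lies about the size can neither fault nor produce an
// out-of-range percentage.
static int progress_pct_checked(int64_t done, int64_t total) {
    if (total <= 0) return 0;
    if (done < 0) done = 0;
    if (done > total) done = total;
    return static_cast<int>(done * 100 / total);
}

// Hypothetical reader over an in-memory buffer, modelled on the names in the
// trace above. get() returns the next byte or -1 at end of stream.
struct ModelBufRead {
    const uint8_t *s_buf;   // current read position
    int64_t s_len;          // bytes left in the buffer
    int64_t total_len;      // claimed total size; assumed to come from the archive header
    bool progress;          // print progress every 128 bytes
    bool hardened;          // select checked vs. unchecked percentage
    int last_pct;           // last percentage reported

    int get() {
        if (s_len <= 0) return -1;
        if (progress && (s_len % 128) == 0) {
            int64_t done = total_len - s_len;
            int pct = hardened ? progress_pct_checked(done, total_len)
                               : progress_pct_unchecked(done, total_len);
            if (pct != last_pct) {
                last_pct = pct;
                std::fprintf(stderr, "\r%3d%%", pct);
            }
        }
        --s_len;
        return *s_buf++;
    }
};

// Read a reader to exhaustion; returns the number of bytes delivered.
static int64_t drain(ModelBufRead &r) {
    int64_t n = 0;
    while (r.get() != -1) ++n;
    return n;
}

// Constructed input: 300 zero bytes standing in for a decompression buffer,
// paired with a header that claims total_len == 0 (the crafted case). With
// hardened == false the unchecked division is reached at s_len == 256.
static int64_t drain_crafted_zero_total(bool hardened) {
    std::vector<uint8_t> buf(300, 0);
    ModelBufRead r{buf.data(), static_cast<int64_t>(buf.size()),
                   /*total_len=*/0, /*progress=*/true, hardened, /*last_pct=*/-1};
    return drain(r);
}

int main() {
    std::printf("hardened reader drained %lld bytes\n",
                static_cast<long long>(drain_crafted_zero_total(true)));
    // drain_crafted_zero_total(false) would fault on the zero divisor.
    return 0;
}
```

The fix pattern is the one a reviewer would ask for in any decompressor: validate length fields at the point they are parsed from the archive (reject zero or negative totals, and totals smaller than what the stream actually carries), and keep the per-byte path free of divisions by anything the input controls.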


