Control: tags -1 patch
Hi,
On Mon, 01 May 2017 16:14:08 +0200 Salvatore Bonaccorso <[email protected]>
wrote:
> Source: rzip
> Version: 2.1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
>
> Hi,
>
> the following vulnerability was published for rzip, filed with RC
> severity due to the heap overflow write, but no further investigation
> done so far.
>
> CVE-2017-8364[0]:
> | The read_buf function in stream.c in rzip 2.1 allows remote attackers
> | to cause a denial of service (heap-based buffer overflow and
> | application crash) or possibly have unspecified other impact via a
> | crafted archive.
openSUSE applied the attached patch, taken from the openSUSE Leap 42.2 package
[1].
Cheers,
Emilio
[1]
http://download.opensuse.org/repositories/openSUSE:/Leap:/42.2:/Update/standard/src/rzip-2.1-151.3.1.src.rpm
Index: rzip-2.1/stream.c
===================================================================
--- rzip-2.1.orig/stream.c
+++ rzip-2.1/stream.c
@@ -147,16 +147,16 @@ static int write_u32(int f, u32 v)
return 0;
}
-static int read_buf(int f, uchar *p, int len)
+static int read_buf(int f, uchar *p, unsigned int len)
{
int ret;
ret = read(f, p, len);
if (ret == -1) {
- err_msg("Read of length %d failed - %s\n", len, strerror(errno));
+ err_msg("Read of length %u failed - %s\n", len, strerror(errno));
return -1;
}
if (ret != len) {
- err_msg("Partial read!? asked for %d bytes but got %d\n", len, ret);
+ err_msg("Partial read!? asked for %u bytes but got %d\n", len, ret);
return -1;
}
return 0;
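Review bot: in read_buf, `ret` is still declared `int` while `len` becomes `unsigned int`, so `if (ret != len)` is now a mixed signed/unsigned comparison, and a `len` above INT_MAX can never equal what `read` hands back through an `int`. Suggest declaring `ret` as `ssize_t` and comparing `(size_t)ret != len` after the -1 check. The type change by itself also does not bound `len` against the size of the buffer behind `p`: a negative length computed by a caller now arrives here as a very large unsigned value, so the callers still need their own range check before calling read_buf.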
@@ -399,7 +399,7 @@ static int fill_buffer(struct stream_inf
if (sinfo->s[stream].buf) {
free(sinfo->s[stream].buf);
}
- sinfo->s[stream].buf = malloc(u_len);
+ sinfo->s[stream].buf = malloc(c_len > u_len ? c_len : u_len);
if (!sinfo->s[stream].buf) {
return -1;
}
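Review bot: the new `malloc(c_len > u_len ? c_len : u_len)` in fill_buffer carries no comment saying why the buffer must also hold `c_len` bytes, and in the visible lines neither length is validated before it is used as an allocation size. Suggest a one-line comment naming the read or copy into `buf` that uses `c_len`, plus a check ahead of the malloc that rejects zero or implausibly large values. If a well-formed stream never has `c_len` greater than `u_len`, returning -1 in that case would be stricter than growing the buffer to fit.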