Source: rzip
Version: 2.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for rzip, filled with RC
severity due to the heap overflow write, but no further investigation
done so far.
CVE-2017-8364[0]:
| The read_buf function in stream.c in rzip 2.1 allows remote attackers
| to cause a denial of service (heap-based buffer overflow and
| application crash) or possibly have unspecified other impact via a
| crafted archive.
~/rzip-2.1# ./rzip -k -f -d ~/poc/00277-rzip-heap-overflow-read_buf.rz
Read of length -1325400064 failed - Bad address
=================================================================
==1219==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd1
at pc 0x7f4611df3965 bp 0x7fff8e6c3430 sp 0x7fff8e6c2be0
WRITE of size 187 at 0x60200000efd1 thread T0
#0 0x7f4611df3964 in read (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x48964)
#1 0x55d535e8095f in read_buf stream.c:153
#2 0x55d535e8294a in fill_buffer stream.c:406
#3 0x55d535e8312b in read_stream stream.c:464
#4 0x55d535e7d99e in unzip_literal runzip.c:75
#5 0x55d535e7de6a in runzip_chunk runzip.c:156
#6 0x55d535e7e03b in runzip_fd runzip.c:184
#7 0x55d535e7ef11 in decompress_file main.c:180
#8 0x55d535e7ffa9 in main main.c:368
#9 0x7f461181d2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#10 0x55d535e79609 in _start (/root/rzip-2.1/rzip+0x3609)
0x60200000efd1 is located 0 bytes to the right of 1-byte region
[0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
#0 0x7f4611e6cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55d535e82813 in fill_buffer stream.c:402
#2 0x55d535e8312b in read_stream stream.c:464
#3 0x55d535e7d99e in unzip_literal runzip.c:75
#4 0x55d535e7de6a in runzip_chunk runzip.c:156
#5 0x55d535e7e03b in runzip_fd runzip.c:184
#6 0x55d535e7ef11 in decompress_file main.c:180
#7 0x55d535e7ffa9 in main main.c:368
#8 0x7f461181d2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x48964) in read
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1219==ABORTING
~/rzip-2.1#
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8364
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8364
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
