| Summary: | <app-arch/lrzip-0.631_p20190619: Multiple Vulnearbilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Yury German <blueknight> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | maintainer-needed |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=624462 | ||
| Whiteboard: | B2 [glsa+ cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Yury German
2017-05-09 07:07:25 UTC
CVE-2017-8847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8847): The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. CVE-2017-8846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8846): The read_stream function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted archive. CVE-2017-8845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8845): The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lrzip 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive. CVE-2017-8844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8844): The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted archive. CVE-2017-8843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8843): The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. CVE-2017-8842 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8842): The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted archive. documented here: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/ These issues does not require a special config or env, so this is B, and this is 2 because of the write issue. Upstream has the relevant fixes in place and we are awaiting for their new release. Michael Boyle Gentoo Security Padawan Dropping CVE-2017-8847 which has an unknown status. Unable to check for sanity:
> dependent bug #624462 is missing keywords
Resetting sanity check; package list is empty or all packages are done. This issue was resolved and addressed in GLSA 202005-01 at https://security.gentoo.org/glsa/202005-01 by GLSA coordinator Thomas Deutschmann (whissi). (In reply to Thomas Deutschmann (RETIRED) from comment #5) > Dropping CVE-2017-8847 which has an unknown status. But CVE-2017-8847 seems to have made it into the GLSA anyway, so keeping it in the bug. |
