Bug 682270 (CVE-2019-10654)

Summary:	app-arch/lrzip: invalid memory read in lzo1x_decompress
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	ajak, gentoo.qxrin, maintainer-needed
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/ckolivas/lrzip/issues/108
Whiteboard:	B3 [upstream cve]
Package list:		Runtime testing required:	---

Description D'juan McDonald (domhnall) 2019-04-01 18:37:47 UTC

(https://nvd.nist.gov/vuln/detail/CVE-2019-10654):
The lzo1x_decompress function in liblzo2.so.2 in LZO 2.10, as used in Long Range Zip (aka lrzip) 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive, a different vulnerability than CVE-2017-8845.


Gentoo Security Padawan
(domhnall)

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2019-08-10 16:48:55 UTC

looks to be an imcomplete fix:

https://github.com/ckolivas/lrzip/issues/108

Comment 2 John Helmert III archtester

2021-01-23 06:10:26 UTC

Maintainer suggests using a PR:

https://github.com/ckolivas/lrzip/issues/108#issuecomment-584319910

This PR is closed and its functionality is said to be implemented in another PR, without linking it. I can't find such a PR and I can't see the commit in master.

I have no idea if this bug was fixed elsewhere as I couldn't reproduce it but there appears to be more security fixes in the commit log so it would be prudent to add another snapshot.

Comment 3 John Helmert III archtester

2021-06-29 23:50:58 UTC

(In reply to John Helmert III from comment #2)
> Maintainer suggests using a PR:
> 
> https://github.com/ckolivas/lrzip/issues/108#issuecomment-584319910

Oops, that might not be the maintainer. They seem to maintain a fork that they recommend:

https://github.com/ckolivas/lrzip/pull/140#issuecomment-869879318
https://github.com/pete4abw/lrzip-next