Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 856055 (CVE-2021-33451, CVE-2021-33453, CVE-2022-33067)

Summary: app-arch/lrzip: DoS via invalid arithmetic shifts
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: gentoo.qxrin, maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/ckolivas/lrzip/issues/224
Whiteboard: B3 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-03 03:20:57 UTC 
CVE-2022-33067:

Lrzip v0.651 was discovered to contain multiple invalid arithmetic shifts via the functions get_magic in lrzip.c and Predictor::init in libzpaq/libzpaq.cpp. These vulnerabilities allow attackers to cause a Denial of Service via unspecified vectors.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-27 04:36:22 UTC 
CVE-2021-33451 (https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d):
https://github.com/ckolivas/lrzip/issues/198

An issue was discovered in lrzip version 0.641. There are memory leaks in fill_buffer() in stream.c.

CVE-2021-33453 (https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d):
https://github.com/ckolivas/lrzip/issues/199

An issue was discovered in lrzip version 0.641. There is a use-after-free in ucompthread() in stream.c:1538.

Seems upstream can't reproduce..