Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 572418 (CVE-2016-1925) - <app-arch/lha-114i_p20201004: Buffer Overflow in lha compression utility
Summary: <app-arch/lha-114i_p20201004: Buffer Overflow in lha compression utility
Status: RESOLVED FIXED
Alias: CVE-2016-1925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2016-01-20 08:43 UTC by Agostino Sarubbo
Modified: 2020-07-27 00:58 UTC (History)
4 users (show)

See Also:
Package list:
=app-arch/lha-114i_p20201004
Runtime testing required: ---
nattka: sanity-check+


Attachments
lha-114i-fix-CVE-2016-1925.patch (lha-114i-fix-CVE-2016-1925.patch,2.24 KB, patch)
2017-01-13 15:51 UTC, Paolo Pedroni
no flags Details | Diff
app-arch/lha-114i_p20190124.ebuild (lha-114i_p20190124.ebuild,1015 bytes, text/plain)
2019-09-22 04:55 UTC, Jared B.
no flags Details
lha-114i-file-list-from-stdin.patch (lha-114i-file-list-from-stdin.patch,924 bytes, patch)
2019-09-22 04:57 UTC, Jared B.
no flags Details | Diff
app-arch/lha-114i_p20190124.ebuild (lha-114i_p20190124.ebuild,1.12 KB, text/plain)
2019-09-22 07:25 UTC, Jared B.
no flags Details
app-arch/lha-114i_p20190124.ebuild (lha-114i_p20190124.ebuild,1.03 KB, text/plain)
2019-09-24 00:46 UTC, Jared B.
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-01-20 08:43:26 UTC
From ${URL} :

== Overview ==
LHA for UNIX (https://osdn.jp/projects/lha/) is an open source
implementation of the LHA compression utility and associated file format.

== Version ==
All tests were performed using the latest 20b6ba8 commit of the master
branch from https://osdn.jp/projects/lha/scm/git/lha/

== Details ==
Using the afl fuzzer, two cases which triggered a buffer overflow where
discovered. The problem existed in header.c:797-800 and header.c:913-916
while parsing level0 and level1 headers accordingly.

=797-800=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }

=913-916=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }


The header_size variable is determined from the first byte of the lha
archive header, which is read by the get_byte function. The returned
value is used in:

header_size + 2 - COMMON_HEADER_SIZE

to determine the elements' size used in fread() .

If the header_size is less than abs(2 - COMMON_HEADER_SIZE) = abs(2 -
21) = 19 then the size parameter is overflowed and a buffer overflow
occurs in fread.

== Timeline ==
2016-01-13 - Bug report submitted
2016-01-16 - Bug fix pushed to master (commit bf2471f)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-22 12:52:25 UTC
@ Maintainer(s): Please consider doing a snapshot release or at least cherry-pick https://de.osdn.net/projects/lha/scm/git/lha/commits/bf2471f to address this vulnerability.
Comment 2 Paolo Pedroni 2017-01-13 15:51:05 UTC
Created attachment 459882 [details, diff]
lha-114i-fix-CVE-2016-1925.patch

This is the patch from upstream that fixes the bug.
Comment 3 Paolo Pedroni 2017-01-13 16:00:28 UTC
Scratch that, it fails. I'll work some more on it.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 17:10:32 UTC
@Maintainers ping.

Fix is already in master branch on git's repo, you may want to use it since there are no tags nor versions in the repository and the official web page says to use the repo because of vulnerabilities in the last release.

Thank you.

Gentoo Security Padawan
ChrisADR
Comment 5 Jared B. 2019-09-22 04:54:52 UTC
Hello.  Apologies for the extreme tardiness on this, but at Michał's prompting in bug 633010 I realized this was still pending and wanted to take a crack at it.

I thought it made the most sense to do a full snapshot rather than backporting the specific patch in question as there's been a number of newer commits and bugfixes.  That being said, I'm not sure how that's typically handled by Gentoo devs, so if my approach below is wrong I'd appreciate some guidance and I'll happily update as suggested.

I cloned the repo from the last commit and created a snapshot available here:
https://www.legroom.net/public/lha-114i_p20190124.txz

I used the following SRC_URI since there's no upstream-provided snapshot.
SRC_URI="mirror://gentoo/lha-114i_p20190124.txz"

Other differences, for reference:

* Both patches still seemed to apply, so I simply updated them

* The PROTOTYPES bits discussed in bug 423125 no longer seem to apply, so I removed those lines.

* The man page is (now?) in English, so I removed the line sending it to the Japanese directory.

Compiled and tested on amd64.  Seems to work as expected.

Feedback welcome.
Comment 6 Jared B. 2019-09-22 04:55:56 UTC
Created attachment 590626 [details]
app-arch/lha-114i_p20190124.ebuild
Comment 7 Jared B. 2019-09-22 04:57:09 UTC
Created attachment 590628 [details, diff]
lha-114i-file-list-from-stdin.patch

Note: the other patch (lha-114i-fix-getopt_long-declaration.patch) didn't need to be modified
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-22 06:20:06 UTC
If you're talking about the GitHub repo, you can just use the 'archive/' URL for a specific commit in SRC_URI.  Take their 'download ZIP' URI, replace .zip with .tar.gz, 'master' with commit ID and it will work.
Comment 9 Jared B. 2019-09-22 07:24:45 UTC
(In reply to Michał Górny from comment #8)
> Take their 'download ZIP' URI, replace
> .zip with .tar.gz, 'master' with commit ID and it will work.

Nice, I didn't realize you could download a specific commit like that via HTTP.  Thanks for the tip.  Attaching updated ebuild using that method.
Comment 10 Jared B. 2019-09-22 07:25:40 UTC
Created attachment 590630 [details]
app-arch/lha-114i_p20190124.ebuild
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-22 07:56:08 UTC
Comment on attachment 590630 [details]
app-arch/lha-114i_p20190124.ebuild

># Copyright 1999-2018 Gentoo Authors

Please update your calendar.

># Distributed under the terms of the GNU General Public License v2
>
>EAPI=7
>
>inherit autotools flag-o-matic
>
>MY_P="${P/_p*}"

Remove this, see below.

>MY_COMMIT="e73199781397156be57866688a18d522d43c78ef"
>
>DESCRIPTION="Utility for creating and opening lzh archives"
>HOMEPAGE="https://github.com/jca02266/lha https://lha.osdn.jp"
>SRC_URI="https://github.com/jca02266/lha/archive/${MY_COMMIT}.tar.gz -> ${P}.tar.gz"
>
>LICENSE="lha"
>SLOT="0"
>KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~m68k-mint"
>
>S="${WORKDIR}/${PN}-${MY_COMMIT}"
>
>PATCHES=(
>	"${FILESDIR}"/${MY_P}-file-list-from-stdin.patch
>	"${FILESDIR}"/${MY_P}-fix-getopt_long-declaration.patch

Just inline MY_P here.  There is no real relation between snapshot version and the filename of those patches (they would probably still apply if upstream changed version number).

Also, as a side request, could you consider submitting them to that GitHub repo?  It looks silly to still have to apply patches when we're apparently switching to a patched snapshot.

>)
>
>src_prepare() {
>	default
>
>	sed -e 's/^AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' \
>		-i configure.ac || die #467544

Likewise (submit upstream).

>
>	eautoreconf
>}
>
>src_configure() {
>#	append-cppflags -DPROTOTYPES #423125

This is no longer necessary?  Remove it then; flag-o-matic inherit too.

>
>	if [[ ${CHOST} == *-interix* ]]; then
>		export ac_cv_header_inttypes_h=no
>		export ac_cv_func_iconv=no
>	fi
>
>	econf

or 'default'.

>}
>
>src_install() {
>	emake \
>		DESTDIR="${D}" \
>		install

or 'default'?  ;-)

>
>	dodoc ChangeLog Hacking_of_LHa
>}
Comment 12 Jared B. 2019-09-24 00:46:04 UTC
Created attachment 590844 [details]
app-arch/lha-114i_p20190124.ebuild

Thank you for the additional suggestions.  Updated accordingly.

I also submitted an upstream bug report as suggested.  Took me a while to figure out the mingw32 patch, but I found an old (very old) discussion about it in bug 184911.  Upstream bug here if interested:

https://github.com/jca02266/lha/issues/15
Comment 13 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-25 11:08:43 UTC
(In reply to Jared B. from comment #12)
> Created attachment 590844 [details]
> app-arch/lha-114i_p20190124.ebuild
> 
> Thank you for the additional suggestions.  Updated accordingly.
> 

Please submit that as a 'git format-patch', with appropriate sign-off on copyright policy and a nice commit message.
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-10-22 10:10:03 UTC
Ping.
Comment 15 Sam James archtester gentoo-dev Security 2020-03-25 01:56:12 UTC
@maintainer(s), please create an appropriate ebuild, or if you have already (which may be the case here), please contact proxy maintainers team to get it reviewed.
Comment 16 Jared B. 2020-03-25 03:11:41 UTC
Hello.

I believe the ebuild itself is in an appropriate format, but I'm not sure how to submit a git format-patch as previously requested.  I'm not experienced with git outside of basic cloning and updating.

I hadn't replied initially because I planned to research the matter and develop those skills, but I haven't been able to devote the time and lost track of this.  Honestly, I'm not likely to find the time to sharpen those skills anytime soon due to other obligations, so I don't think I'm a good fit to be a proxy maintainer today.  My development experience is too dated.

I think it'd be better for someone else to take over maintenance of this and the couple other packages I (loosly) maintain: app-arch/unarj and media-gfx/iscan-plugin-gt-x820.  Is there anything in particular I should do to formally step down?

FYI, the LHA maintainer merged the following two patches after the last snapshot:
fix-config_headers.patch
fix-getopt_long-delaration.patch

If you an updated snapshot from commit 7c3cd95fdf0d2f9198bb779561724cd314bc39a6, you can drop the local patches.  It looks like he's also considering the stdin patch, but implemented slightly differently (using syntax similar to tar's -T option) due to concerns about potential unintended behavior.
Comment 17 Larry the Git Cow gentoo-dev 2020-06-13 02:07:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fd34b6c421e0e5a88e92c303d6e0a67fc90b33c

commit 5fd34b6c421e0e5a88e92c303d6e0a67fc90b33c
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-09 21:45:27 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-13 02:05:56 +0000

    app-arch/lha: Security bump
    
    Bug: https://bugs.gentoo.org/572418
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16155
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-arch/lha/Manifest                  |  1 +
 app-arch/lha/lha-114i_p20201004.ebuild | 41 ++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
Comment 18 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-06-13 02:08:47 UTC
@maintainer(s), please call for stable when ready.
Comment 19 Joonas Niilola gentoo-dev 2020-06-17 18:59:03 UTC
(In reply to Jared B. from comment #16)
> fit to be a proxy maintainer today.  My development experience is too dated.
> 
> I think it'd be better for someone else to take over maintenance of this and
> the couple other packages I (loosly) maintain: app-arch/unarj and
> media-gfx/iscan-plugin-gt-x820.  Is there anything in particular I should do
> to formally step down?
> 

To prevent huge text wall in this bug, I sent you an e-mail. Please check your inbox.
For anyone else wondering, 
https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers/User_Guide#How_to_step_down_as_a_proxied_maintainer is a starting point.
Comment 20 Thomas Deutschmann gentoo-dev Security 2020-06-20 13:50:09 UTC
x86 stable
Comment 21 Agostino Sarubbo gentoo-dev 2020-06-21 16:59:08 UTC
arm stable
Comment 22 Agostino Sarubbo gentoo-dev 2020-06-21 17:04:06 UTC
ppc stable
Comment 23 Agostino Sarubbo gentoo-dev 2020-06-21 17:09:07 UTC
ppc64 stable
Comment 24 Agostino Sarubbo gentoo-dev 2020-06-21 17:11:55 UTC
s390 stable
Comment 25 Agostino Sarubbo gentoo-dev 2020-06-22 06:57:22 UTC
amd64 stable
Comment 26 Rolf Eike Beer 2020-06-22 18:37:22 UTC
hppa/sparc stable
Comment 27 Sam James archtester gentoo-dev Security 2020-06-22 20:41:56 UTC
@maintainer(s), please cleanup
Comment 28 Larry the Git Cow gentoo-dev 2020-07-16 01:06:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10d6772384ac8f19f6cdc3803ea2de7a380765eb

commit 10d6772384ac8f19f6cdc3803ea2de7a380765eb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-16 00:27:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-16 01:01:33 +0000

    app-arch/lha: security cleanup
    
    Bug: https://bugs.gentoo.org/572418
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/lha/Manifest                              |  1 -
 .../lha-114i-fix-getopt_long-declaration.patch     | 11 -----
 app-arch/lha/lha-114i-r9.ebuild                    | 54 ----------------------
 3 files changed, 66 deletions(-)
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:58:26 UTC
This issue was resolved and addressed in
 GLSA 202007-42 at https://security.gentoo.org/glsa/202007-42
by GLSA coordinator Sam James (sam_c).