Bug 572418 (CVE-2016-1925) - app-arch/lha: Buffer Overflow in lha compression utility
Summary: app-arch/lha: Buffer Overflow in lha compression utility
Status: IN_PROGRESS
Alias: CVE-2016-1925
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [ebuild+ cve]
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2016-01-20 08:43 UTC by Agostino Sarubbo
Modified: 2019-10-22 10:10 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
lha-114i-fix-CVE-2016-1925.patch (2.24 KB, patch) - 2017-01-13 15:51 UTC, Paolo Pedroni
app-arch/lha-114i_p20190124.ebuild (1015 bytes, text/plain) - 2019-09-22 04:55 UTC, Jared B.
lha-114i-file-list-from-stdin.patch (924 bytes, patch) - 2019-09-22 04:57 UTC, Jared B.
app-arch/lha-114i_p20190124.ebuild (1.12 KB, text/plain) - 2019-09-22 07:25 UTC, Jared B.
app-arch/lha-114i_p20190124.ebuild (1.03 KB, text/plain) - 2019-09-24 00:46 UTC, Jared B.

Description Agostino Sarubbo gentoo-dev 2016-01-20 08:43:26 UTC
From ${URL}:

== Overview ==
LHA for UNIX (https://osdn.jp/projects/lha/) is an open source
implementation of the LHA compression utility and associated file format.

== Version ==
All tests were performed using the latest 20b6ba8 commit of the master
branch from https://osdn.jp/projects/lha/scm/git/lha/

== Details ==
Using the afl fuzzer, two cases which triggered a buffer overflow were
discovered. The problem existed in header.c:797-800 and header.c:913-916
while parsing level0 and level1 headers accordingly.

=797-800=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }

=913-916=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }


The header_size variable is determined from the first byte of the lha
archive header, which is read by the get_byte function. The returned
value is used in:

header_size + 2 - COMMON_HEADER_SIZE

to determine the elements' size used in fread().

If the header_size is less than abs(2 - COMMON_HEADER_SIZE) = abs(2 -
21) = 19 then the size parameter is overflowed and a buffer overflow
occurs in fread.

== Timeline ==
2016-01-13 - Bug report submitted
2016-01-16 - Bug fix pushed to master (commit bf2471f)



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
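The following is an added example, not code from lha or from the report quoted above. It models the level-0/level-1 header read described there against an in-memory byte buffer: unchecked_read_len() reproduces the length the unchecked arithmetic hands to fread(), and parse_header() adds the bound check that rejects header_size values below COMMON_HEADER_SIZE - 2 before anything is copied. The reader type, the result codes and the sample headers are constructed for this example; COMMON_HEADER_SIZE uses the value (21) quoted in the report, and the layout is simplified (size and checksum bytes followed directly by the remainder).

```c
/* Added example (not lha source): models the header_size arithmetic from
 * the CVE-2016-1925 report and the check that prevents the size_t wrap. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define COMMON_HEADER_SIZE 21                    /* value quoted in the report */
#define MIN_HEADER_SIZE (COMMON_HEADER_SIZE - 2) /* smallest header_size that does not wrap */

/* Length the unchecked code passes to fread(): header_size is an int from
 * get_byte() (0..255); for header_size < 19 the expression goes negative and
 * converts to a huge size_t when it becomes fread()'s size argument. */
size_t unchecked_read_len(int header_size)
{
    return (size_t)(header_size + 2 - COMMON_HEADER_SIZE);
}

/* Minimal in-memory stand-in for the FILE* the real code reads from (assumed). */
struct reader {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

static int get_byte(struct reader *r)
{
    return r->pos < r->len ? r->buf[r->pos++] : -1;
}

/* Result codes for parse_header() (constructed for this example). */
enum { HDR_TRUNCATED = -1, HDR_TOO_SMALL = -2, HDR_TOO_LARGE = -3 };

/* Reads a simplified level-0/1 style header into data[data_len].
 * Returns header_size (>= 0) on success or a negative code. Every bound is
 * checked before the copy; in the unchecked code fread() writes first and
 * only its return value is examined afterwards, which is too late. */
int parse_header(const uint8_t *src, size_t src_len, uint8_t *data, size_t data_len)
{
    struct reader r = { src, src_len, 0 };
    int header_size = get_byte(&r);
    int checksum = get_byte(&r);
    if (header_size < 0 || checksum < 0)
        return HDR_TRUNCATED;

    /* Reject sizes that would make header_size + 2 - COMMON_HEADER_SIZE negative. */
    if (header_size < MIN_HEADER_SIZE)
        return HDR_TOO_SMALL;

    size_t remaining = (size_t)(header_size + 2 - COMMON_HEADER_SIZE);

    /* The copy lands at data + COMMON_HEADER_SIZE; make sure it fits. */
    if (data_len < COMMON_HEADER_SIZE || remaining > data_len - COMMON_HEADER_SIZE)
        return HDR_TOO_LARGE;

    /* Mirror fread() returning 0 elements on a short input. */
    if (r.len - r.pos < remaining)
        return HDR_TRUNCATED;

    data[0] = (uint8_t)header_size;
    data[1] = (uint8_t)checksum;
    memcpy(data + COMMON_HEADER_SIZE, src + r.pos, remaining);
    return header_size;
}

/* Constructed sample headers (not taken from a real archive). */
const uint8_t SAMPLE_SMALL[] = { 0x05, 0x00, 'A', 'B', 'C', 'D', 'E' }; /* header_size 5 < 19 */
const size_t SAMPLE_SMALL_LEN = sizeof SAMPLE_SMALL;
const uint8_t SAMPLE_OK[] = { 0x18, 0x11, 'a', 'b', 'c', 'd', 'e' };    /* 24 + 2 - 21 = 5 bytes */
const size_t SAMPLE_OK_LEN = sizeof SAMPLE_OK;

int main(void)
{
    uint8_t data[64];

    printf("unchecked length for header_size 0: %zu\n", unchecked_read_len(0));
    printf("unchecked length for header_size 24: %zu\n", unchecked_read_len(24));
    printf("checked parse of small header: %d\n",
           parse_header(SAMPLE_SMALL, SAMPLE_SMALL_LEN, data, sizeof data));
    printf("checked parse of valid header: %d\n",
           parse_header(SAMPLE_OK, SAMPLE_OK_LEN, data, sizeof data));
    return 0;
}
```

The point to carry over to the real parser is the ordering: the check on header_size has to happen between get_byte() and fread(), because once fread() is given a wrapped size it will write as many bytes as the input file still holds into the fixed-size buffer, and the `== 0` test on its return value only runs after that write.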
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-22 12:52:25 UTC
@ Maintainer(s): Please consider doing a snapshot release or at least cherry-pick https://de.osdn.net/projects/lha/scm/git/lha/commits/bf2471f to address this vulnerability.
Comment 2 Paolo Pedroni 2017-01-13 15:51:05 UTC
Created attachment 459882 [details, diff]
lha-114i-fix-CVE-2016-1925.patch

This is the patch from upstream that fixes the bug.
Comment 3 Paolo Pedroni 2017-01-13 16:00:28 UTC
Scratch that, it fails. I'll work some more on it.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 17:10:32 UTC
@Maintainers ping.

Fix is already in master branch on git's repo, you may want to use it since there are no tags nor versions in the repository and the official web page says to use the repo because of vulnerabilities in the last release.

Thank you.

Gentoo Security Padawan
ChrisADR
Comment 5 Jared B. 2019-09-22 04:54:52 UTC
Hello.  Apologies for the extreme tardiness on this, but at Michał's prompting in bug 633010 I realized this was still pending and wanted to take a crack at it.

I thought it made the most sense to do a full snapshot rather than backporting the specific patch in question as there's been a number of newer commits and bugfixes.  That being said, I'm not sure how that's typically handled by Gentoo devs, so if my approach below is wrong I'd appreciate some guidance and I'll happily update as suggested.

I cloned the repo from the last commit and created a snapshot available here:
https://www.legroom.net/public/lha-114i_p20190124.txz

I used the following SRC_URI since there's no upstream-provided snapshot.
SRC_URI="mirror://gentoo/lha-114i_p20190124.txz"

Other differences, for reference:

* Both patches still seemed to apply, so I simply updated them

* The PROTOTYPES bits discussed in bug 423125 no longer seem to apply, so I removed those lines.

* The man page is (now?) in English, so I removed the line sending it to the Japanese directory.

Compiled and tested on amd64.  Seems to work as expected.

Feedback welcome.
Comment 6 Jared B. 2019-09-22 04:55:56 UTC
Created attachment 590626 [details]
app-arch/lha-114i_p20190124.ebuild
Comment 7 Jared B. 2019-09-22 04:57:09 UTC
Created attachment 590628 [details, diff]
lha-114i-file-list-from-stdin.patch

Note: the other patch (lha-114i-fix-getopt_long-declaration.patch) didn't need to be modified
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-22 06:20:06 UTC
If you're talking about the GitHub repo, you can just use the 'archive/' URL for a specific commit in SRC_URI.  Take their 'download ZIP' URI, replace .zip with .tar.gz, 'master' with commit ID and it will work.
Comment 9 Jared B. 2019-09-22 07:24:45 UTC
(In reply to Michał Górny from comment #8)
> Take their 'download ZIP' URI, replace
> .zip with .tar.gz, 'master' with commit ID and it will work.

Nice, I didn't realize you could download a specific commit like that via HTTP.  Thanks for the tip.  Attaching updated ebuild using that method.
Comment 10 Jared B. 2019-09-22 07:25:40 UTC
Created attachment 590630 [details]
app-arch/lha-114i_p20190124.ebuild
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-22 07:56:08 UTC
Comment on attachment 590630 [details]
app-arch/lha-114i_p20190124.ebuild

># Copyright 1999-2018 Gentoo Authors

Please update your calendar.

># Distributed under the terms of the GNU General Public License v2
>
>EAPI=7
>
>inherit autotools flag-o-matic
>
>MY_P="${P/_p*}"

Remove this, see below.

>MY_COMMIT="e73199781397156be57866688a18d522d43c78ef"
>
>DESCRIPTION="Utility for creating and opening lzh archives"
>HOMEPAGE="https://github.com/jca02266/lha https://lha.osdn.jp"
>SRC_URI="https://github.com/jca02266/lha/archive/${MY_COMMIT}.tar.gz -> ${P}.tar.gz"
>
>LICENSE="lha"
>SLOT="0"
>KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~m68k-mint"
>
>S="${WORKDIR}/${PN}-${MY_COMMIT}"
>
>PATCHES=(
>	"${FILESDIR}"/${MY_P}-file-list-from-stdin.patch
>	"${FILESDIR}"/${MY_P}-fix-getopt_long-declaration.patch

Just inline MY_P here.  There is no real relation between snapshot version and the filename of those patches (they would probably still apply if upstream changed version number).

Also, as a side request, could you consider submitting them to that GitHub repo?  It looks silly to still have to apply patches when we're apparently switching to a patched snapshot.

>)
>
>src_prepare() {
>	default
>
>	sed -e 's/^AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' \
>		-i configure.ac || die #467544

Likewise (submit upstream).

>
>	eautoreconf
>}
>
>src_configure() {
>#	append-cppflags -DPROTOTYPES #423125

This is no longer necessary?  Remove it then; flag-o-matic inherit too.

>
>	if [[ ${CHOST} == *-interix* ]]; then
>		export ac_cv_header_inttypes_h=no
>		export ac_cv_func_iconv=no
>	fi
>
>	econf

or 'default'.

>}
>
>src_install() {
>	emake \
>		DESTDIR="${D}" \
>		install

or 'default'?  ;-)

>
>	dodoc ChangeLog Hacking_of_LHa
>}
Comment 12 Jared B. 2019-09-24 00:46:04 UTC
Created attachment 590844 [details]
app-arch/lha-114i_p20190124.ebuild

Thank you for the additional suggestions.  Updated accordingly.

I also submitted an upstream bug report as suggested.  Took me a while to figure out the mingw32 patch, but I found an old (very old) discussion about it in bug 184911.  Upstream bug here if interested:

https://github.com/jca02266/lha/issues/15
Comment 13 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-25 11:08:43 UTC
(In reply to Jared B. from comment #12)
> Created attachment 590844 [details]
> app-arch/lha-114i_p20190124.ebuild
> 
> Thank you for the additional suggestions.  Updated accordingly.
> 

Please submit that as a 'git format-patch', with appropriate sign-off on copyright policy and a nice commit message.
Comment 14 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-10-22 10:10:03 UTC
Ping.