Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 582832 (CVE-2016-2334, CVE-2016-2335) - <app-arch/p7zip-16.02-r1: multiple vulnerabilities (CVE-2016-{2334,2335})
Summary: <app-arch/p7zip-16.02-r1: multiple vulnerabilities (CVE-2016-{2334,2335})
Status: RESOLVED FIXED
Alias: CVE-2016-2334, CVE-2016-2335
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://blog.talosintel.com/2016/05/mu...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-12 13:29 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2017-01-11 12:29 UTC (History)
3 users (show)

See Also:
Package list:
=app-arch/p7zip-16.02-r1
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chí-Thanh Christopher Nguyễn gentoo-dev 2016-05-12 13:29:40 UTC
Also reported in bug 582364 comment 1
Per ${URL}:

TALOS-CAN-0094, Out-of-Bounds Read Vulnerability, [CVE-2016-2335]

An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the "PartitionRef" field from the Long Allocation Descriptor. Lack of checking whether the "PartitionRef" field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.

TALOS-CAN-0093, Heap Overflow Vulnerability, [CVE-2016-2334]

An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.

Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer "buf". There is no check whether the size of the block is bigger than size of the buffer "buf", which can result in a malformed block size which exceeds the mentioned "buf" size. This will cause a buffer overflow and subsequent heap corruption.

Conclusion

Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-05-12 15:11:09 UTC
waiting on release so I can update, should be auto-notified when it is released.
Comment 2 Marius Brehler 2016-05-13 22:17:23 UTC
7-Zip 16.00 was released on May 10 [1] and is available for download [2].

[1] http://www.7-zip.org/history.txt
[2] http://www.7-zip.org/download.html
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-05-14 00:54:44 UTC
that's not p7zip though :(
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-05-17 18:12:52 UTC
so, not an issue?
Comment 6 Chí-Thanh Christopher Nguyễn gentoo-dev 2016-05-17 18:19:29 UTC
As far as I understand, it is not an issue for the 7za binary.
The discussion does not say anything about the other binaries.
Comment 7 Hanno Böck gentoo-dev 2016-07-14 13:19:37 UTC
p7zip 16.02 was released upstream, hopefully fixing these issues.
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-07-15 02:33:08 UTC
Ok, I've updated the package, 16.02 is now out.  Should we cc arches?
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 00:36:09 UTC
CVE-2016-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2335):
  The CInArchive::ReadFileItem method in Archive/Udf/UdfIn.cpp in 7zip 9.20
  and 15.05 beta and p7zip allows remote attackers to cause a denial of
  service (out-of-bounds read) or execute arbitrary code via the PartitionRef
  field in the Long Allocation Descriptor in a UDF file.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-07-16 01:03:21 UTC
Still trying to track that the vulnerabilities have been patched.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 01:32:22 UTC
Fixed version is in repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/app-arch/p7zip?id=98be5eb1827845a1551e998392c603e692815ccc
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-11-19 04:45:41 UTC
@arches, please stabilize:

=app-arch/p7zip-16.02-r1
Comment 13 Agostino Sarubbo gentoo-dev 2016-11-19 13:53:56 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-11-19 13:56:16 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-12-19 14:35:53 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-12-19 15:13:04 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-12-20 09:45:08 UTC
ppc stable
Comment 18 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-12-20 15:26:33 UTC
hppa and ppc64 remain, do we care about these arches, I forget if the last council meeting made a hard decision here.
Comment 19 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-12-20 15:27:12 UTC
oops, got this confused with the memcached cleanup :D
Comment 20 Agostino Sarubbo gentoo-dev 2016-12-22 09:35:17 UTC
ppc64 stable
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-09 14:12:52 UTC
Stable for HPPA.
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 17:10:40 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup <app-arch/p7zip-16.02-r1!
Comment 23 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-01-09 17:39:38 UTC
cleaned up, removing self from cc
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:29:08 UTC
This issue was resolved and addressed in
 GLSA 201701-27 at https://security.gentoo.org/glsa/201701-27
by GLSA coordinator Aaron Bauman (b-man).