Bug 617930 (CVE-2017-8842, CVE-2017-8843, CVE-2017-8844, CVE-2017-8845, CVE-2017-8846, CVE-2017-8847) - <app-arch/lrzip-0.631_p20190619: Multiple Vulnerabilities
Summary: <app-arch/lrzip-0.631_p20190619: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-8842, CVE-2017-8843, CVE-2017-8844, CVE-2017-8845, CVE-2017-8846, CVE-2017-8847
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
Reported: 2017-05-09 07:07 UTC by Yury German
Modified: 2022-12-10 01:59 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---
Attachments
Description Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 07:07:25 UTC
.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 07:07:55 UTC
CVE-2017-8847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8847):
  The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip
  0.631 allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via a crafted archive.

CVE-2017-8846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8846):
  The read_stream function in stream.c in liblrzip.so in lrzip 0.631 allows
  remote attackers to cause a denial of service (use-after-free and
  application crash) via a crafted archive.

CVE-2017-8845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8845):
  The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lrzip
  0.631, allows remote attackers to cause a denial of service (invalid memory
  read and application crash) via a crafted archive.

CVE-2017-8844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8844):
  The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows remote
  attackers to cause a denial of service (heap-based buffer overflow and
  application crash) or possibly have unspecified other impact via a crafted
  archive.

CVE-2017-8843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8843):
  The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  application crash) via a crafted archive.

CVE-2017-8842 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8842):
  The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip
  0.631 allows remote attackers to cause a denial of service (divide-by-zero
  error and application crash) via a crafted archive.
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-18 11:35:05 UTC
These issues do not require a special config or env, so this is B, and this is 2 because of the write issue.
Comment 4 Michael Boyle 2018-05-21 03:14:39 UTC
Upstream has the relevant fixes in place and we are awaiting their new release.

Michael Boyle
Gentoo Security Padawan
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 23:39:41 UTC
Dropping CVE-2017-8847 which has an unknown status.
Comment 6 NATTkA bot gentoo-dev 2020-04-12 19:31:44 UTC
Unable to check for sanity:

> dependent bug #624462 is missing keywords
Comment 7 NATTkA bot gentoo-dev 2020-04-13 14:41:56 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-05-12 23:31:32 UTC
This issue was resolved and addressed in
 GLSA 202005-01 at https://security.gentoo.org/glsa/202005-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-10 01:59:08 UTC
(In reply to Thomas Deutschmann (RETIRED) from comment #5)
> Dropping CVE-2017-8847 which has an unknown status.

But CVE-2017-8847 seems to have made it into the GLSA anyway, so keeping it in the bug.