.
CVE-2017-8847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8847): The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. CVE-2017-8846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8846): The read_stream function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted archive. CVE-2017-8845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8845): The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lrzip 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive. CVE-2017-8844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8844): The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted archive. CVE-2017-8843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8843): The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive. CVE-2017-8842 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8842): The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted archive.
documented here: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/ https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
These issues does not require a special config or env, so this is B, and this is 2 because of the write issue.
Upstream has the relevant fixes in place and we are awaiting for their new release. Michael Boyle Gentoo Security Padawan
Dropping CVE-2017-8847 which has an unknown status.
Unable to check for sanity: > dependent bug #624462 is missing keywords
Resetting sanity check; package list is empty or all packages are done.
This issue was resolved and addressed in GLSA 202005-01 at https://security.gentoo.org/glsa/202005-01 by GLSA coordinator Thomas Deutschmann (whissi).
(In reply to Thomas Deutschmann (RETIRED) from comment #5) > Dropping CVE-2017-8847 which has an unknown status. But CVE-2017-8847 seems to have made it into the GLSA anyway, so keeping it in the bug.