658008 – (CVE-2018-11496, CVE-2018-5650, CVE-2018-5747, CVE-2018-9058) <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities

Bug 658008 (CVE-2018-11496, CVE-2018-5650, CVE-2018-5747, CVE-2018-9058) - <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities

Summary: <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2018-11496, CVE-2018-5650, CVE-2018-5747, CVE-2018-9058

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/ckolivas/lrzip/iss...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-06-12 20:56 UTC by Florian Schuhmacher
Modified:	2020-04-18 10:24 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2017-9928, CVE-2017-9929
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Schuhmacher 2018-06-12 20:56:13 UTC

In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation. 

Checked the source code the vuln seems to affect these versions too:

0.621 (stable) 0.630 (testing)

Gentoo Security Scout
Florian Schuhmacher

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2019-08-10 16:47:04 UTC

CVE-2018-11496:

https://github.com/ckolivas/lrzip/issues/96

CVE-2018-5650:

https://github.com/ckolivas/lrzip/issues/88

CVE-2018-5747:

https://github.com/ckolivas/lrzip/issues/90

CVE-2018-9058:

https://github.com/ckolivas/lrzip/issues/93

All fixed in master.

Comment 2 Sam James archtester

2020-03-26 19:26:12 UTC

Tree is clean!

Comment 3 NATTkA bot gentoo-dev

2020-04-12 19:30:42 UTC

Unable to check for sanity:

> dependent bug #624462 is missing keywords

Comment 4 NATTkA bot gentoo-dev

2020-04-13 14:41:32 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 5 Yury German Gentoo Infrastructure

2020-04-16 06:52:32 UTC

GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].