lrzip: CVE-2017-8842: divide-by-zero in bufRead::get

Debian Bug report logs - #863156

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 22 May 2017 18:57:02 UTC

Severity: important

Tags: security, upstream

Found in version lrzip/0.631-1

Fixed in version lrzip/0.631+git180517-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ckolivas/lrzip/issues/66



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#863156; Package src:lrzip. (Mon, 22 May 2017 18:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 22 May 2017 18:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lrzip: CVE-2017-8842: divide-by-zero in bufRead::get
Date: Mon, 22 May 2017 20:54:04 +0200
Source: lrzip
Version: 0.631-1
Severity: important
Tags: upstream security
Forwarded: https://github.com/ckolivas/lrzip/issues/66

Hi,

the following vulnerability was published for lrzip.

CVE-2017-8842[0]:
| The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in
| lrzip 0.631 allows remote attackers to cause a denial of service
| (divide-by-zero error and application crash) via a crafted archive.

ASAN_OPTIONS="detect_leaks=0" ./lrzip -t /root/poc/00228-lrzip-fpe-bufRead-get 
Decompressing...
ASAN:DEADLYSIGNAL
=================================================================
==14170==ERROR: AddressSanitizer: FPE on unknown address 0x000000459dca (pc 0x000000459dca bp 0x7f0defc37a90 sp 0x7f0defc37a70 T1)
    #0 0x459dc9 in bufRead::get() libzpaq/libzpaq.h:468
    #1 0x44de34 in libzpaq::Decompresser::findBlock(double*) libzpaq/libzpaq.cpp:1236
    #2 0x44e45b in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) libzpaq/libzpaq.cpp:1363
    #3 0x445c2c in zpaq_decompress libzpaq/libzpaq.h:538
    #4 0x428c2e in zpaq_decompress_buf stream.c:453
    #5 0x430e60 in ucompthread stream.c:1534
    #6 0x7f0e456a6493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #7 0x7f0e44b4c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE libzpaq/libzpaq.h:468 in bufRead::get()
Thread T1 created by T0 here:
    #0 0x7f0e45f38f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x4267f8 in create_pthread stream.c:133
    #2 0x4325f0 in fill_buffer stream.c:1673
    #3 0x4333d5 in read_stream stream.c:1755
    #4 0x421d21 in read_u8 runzip.c:55
    #5 0x422983 in read_header runzip.c:144
    #6 0x423fd2 in runzip_chunk runzip.c:314
    #7 0x4244a8 in runzip_fd runzip.c:382
    #8 0x411378 in decompress_file lrzip.c:826
    #9 0x409b39 in main main.c:669
    #10 0x7f0e44a842b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

==14170==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8842
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8842
[1] https://github.com/ckolivas/lrzip/issues/66

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
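
Added example (not part of the original report or of lrzip): a small triage helper that reduces an AddressSanitizer report like the one quoted above to a stable crash signature, so repeated fuzzing crashes at the same site can be grouped. The sample input is a shortened copy of the trace from this report; the function names are illustrative.

```python
import re

# Constructed sample: a shortened copy of the AddressSanitizer report quoted above.
SAMPLE_REPORT = """\
==14170==ERROR: AddressSanitizer: FPE on unknown address 0x000000459dca (pc 0x000000459dca bp 0x7f0defc37a90 sp 0x7f0defc37a70 T1)
    #0 0x459dc9 in bufRead::get() libzpaq/libzpaq.h:468
    #1 0x44de34 in libzpaq::Decompresser::findBlock(double*) libzpaq/libzpaq.cpp:1236
    #2 0x44e45b in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*) libzpaq/libzpaq.cpp:1363
    #6 0x7f0e456a6493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

SUMMARY: AddressSanitizer: FPE libzpaq/libzpaq.h:468 in bufRead::get()
Thread T1 created by T0 here:
    #0 0x7f0e45f38f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x4267f8 in create_pthread stream.c:133
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)")
# Frame: "#N 0xADDR in SYMBOL LOCATION"; LOCATION is "file:line" or "(module+0xoff)".
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")


def parse_asan(report):
    """Return (error_kind, frames) for the faulting stack of an ASan report."""
    kind, frames, in_fault_stack = None, [], False
    for line in report.splitlines():
        m = ERROR_RE.match(line)
        if m:
            kind, in_fault_stack = m.group(1), True
            continue
        f = FRAME_RE.match(line)
        if in_fault_stack and f:
            frames.append({"idx": int(f.group(1)),
                           "symbol": f.group(2),
                           "location": f.group(3)})
        elif in_fault_stack and frames:
            # First non-frame line ends the faulting stack; the later
            # "Thread T1 created by T0" stack is deliberately ignored.
            in_fault_stack = False
    return kind, frames


def crash_signature(report, depth=3):
    """Dedup key: error kind plus the top `depth` frames with source locations."""
    kind, frames = parse_asan(report)
    # Frames without debug info are printed as "(module+0xoff)"; skip them.
    own = [f for f in frames if not f["location"].startswith("(")]
    return kind, tuple(f"{f['symbol']}@{f['location']}" for f in own[:depth])
```
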



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Thu, 17 May 2018 18:13:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 17 May 2018 18:13:13 GMT)


Message #10 received at 863156-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 863156-close@bugs.debian.org
Subject: Bug#863156: fixed in lrzip 0.631+git180517-1
Date: Thu, 17 May 2018 18:10:21 +0000
Source: lrzip
Source-Version: 0.631+git180517-1

We believe that the bug you reported is fixed in the latest version of
lrzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863156@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated lrzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 17 May 2018 15:42:06 +0000
Source: lrzip
Binary: lrzip
Architecture: source amd64
Version: 0.631+git180517-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 lrzip      - compression program with a very high compression ratio
Closes: 863145 863150 863151 863153 863155 863156 866020 866022 887065 888506 897645 898451
Changes:
 lrzip (0.631+git180517-1) unstable; urgency=high
 .
   * Git snapshot release to fix security issues:
     - CVE-2017-8842: divide-by-zero in bufRead::get() (closes: #863156),
     - CVE-2017-8843: NULL pointer dereference in join_pthread()
       (closes: #863155),
     - CVE-2017-8844: heap-based buffer overflow write in read_1g()
       (closes: #863153),
     - CVE-2017-8845: invalid memory read in lzo_decompress_buf()
       (closes: #863151),
     - CVE-2017-8846: use-after-free in read_stream() (closes: #863150),
     - CVE-2017-8847: NULL pointer dereference in bufRead::get()
       (closes: #863145),
     - CVE-2017-9928: stack buffer overflow in get_fileinfo() (closes: #866022),
     - CVE-2017-9929: another stack buffer overflow in get_fileinfo()
       (closes: #866020),
     - CVE-2018-5650: infinite loop from crafted/corrupt archive in
       unzip_match() (closes: #887065),
     - CVE-2018-5747: use-after-free in ucompthread() (closes: #898451),
     - CVE-2018-5786: infinite loop in get_fileinfo() (closes: #888506),
     - CVE-2018-9058: infinite loop in runzip_fd() ,
     - CVE-2018-10685: use-after-free in lzma_decompress_buf()
       (closes: #897645).
   * Update homepage location.
   * Update debhelper level to 11:
     - don't need dh_installman anymore,
     - remove dh-autoreconf build dependency,
     - remove autotools-dev build dependency.
   * Update Standards-Version to 4.1.4 .




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Jun 2018 07:28:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:37 2019; Machine Name: beach
