Bug 1335575 (CVE-2016-2335)

Summary: CVE-2016-2335 p7zip: Out-of-bounds read vulnerability
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, karol.kozlowski, matthias, sergio
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-08-15 02:11:40 UTC
Bug Depends On: 1335578, 1335579

Description Andrej Nemec 2016-05-12 14:32:03 UTC
An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the "PartitionRef" field from the Long Allocation Descriptor. Lack of checking whether the "PartitionRef" field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.

References:

http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
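
The missing check described above, shown as an added example that is not part of the bug report and is not 7-Zip or p7zip source code. It is a simplified model with hypothetical type and function names: it parses the 16-byte UDF Long Allocation Descriptor from a constructed buffer and validates "PartitionRef" against the number of partition map objects before indexing the vector.

```cpp
// Added illustration: a simplified model, not 7-Zip source code.
// All type and function names below are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

struct PartitionMap { uint16_t PartitionNumber; };
struct LogicalVolume { std::vector<PartitionMap> PartitionMaps; };

// UDF Long Allocation Descriptor (long_ad): 16 bytes, little-endian.
struct LongAllocDesc {
  uint32_t Length;        // bytes 0-3: extent length
  uint32_t BlockPos;      // bytes 4-7: logical block number
  uint16_t PartitionRef;  // bytes 8-9: partition reference number
};

static uint32_t Le32(const uint8_t *p) {
  return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Parse a long_ad from an untrusted buffer; reject missing or short input.
bool ParseLongAllocDesc(const uint8_t *buf, size_t size, LongAllocDesc &out) {
  if (buf == nullptr || size < 16) return false;
  out.Length = Le32(buf);
  out.BlockPos = Le32(buf + 4);
  out.PartitionRef = uint16_t(buf[8] | (buf[9] << 8));
  return true;
}

// Unchecked form: vol.PartitionMaps[lad.PartitionRef] with the index taken
// straight from the file. Checked form: the index must be smaller than the
// number of partition map objects, otherwise the archive is malformed.
const PartitionMap *ResolvePartition(const LogicalVolume &vol, const LongAllocDesc &lad) {
  if (lad.PartitionRef >= vol.PartitionMaps.size()) return nullptr;
  return &vol.PartitionMaps[lad.PartitionRef];
}

// Constructed sample: a volume with two partition maps and a raw descriptor
// carrying the given reference. Returns the partition number, or -1 if rejected.
int ResolveSample(uint16_t partitionRef) {
  LogicalVolume vol;
  vol.PartitionMaps.push_back(PartitionMap{5});
  vol.PartitionMaps.push_back(PartitionMap{7});
  uint8_t raw[16] = {0x00, 0x08, 0, 0, 0x20, 0, 0, 0};
  raw[8] = uint8_t(partitionRef & 0xFF);
  raw[9] = uint8_t(partitionRef >> 8);
  LongAllocDesc lad;
  if (!ParseLongAllocDesc(raw, sizeof raw, lad)) return -2;
  const PartitionMap *pm = ResolvePartition(vol, lad);
  return pm ? int(pm->PartitionNumber) : -1;
}
```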

Comment 1 Andrej Nemec 2016-05-12 14:36:33 UTC
Created p7zip tracking bugs for this issue:

Affects: fedora-all [bug 1335578]
Affects: epel-all [bug 1335579]

Comment 2 Fedora Update System 2016-07-20 17:48:49 UTC
p7zip-16.02-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-08-01 18:53:43 UTC
p7zip-16.02-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-08-13 18:19:22 UTC
p7zip-16.02-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Sergio Basto 2016-08-15 02:11:40 UTC
Closing since the patches have been applied

Comment 6 Fedora Update System 2016-08-16 19:49:18 UTC
p7zip-16.02-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.