Bug 1335577 (CVE-2016-2334)

Summary: CVE-2016-2334 p7zip: Heap-buffer-overflow vulnerability
Product: [Other] Security Response
Component: vulnerability
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, karol.kozlowski, matthias, sergio
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-08-15 01:30:39 UTC
Bug Depends On: 1335578, 1335579

Description Andrej Nemec 2016-05-12 14:35:33 UTC
An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.

Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads the block data into a static-size buffer "buf". There is no check whether the size of the block is bigger than the size of the buffer "buf", so a malformed block size can exceed the mentioned "buf" size. This will cause a buffer overflow and subsequent heap corruption.

References:

http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
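
The pattern the report describes, as an added example that is not part of the bug report and not 7-Zip's code: a block table whose per-block size drives a copy into a fixed-size staging buffer. The table layout (a 4-byte block count followed by u32 offset/size pairs, little-endian) and all function names are constructed for illustration and do not match the real HFS+ resource-fork format. The point is the ordering of checks: every field read from the file is validated against the destination buffer and against the fork's own length before it drives a memcpy, which is the check the report says ExtractZlibFile lacked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not 7-Zip's code. Models a resource fork holding a
 * block table (offset, size per block) followed by compressed block payloads,
 * each of which is copied into a fixed-size staging buffer before inflation. */
#define BUF_SIZE   64   /* size of the fixed staging buffer ("buf") */
#define HDR_SIZE   4    /* constructed: u32 block count */
#define ENTRY_SIZE 8    /* constructed: u32 offset + u32 size per table entry */

enum block_status {
    BLOCK_OK                  = 0,
    BLOCK_ERR_TRUNCATED_TABLE = 1,  /* count/entry lies outside the fork */
    BLOCK_ERR_TOO_LARGE       = 2,  /* size > BUF_SIZE: the missing check */
    BLOCK_ERR_OUT_OF_RANGE    = 3   /* offset+size outside the fork */
};

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Copy block `index` of the fork into buf. Every attacker-controlled field is
 * validated before it influences a memory access; arithmetic is arranged so
 * it cannot wrap (subtract from the known-larger side, never add and compare). */
int read_block(const uint8_t *fork, size_t fork_len, uint32_t index,
               uint8_t *buf, size_t buf_size, size_t *out_len)
{
    if (fork_len < HDR_SIZE) return BLOCK_ERR_TRUNCATED_TABLE;
    uint32_t count = get_le32(fork);
    if (index >= count) return BLOCK_ERR_TRUNCATED_TABLE;

    size_t entry_pos = HDR_SIZE + (size_t)index * ENTRY_SIZE;
    if (entry_pos > fork_len || fork_len - entry_pos < ENTRY_SIZE)
        return BLOCK_ERR_TRUNCATED_TABLE;

    uint32_t off  = get_le32(fork + entry_pos);
    uint32_t size = get_le32(fork + entry_pos + 4);

    /* The check the report describes as absent: block size vs. destination. */
    if (size > buf_size) return BLOCK_ERR_TOO_LARGE;
    /* The block must also lie entirely inside the source fork. */
    if (off > fork_len || size > fork_len - off) return BLOCK_ERR_OUT_OF_RANGE;

    memcpy(buf, fork + off, size);
    *out_len = size;
    return BLOCK_OK;
}

/* Build a constructed one-entry fork: the entry claims `declared_size` bytes at
 * the first byte after the table, while only `payload_len` bytes are present.
 * Returns the total fork length. */
size_t build_fork(uint8_t *out, size_t cap, uint32_t declared_size, size_t payload_len) {
    size_t table = HDR_SIZE + ENTRY_SIZE;
    if (payload_len > cap - table) payload_len = cap - table;
    put_le32(out, 1);
    put_le32(out + HDR_SIZE, (uint32_t)table);
    put_le32(out + HDR_SIZE + 4, declared_size);
    memset(out + table, 0xAB, payload_len);   /* dummy "compressed" bytes */
    return table + payload_len;
}

/* Run one scenario end to end and return the status read_block produced. */
int check_block(uint32_t declared_size, size_t payload_len, uint32_t index) {
    uint8_t fork[256];
    uint8_t buf[BUF_SIZE];
    size_t n = 0;
    size_t len = build_fork(fork, sizeof fork, declared_size, payload_len);
    return read_block(fork, len, index, buf, sizeof buf, &n);
}

int main(void) {
    printf("honest 16-byte block      -> %d\n", check_block(16, 16, 0));   /* 0 */
    printf("size 4096 vs 64-byte buf  -> %d\n", check_block(4096, 16, 0)); /* 2 */
    printf("size 48, only 16 present  -> %d\n", check_block(48, 16, 0));   /* 3 */
    printf("index past table          -> %d\n", check_block(16, 16, 1));   /* 1 */
    return 0;
}
```

The size-versus-buffer check is deliberately placed before the offset-range check: a crafted size that passes the range check could still exceed the staging buffer, and checking the destination first means the fork length never becomes an implicit upper bound on what is copied.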

Comment 1 Andrej Nemec 2016-05-12 14:36:37 UTC
Created p7zip tracking bugs for this issue:

Affects: fedora-all [bug 1335578]
Affects: epel-all [bug 1335579]

Comment 2 Fedora Update System 2016-07-20 17:48:54 UTC
p7zip-16.02-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-08-01 18:53:49 UTC
p7zip-16.02-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-08-13 18:19:28 UTC
p7zip-16.02-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Doran Moppert 2016-08-15 01:30:11 UTC
p7zip is not shipped in RHEL, only Fedora and EPEL. Closing since the patches have been applied there and no further products/components are affected.

Comment 6 Sergio Basto 2016-08-15 02:11:00 UTC
(In reply to Doran Moppert from comment #5)
> Closing since the
> patches have been applied there and no further products/components are
> affected

so it is fixed

Comment 7 Fedora Update System 2016-08-16 19:49:23 UTC
p7zip-16.02-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.