Bug 1335577 (CVE-2016-2334) - CVE-2016-2334 p7zip: Heap-buffer-overflow vulnerability
Summary: CVE-2016-2334 p7zip: Heap-buffer-overflow vulnerability
Status: CLOSED ERRATA
Alias: CVE-2016-2334
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160511,repor...
Keywords: Security
Depends On: 1335578 1335579
Blocks:
Reported: 2016-05-12 14:35 UTC by Andrej Nemec
Modified: 2019-06-08 21:11 UTC (History)
Clone Of:
Last Closed: 2016-08-15 01:30:39 UTC



Description Andrej Nemec 2016-05-12 14:35:33 UTC
An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.

Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into a static size buffer "buf". There is no check whether the size of the block is bigger than the size of the buffer "buf", which can result in a malformed block size which exceeds the mentioned "buf" size. This will cause a buffer overflow and subsequent heap corruption.

References:

http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
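
The missing check described above, as an added example that is not part of the original report and is not p7zip's code or the upstream patch: a block reader that validates each table entry against the fixed buffer and the fork length before copying. The table layout, `BUF_SIZE`, `read_block` and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration only (not the real HFS+ resource fork):
 * u32 count, then count x {u32 offset, u32 size}, little-endian,
 * offsets measured from the start of the fork. */
#define BUF_SIZE 16u            /* constructed fixed buffer size */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copies block idx into buf; returns its length, or -1 if the entry is malformed. */
long read_block(const uint8_t *fork, size_t len, uint32_t idx,
                uint8_t *buf, size_t buf_size) {
    if (len < 4) return -1;
    uint32_t count = rd32(fork);
    if (count > (len - 4) / 8 || idx >= count) return -1;  /* table must fit */
    const uint8_t *e = fork + 4 + (size_t)idx * 8;
    uint32_t off = rd32(e), size = rd32(e + 4);
    if (size > buf_size) return -1;      /* the check the report says is missing */
    if (off > len || size > len - off) return -1;  /* block must lie inside the fork */
    memcpy(buf, fork + off, size);
    return (long)size;
}

/* Constructed sample: 3 entries; only block 0 is well-formed. */
static const uint8_t SAMPLE_FORK[] = {
    3, 0, 0, 0,
    28, 0, 0, 0,   4, 0, 0, 0,          /* block 0: 4 bytes at offset 28 */
    28, 0, 0, 0,   0xff, 0xff, 0, 0,    /* block 1: size 0xffff > BUF_SIZE */
    30, 0, 0, 0,   8, 0, 0, 0,          /* block 2: fits buf, runs past the fork end */
    'd', 'a', 't', 'a',
};
static uint8_t out[BUF_SIZE];

int main(void) {
    for (uint32_t i = 0; i < 4; i++)
        printf("block %u -> %ld\n", (unsigned)i,
               read_block(SAMPLE_FORK, sizeof SAMPLE_FORK, i, out, sizeof out));
    return 0;
}
```

Writing the range test as `size > len - off` after checking `off > len` keeps the comparison free of integer wraparound when both fields are attacker-controlled.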

Comment 1 Andrej Nemec 2016-05-12 14:36:37 UTC
Created p7zip tracking bugs for this issue:

Affects: fedora-all [bug 1335578]
Affects: epel-all [bug 1335579]

Comment 2 Fedora Update System 2016-07-20 17:48:54 UTC
p7zip-16.02-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-08-01 18:53:49 UTC
p7zip-16.02-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-08-13 18:19:28 UTC
p7zip-16.02-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Doran Moppert 2016-08-15 01:30:11 UTC
p7zip is not shipped in RHEL, only Fedora and EPEL. Closing since the patches have been applied there and no further products/components are affected.

Comment 6 Sergio Monteiro Basto 2016-08-15 02:11:00 UTC
(In reply to Doran Moppert from comment #5)
> Closing since the
> patches have been applied there and no further products/components are
> affected

so it is fixed

Comment 7 Fedora Update System 2016-08-16 19:49:23 UTC
p7zip-16.02-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

