An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks. Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into a static-size buffer "buf". There is no check whether the size of the block is bigger than the size of the buffer "buf", which can result in a malformed block size which exceeds the mentioned "buf" size. This will cause a buffer overflow and subsequent heap corruption.

References:
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
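The missing check described above, sketched as an added example (not code from this report or from 7-Zip): a table reader that validates each block's size against the fixed buffer and the input length before copying. The table layout, `BUF_SIZE`, and all function names are simplified assumptions, not the real HFS+ or 7-Zip definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u /* hypothetical capacity of the fixed-size "buf" */
enum { BLK_OK = 0, BLK_TRUNCATED = -1, BLK_TOO_BIG = -2, BLK_OUT_OF_RANGE = -3 };

/* Little-endian 32-bit read/write without alignment assumptions. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Assumed layout: u32 count, then count x {u32 offset, u32 size}.
 * Copies block idx into buf only after both values are validated. */
int read_block(const uint8_t *fork, size_t fork_len, uint32_t idx,
               uint8_t buf[BUF_SIZE], uint32_t *out_size) {
    if (fork_len < 4) return BLK_TRUNCATED;
    uint32_t count = rd32le(fork);
    /* The table must fit in the input and contain the requested entry. */
    if (count > (fork_len - 4) / 8 || idx >= count) return BLK_TRUNCATED;
    const uint8_t *entry = fork + 4 + (size_t)idx * 8;
    uint32_t offset = rd32le(entry), size = rd32le(entry + 4);
    /* The check the description reports as missing: size vs. buffer capacity. */
    if (size > BUF_SIZE) return BLK_TOO_BIG;
    /* Overflow-safe range check: offset + size must stay inside the input. */
    if (offset > fork_len || size > fork_len - offset) return BLK_OUT_OF_RANGE;
    memcpy(buf, fork + offset, size);
    *out_size = size;
    return BLK_OK;
}

/* Constructed sample: one table entry, then 16 payload bytes at offset 12. */
int check_sample(uint32_t declared_size) {
    uint8_t fork[28], buf[BUF_SIZE];
    uint32_t copied = 0;
    memset(fork, 0x41, sizeof fork);
    wr32le(fork, 1); wr32le(fork + 4, 12); wr32le(fork + 8, declared_size);
    return read_block(fork, sizeof fork, 0, buf, &copied);
}

int main(void) {
    uint32_t sizes[] = { 16, 32, 0x10000 };
    for (int i = 0; i < 3; i++)
        printf("declared=%u -> %d\n", (unsigned)sizes[i], check_sample(sizes[i]));
    return 0;
}
```

The range check is written as `size > fork_len - offset` rather than `offset + size > fork_len` so that a large attacker-controlled value cannot wrap the sum and slip past the comparison.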
Created p7zip tracking bugs for this issue:

Affects: fedora-all [bug 1335578]
Affects: epel-all [bug 1335579]
p7zip-16.02-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
p7zip-16.02-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
p7zip-16.02-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
p7zip is not shipped in RHEL, only Fedora and EPEL. Closing since the patches have been applied there and no further products/components are affected.
(In reply to Doran Moppert from comment #5)
> Closing since the
> patches have been applied there and no further products/components are
> affected

so it is fixed
p7zip-16.02-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.