Arch Linux Security Advisory ASA-201605-24 ========================================== Severity: Critical Date : 2016-05-18 CVE-ID : CVE-2016-2334 CVE-2016-2335 Package : p7zip Type : arbitrary code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package p7zip before version 15.14.1-2 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 15.14.1-2. # pacman -Syu "p7zip>=15.14.1-2" The problems have been fixed upstream but no release is available yet. Workaround ========== None. Description =========== - CVE-2016-2334 (arbitrary code execution) An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution. Before decompression, ExtractZlibFile method read block size and its offset from file and after that read block data into static size buffer "buf". Because there is no check whether size of block is bigger than size of "buf", malformed size of block exceeding mentioned "buf" size will cause buffer overflow and heap corruption. - CVE-2016-2335 (arbitrary code execution) An out of bound read vulnerability exists in the CInArchive::ReadFileItem method functionality of 7zip for handling UDF files that can lead to denial of service or code execution. Because volumes can have more than one partition map their objects are keep in object vector. To start looking for item, method tries to achieve proper partition object using to this mentioned partition maps object vector and "PartitionRef" field from Long Allocation Descriptor. Lack of checking whether "PartitionRef" field is bigger than available amount of partition map objects cause read out of bounds and can lead in some circumstances to arbitrary code execution. Impact ====== A remote attacker is able to use a specially crafted archive that, when processed, is leading to arbitrary code execution. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2334 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2335 http://www.talosintel.com/reports/TALOS-2016-0093/ http://www.talosintel.com/reports/TALOS-2016-0094/