[arch-security] [ASA-201605-24] p7zip: arbitrary code execution
anthraxx at archlinux.org
Wed May 18 16:01:58 UTC 2016
Arch Linux Security Advisory ASA-201605-24
Date : 2016-05-18
CVE-ID : CVE-2016-2334 CVE-2016-2335
Package : p7zip
Type : arbitrary code execution
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package p7zip before version 15.14.1-2 is vulnerable to arbitrary
Upgrade to 15.14.1-2.
# pacman -Syu "p7zip>=15.14.1-2"
The problems have been fixed upstream but no release is available yet.
- CVE-2016-2334 (arbitrary code execution)
An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip
that can lead to arbitrary code execution.
Before decompression, ExtractZlibFile method read block size and its
offset from file and after that read block data into static size buffer
"buf". Because there is no check whether size of block is bigger than
size of "buf", malformed size of block exceeding mentioned "buf" size
will cause buffer overflow and heap corruption.
- CVE-2016-2335 (arbitrary code execution)
An out of bound read vulnerability exists in the
CInArchive::ReadFileItem method functionality of 7zip for handling UDF
files that can lead to denial of service or code execution.
Because volumes can have more than one partition map their objects are
keep in object vector. To start looking for item, method tries to
achieve proper partition object using to this mentioned partition maps
object vector and "PartitionRef" field from Long Allocation Descriptor.
Lack of checking whether "PartitionRef" field is bigger than available
amount of partition map objects cause read out of bounds and can lead
in some circumstances to arbitrary code execution.
A remote attacker is able to use a specially crafted archive that, when
processed, is leading to arbitrary code execution.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security