[arch-security] [ASA-201605-24] p7zip: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Wed May 18 16:01:58 UTC 2016 

Arch Linux Security Advisory ASA-201605-24
==========================================

Severity: Critical
Date    : 2016-05-18
CVE-ID  : CVE-2016-2334 CVE-2016-2335
Package : p7zip
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package p7zip before version 15.14.1-2 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 15.14.1-2.

# pacman -Syu "p7zip>=15.14.1-2"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2016-2334 (arbitrary code execution)

An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip
that can lead to arbitrary code execution.
Before decompression, ExtractZlibFile method read block size and its
offset from file and after that read block data into static size buffer
"buf". Because there is no check whether size of block is bigger than
size of "buf", malformed size of block exceeding mentioned "buf" size
will cause buffer overflow and heap corruption.

- CVE-2016-2335 (arbitrary code execution)

An out of bound read vulnerability exists in the
CInArchive::ReadFileItem method functionality of 7zip for handling UDF
files that can lead to denial of service or code execution.
Because volumes can have more than one partition map their objects are
keep in object vector. To start looking for item, method tries to
achieve proper partition object using to this mentioned partition maps
object vector and "PartitionRef" field from Long Allocation Descriptor.
Lack of checking whether "PartitionRef" field is bigger than available
amount of partition map objects cause read out of bounds and can lead
in some circumstances to arbitrary code execution.

Impact
======

A remote attacker is able to use a specially crafted archive that, when
processed, is leading to arbitrary code execution.

References
==========

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2334
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2335
http://www.talosintel.com/reports/TALOS-2016-0093/
http://www.talosintel.com/reports/TALOS-2016-0094/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160518/9c6e562b/attachment.asc>

More information about the arch-security mailing list