Mailinglist Archive: opensuse-bugs (4283 mails)

< Previous Next >
[Bug 1037922] New: VUL-1: lrzip: divide-by-zero in bufRead::get (libzpaq.h)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 07 May 2017 20:27:52 +0000
  • Message-id: <bug-1037922-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1037922


Bug ID: 1037922
Summary: VUL-1: lrzip: divide-by-zero in bufRead::get
(libzpaq.h)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Created attachment 724060
--> http://bugzilla.opensuse.org/attachment.cgi?id=724060&action=edit
00228-lrzip-fpe-bufRead-get_reproducer

Ref:
https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/
=============================================================

Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
Decompressing...
ASAN:DEADLYSIGNAL
=================================================================
==8026==ERROR: AddressSanitizer: FPE on unknown address 0x0000005e7957 (pc
0x0000005e7957 bp 0x7fcdf9ba58d0 sp 0x7fcdf9ba5870 T1)
#0 0x5e7956 in bufRead::get()
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:468:41
#1 0x5856f1 in libzpaq::Decompresser::findBlock(double*)
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1236:21
#2 0x55f79a in libzpaq::decompress(libzpaq::Reader*, libzpaq::Writer*)
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.cpp:1363:12
#3 0x55f4e2 in zpaq_decompress
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:538:2
#4 0x54b3a4 in zpaq_decompress_buf
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:453:2
#5 0x54b3a4 in ucompthread
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1534
#6 0x7fd33c0594a3 in start_thread
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_create.c:333
#7 0x7fd33b38466c in clone
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/libzpaq/libzpaq.h:468:41 in
bufRead::get()
Thread T1 created by T0 here:
#0 0x42d49d in pthread_create
/tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:245

#1 0x53e70f in create_pthread
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:133:6
#2 0x53e70f in fill_buffer
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1673
#3 0x53e70f in read_stream
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
#4 0x5303e3 in read_u8
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:55:6
#5 0x5303e3 in read_header
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:144
#6 0x5303e3 in runzip_chunk
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:314
#7 0x5303e3 in runzip_fd
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
#8 0x519b41 in decompress_file
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
#9 0x511074 in main
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
#10 0x7fd33b2bd78f in __libc_start_main
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

==8026==ABORTING

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00228-lrzip-fpe-bufRead-get

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

lrzip: divide-by-zero in bufRead::get (libzpaq.h)
=============================================================


(open-)SUSE: https://software.opensuse.org/package/lrzip

0.631 (TW, official repo)
0.621 (42.{1,2}, official repo)

=============================================================
k_mikhail@linux-mk500:~> lrzip -t 00228-lrzip-fpe-bufRead-get
Decompressing...
Исключение в операции с плавающей точкой
(core dumped)

k_mikhail@linux-mk500:~> lrzip --version
lrzip version 0.621
=============================================================

Исключение в операции с плавающей точкой
(ru) = Floating point operation
exception (en)

--
You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
Follow Ups