Mailinglist Archive: opensuse-bugs (4283 mails)

< Previous Next >
[Bug 1037924] New: VUL-1: lrzip: NULL pointer dereference in join_pthread (stream.c)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 07 May 2017 20:40:13 +0000
  • Message-id: <bug-1037924-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1037924


Bug ID: 1037924
Summary: VUL-1: lrzip: NULL pointer dereference in join_pthread
(stream.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Created attachment 724062
--> http://bugzilla.opensuse.org/attachment.cgi?id=724062&action=edit
00231-lrzip-nullptr-join_pthread_reproducer

Ref:
https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/
==============================================================
Description:
lrzip is a compression utility that excels at compressing large files.

The complete ASan output of the issue:

# lrzip -t $FILE
==1329==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002d0 (pc
0x7fa931ad7660 bp 0x7ffff4a30c30 sp 0x7ffff4a309f8 T0)
==1329==The signal is caused by a READ memory access.
==1329==Hint: address points to the zero page.
#0 0x7fa931ad765f
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_join.c:34
#1 0x53ee0d in join_pthread
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:147:6
#2 0x53ee0d in fill_buffer
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1697
#3 0x53ee0d in read_stream
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755
#4 0x531075 in unzip_literal
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16
#5 0x531075 in runzip_chunk
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320
#6 0x531075 in runzip_fd
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382
#7 0x519b41 in decompress_file
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6
#8 0x511074 in main
/tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4
#9 0x7fa930d3a78f in __libc_start_main
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#10 0x41abf8 in _init (/usr/bin/lrzip+0x41abf8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_join.c:34
==1329==ABORTING

Affected version:
0.631

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00231-lrzip-nullptr-join_pthread

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-05-07: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

lrzip: NULL pointer dereference in join_pthread (stream.c)
==============================================================


(open-)SUSE: https://software.opensuse.org/package/lrzip

0.631 (TW, official repo)
0.621 (42.{1,2}, official repo)

==============================================================
k_mikhail@linux-mk500:~> lrzip -t 00231-lrzip-nullptr-join_pthread
Decompressing...
Ошибка сегментирования (core dumped)

k_mikhail@linux-mk500:~> lrzip --version
lrzip version 0.621
==============================================================

--
You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
Follow Ups