http://bugzilla.opensuse.org/show_bug.cgi?id=1037924 Bug ID: 1037924 Summary: VUL-1: lrzip: NULL pointer dereference in join_pthread (stream.c) Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 724062 --> http://bugzilla.opensuse.org/attachment.cgi?id=724062&action=edit 00231-lrzip-nullptr-join_pthread_reproducer Ref: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-jo... ============================================================== Description: lrzip is a compression utility that excels at compressing large files. The complete ASan output of the issue: # lrzip -t $FILE ==1329==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002d0 (pc 0x7fa931ad7660 bp 0x7ffff4a30c30 sp 0x7ffff4a309f8 T0) ==1329==The signal is caused by a READ memory access. ==1329==Hint: address points to the zero page. #0 0x7fa931ad765f /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_join.c:34 #1 0x53ee0d in join_pthread /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:147:6 #2 0x53ee0d in fill_buffer /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1697 #3 0x53ee0d in read_stream /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/stream.c:1755 #4 0x531075 in unzip_literal /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:162:16 #5 0x531075 in runzip_chunk /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:320 #6 0x531075 in runzip_fd /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/runzip.c:382 #7 0x519b41 in decompress_file /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/lrzip.c:826:6 #8 0x511074 in main /tmp/portage/app-arch/lrzip-0.631/work/lrzip-0.631/main.c:669:4 #9 0x7fa930d3a78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #10 0x41abf8 in _init (/usr/bin/lrzip+0x41abf8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/nptl/pthread_join.c:34 ==1329==ABORTING Affected version: 0.631 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00231-lrzip-nullptr-join_pthread Timeline: 2017-03-24: bug discovered and reported to upstream 2017-05-07: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: lrzip: NULL pointer dereference in join_pthread (stream.c) ============================================================== (open-)SUSE: https://software.opensuse.org/package/lrzip 0.631 (TW, official repo) 0.621 (42.{1,2}, official repo) ============================================================== k_mikhail@linux-mk500:~> lrzip -t 00231-lrzip-nullptr-join_pthread Decompressing... Ошибка сегментирования (core dumped) k_mikhail@linux-mk500:~> lrzip --version lrzip version 0.621 ============================================================== -- You are receiving this mail because: You are on the CC list for the bug.