Headline

CVE-2018-5786: Infinite Loop Vulnerability in get_fileinfo (src/lrzip.c) · Issue #91 · ckolivas/lrzip

In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and application hang in the get_fileinfo function (lrzip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.

6 years ago

CVE

Open in Source

#vulnerability #linux #debian #dos

Hi,

Sorry to dig old bugs, I’m part of Debian LTS (Long Term Support) and while looking at this issue, it seems it never got fixed, despite safeguards such as 399336e.

During my tests I couldn’t find a lrzip version that avoids the infinite loop.
Note: unlike all other CVEs fixes surrounding this one, this CVE is triggered with the -i flag (not -t).

Current master (e5e9a61) debug log:

# gdb --args ../master/lrzip/lrzip -i lrzip_0-631_lrzip_infinite-loop_get_fileinfo.lrz
(gdb) run
Starting program: /usr/src/lrzip/master/lrzip/lrzip -i lrzip_0-631_lrzip_infinite-loop_get_fileinfo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
^C
Program received signal SIGINT, Interrupt.
0x00007ffff736e210 in __read_nocancel () from /lib/x86_64-linux-gnu/libpthread.so.0
(gdb) bt
#0  0x00007ffff736e210 in __read_nocancel () from /lib/x86_64-linux-gnu/libpthread.so.0
#1  0x000055555555d74a in get_header_info (control=control@entry=0x5555557989c0 <local_control>, fd_in=fd_in@entry=3, ctype=ctype@entry=0x7fffffffe1e7 "\003\032", 
    c_len=c_len@entry=0x7fffffffe1f0, u_len=u_len@entry=0x7fffffffe1e8, last_head=last_head@entry=0x7fffffffe1f8, chunk_bytes=2) at lrzip.c:956
#2  0x000055555555df72 in get_fileinfo (control=0x5555557989c0 <local_control>) at lrzip.c:1103
#3  0x0000555555558147 in main (argc=<optimized out>, argv=<optimized out>) at main.c:722
(gdb) frame 2
#2  0x000055555555df72 in get_fileinfo (control=0x5555557989c0 <local_control>) at lrzip.c:1103
1103                if (unlikely(!get_header_info(control, fd_in, &ctype, &c_len, &u_len,
(gdb) list
1098                second_last = last_head;
1099                if (unlikely(last_head + ofs > infile_size))
1100                    failure_goto(("Offset greater than archive size, likely corrupted/truncated archive.\n"), error);
1101                if (unlikely((head_off = lseek(fd_in, last_head + ofs, SEEK_SET)) == -1))
1102                    fatal_goto(("Failed to seek to header data in get_fileinfo\n"), error);
1103                if (unlikely(!get_header_info(control, fd_in, &ctype, &c_len, &u_len,
1104                        &last_head, chunk_byte)))
1105                    return false;
1106                if (unlikely(last_head < 0 || c_len < 0 || u_len < 0))
1107                    failure_goto(("Entry negative, likely corrupted archive.\n"), error);

Can you confirm?

Related news

Ubuntu Security Notice USN-5840-1

Ubuntu Security Notice 5840-1 - It was discovered that Long Range ZIP incorrectly handled pointers. If a user or an automated system were tricked into opening a certain specially crafted ZIP file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. It was discovered that Long Range ZIP incorrectly handled pointers. If a user or an automated system were tricked into opening a certain specially crafted ZIP file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

1 year ago

Packet Storm

Open in Source

#vulnerability #ubuntu #dos #git