CVE-2020-25467: Bug #1893641 “segmentation fault in lzo_decompress_buf, stream.c...” : Bugs : lrzip package : Ubuntu
A null pointer dereference was discovered in lzo_decompress_buf in stream.c in lrzip 0.621 which allows an attacker to cause a denial of service (DoS) via a crafted compressed file.
Bug #1893641 reported by Doudou Huang on 2020-08-31
This bug affects 1 person
Affects: lrzip (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:
Bug Description
Hi, there.
There is an invalid memory access in lzo_decompress_buf, stream.c:589, in lrzip version 0.621 (newest branch, 597be1f).
According to the trace, it seems to be an incomplete fix of CVE-2017-8845 and CVE-2019-10654.
System:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"
To reproduce, run:
lrzip -t seg-stream589
This is the output from the terminal:
Decompressing…
Segmentation fault
This is the trace reported by ASAN:
==177389==ERROR: AddressSanitizer: SEGV on unknown address 0x606000010000 (pc 0x7f19986a0144 bp 0x62100001cd54 sp 0x7f1994afed60 T1)
#0 0x7f19986a0143 in lzo1x_decompress (/lib/x86_64-linux-gnu/liblzo2.so.2+0x13143)
#1 0x43faff in lzo_decompress_buf …/stream.c:589
#2 0x43faff in ucompthread …/stream.c:1529
#3 0x7f199804d6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#4 0x7f199747f41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 lzo1x_decompress
Thread T1 created by T0 here:
#0 0x7f19988e51e3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x361e3)
#1 0x451505 in create_pthread …/stream.c:133
#2 0x451505 in fill_buffer …/stream.c:1694
#3 0x451505 in read_stream …/stream.c:1781
#4 0x18 (<unknown module>)
==177389==ABORTING
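Frame #0 of the trace above is lzo1x_decompress, the liblzo2 entry point that trusts the lengths and match distances it reads from the compressed stream; liblzo2 also ships lzo1x_decompress_safe, which validates them and reports LZO_E_INPUT_OVERRUN, LZO_E_OUTPUT_OVERRUN or LZO_E_LOOKBEHIND_OVERRUN instead of faulting. The following is an added example, not code from lrzip, liblzo2 or the reporter: it uses a hypothetical toy LZ token format (not LZO1X) to show, side by side, the unchecked decoder shape that crashes on a crafted file and the bounds-checked form that rejects it. All names (toy_decompress_unsafe, toy_decompress_safe, the TOY_E_* codes, the SAMPLE_* streams) are invented for the illustration, and the sample streams are constructed by hand.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy LZ stream (an illustration only, not the LZO1X format):
 *   token 0x00..0x7F : literal run, (token + 1) raw bytes follow
 *   token 0x80..0xFF : match of length (token & 0x7F) + 3; the next byte is
 *                      the backward distance (1..255) into output written so far */

enum { TOY_OK = 0, TOY_E_INPUT_OVERRUN = -1, TOY_E_OUTPUT_OVERRUN = -2,
       TOY_E_LOOKBEHIND_OVERRUN = -3 };

/* Unchecked decoder: every length and distance is trusted as it comes off the
 * file. A crafted stream makes it read or write outside in[] and out[], which
 * is the shape of the SEGV in the trace above. Never call this on untrusted data. */
size_t toy_decompress_unsafe(const unsigned char *in, size_t in_len, unsigned char *out)
{
    const unsigned char *ip = in, *ip_end = in + in_len;
    unsigned char *op = out;
    while (ip < ip_end) {
        unsigned char t = *ip++;
        if (t < 0x80) {
            size_t n = (size_t)t + 1;
            memcpy(op, ip, n);                  /* reads past in_len on a short literal run */
            ip += n; op += n;
        } else {
            size_t n = (size_t)(t & 0x7F) + 3;
            size_t off = *ip++;                 /* may read one byte past the input */
            const unsigned char *m = op - off;  /* may point before out[] */
            while (n--) *op++ = *m++;           /* never checks the output capacity */
        }
    }
    return (size_t)(op - out);
}

/* Bounds-checked decoder: returns an error instead of touching memory outside
 * in[0..in_len) or out[0..out_cap). On success *out_len is the decoded size. */
int toy_decompress_safe(const unsigned char *in, size_t in_len,
                        unsigned char *out, size_t out_cap, size_t *out_len)
{
    const unsigned char *ip = in, *ip_end = in + in_len;
    unsigned char *op = out, *op_end = out + out_cap;
    while (ip < ip_end) {
        unsigned char t = *ip++;
        if (t < 0x80) {
            size_t n = (size_t)t + 1;
            if ((size_t)(ip_end - ip) < n) return TOY_E_INPUT_OVERRUN;
            if ((size_t)(op_end - op) < n) return TOY_E_OUTPUT_OVERRUN;
            memcpy(op, ip, n);
            ip += n; op += n;
        } else {
            size_t n = (size_t)(t & 0x7F) + 3;
            if (ip >= ip_end) return TOY_E_INPUT_OVERRUN;     /* distance byte missing */
            size_t off = *ip++;
            /* the match must point inside output already produced */
            if (off == 0 || off > (size_t)(op - out)) return TOY_E_LOOKBEHIND_OVERRUN;
            if ((size_t)(op_end - op) < n) return TOY_E_OUTPUT_OVERRUN;
            const unsigned char *m = op - off;
            while (n--) *op++ = *m++;   /* byte copy so overlapping matches (off < n) repeat correctly */
        }
    }
    *out_len = (size_t)(op - out);
    return TOY_OK;
}

/* Constructed sample streams (hand-built for this example). */
static const unsigned char SAMPLE_GOOD[]      = { 0x02, 'a', 'b', 'c', 0x83, 0x03 }; /* "abc" + match(len 6, dist 3) */
static const unsigned char SAMPLE_LOOKBEHIND[] = { 0x00, 'x', 0x83, 0x10 };           /* dist 16 with 1 byte of history */
static const unsigned char SAMPLE_TRUNCATED[]  = { 0x7F, 'y', 'z' };                  /* promises 128 literals, has 2 */

int demo_safe_good(void)
{
    unsigned char out[64]; size_t n = 0;
    int rc = toy_decompress_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out, sizeof out, &n);
    return rc == TOY_OK && n == 9 && memcmp(out, "abcabcabc", 9) == 0;
}
size_t demo_unsafe_good(void)
{
    unsigned char out[64];
    return toy_decompress_unsafe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out);
}
int demo_lookbehind(void)
{
    unsigned char out[64]; size_t n = 0;
    return toy_decompress_safe(SAMPLE_LOOKBEHIND, sizeof SAMPLE_LOOKBEHIND, out, sizeof out, &n);
}
int demo_truncated(void)
{
    unsigned char out[64]; size_t n = 0;
    return toy_decompress_safe(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, out, sizeof out, &n);
}
int demo_output_overrun(void)
{
    unsigned char out[4]; size_t n = 0;  /* valid stream, but the caller's buffer is too small */
    return toy_decompress_safe(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out, sizeof out, &n);
}

int main(void)
{
    printf("safe/good: %s (unsafe decoded %zu bytes)\n", demo_safe_good() ? "ok" : "FAIL", demo_unsafe_good());
    printf("lookbehind crafted: rc=%d\n", demo_lookbehind());
    printf("truncated crafted:  rc=%d\n", demo_truncated());
    printf("small out buffer:   rc=%d\n", demo_output_overrun());
    return 0;
}
```

The crafted streams are only ever fed to the checked decoder; feeding them to toy_decompress_unsafe is undefined behaviour of exactly the kind AddressSanitizer flagged above. When triaging a report like this one, the first thing to confirm is which of the two liblzo2 entry points the decompressor calls and whether the output buffer capacity passed in matches what the stream header claims.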