CVE-2023-39741: heap-buffer-overflow in libzpaq/libzpaq.cpp:1208:25 libzpaq::PostProcessor::write(int) · Issue #246 · ckolivas/lrzip
lrzip v0.651 was discovered to contain a heap overflow via the libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.
@carnil, The actual bug is in ZPAQ. The SDK used here is old. The last SDK (before Matt Mahoney retired), 7.15, has more robust error checking. Using @huanglei3 POC file…
There’s a limit to how much error prevention can be done. If you examine the code in stream.c and other files, you will see exhaustive data checks. A solution is either to update the zpaq SDK like I did with lrzip-next or examine the libzpaq.cpp file at lines 1311 and 1208. Or you can try the preventative fix posted above.
I get tired of these attempts to make a program fail. I’d rather people would try and make the programs better. Contribute code.
Fill_buffer stream 1 c_len 981 u_len 6036 last_head 1019
Starting thread 1 to decompress 981 bytes from stream 1
Reading ucomp header at 1048
Fill_buffer stream 1 c_len 0 u_len 0 last_head 0
Skipping empty match block
ZPAQ 2:21%
Thread 3 "lrzip" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7a1e6c0 (LWP 8576)]
libzpaq::PostProcessor::write (this=0x7ffff7a1dc70, c=0) at libzpaq/libzpaq.cpp:1208
1208 z.header[z.hend++]=c; // one byte of pcomp
(gdb) info stack
#0 libzpaq::PostProcessor::write (this=0x7ffff7a1dc70, c=0) at libzpaq/libzpaq.cpp:1208
#1 0x0000555555582ce4 in libzpaq::Decompresser::decompress (this=0x7ffff7a02b60, n=-1) at libzpaq/libzpaq.cpp:1311
#2 0x0000555555582f15 in libzpaq::decompress (in=0x7ffff7a1ddc0, out=0x7ffff7a1dda0) at libzpaq/libzpaq.cpp:1366
#3 0x000055555557a729 in zpaq_decompress (s_buf=0x7ffff0000b70 "", d_len=0x7ffff7a1de68, c_buf=0x5555555ca160 "zPQ\001", <incomplete sequence \304>, c_len=697, msgout=0x7ffff7bf2760 <_IO_2_1_stdout_>, progress=true,
thread=1) at libzpaq/libzpaq.h:539
#4 0x000055555556d063 in zpaq_decompress_buf (control=0x5555555aed40 <local_control>, ucthread=0x5555555c85e0, thread=1) at stream.c:446
#5 0x000055555557190e in ucompthread (data=0x0) at stream.c:1566
#6 0x00007ffff7aa8044 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#7 0x00007ffff7b285fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Using SDK 7.15 from lrzip-next
Fill_buffer stream 1 c_len 0 u_len 0 last_head 0
Skipping empty match block
ZPAQ Error: Empty PCOMP
[Inferior 1 (process 13034) exited with code 01]
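The crashing statement in the backtrace, z.header[z.hend++]=c, appends a PCOMP byte with no bound on hend. The following is an added C example written for this page, not code from libzpaq or lrzip: it places that unchecked append beside a bounded version that returns an error when the header buffer is full, and rejects an empty PCOMP section up front, which is the failure the thread reports the 7.15 SDK catching ("ZPAQ Error: Empty PCOMP"). The pp_state struct, HEADER_CAP, the status codes, load_pcomp and the demo_* helpers are all assumptions for the demonstration and do not describe the real SDK's layout.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical stand-in for the post-processor state: a fixed-size header
 * buffer plus a write cursor. The capacity is constructed for this demo. */
#define HEADER_CAP 64

typedef struct {
    uint8_t header[HEADER_CAP];
    size_t  hend;   /* next free slot; advanced on every write */
} pp_state;

enum pp_status {
    PP_OK = 0,
    PP_ERR_HEADER_FULL = -1,   /* write would run past header[] */
    PP_ERR_EMPTY_PCOMP = -2    /* no PCOMP bytes at all */
};

/* Unchecked append, same shape as the statement at the crash site.
 * Shown only for contrast; never fed untrusted data. */
static void write_unchecked(pp_state *z, int c)
{
    z->header[z->hend++] = (uint8_t)c;   /* no bound on hend */
}

/* Bounded append: refuse the byte instead of writing past the buffer. */
static enum pp_status write_checked(pp_state *z, int c)
{
    if (z->hend >= HEADER_CAP)
        return PP_ERR_HEADER_FULL;
    z->header[z->hend++] = (uint8_t)c;
    return PP_OK;
}

/* Feed a PCOMP section through write_checked. An empty section is rejected
 * before any write happens; the first write error stops the load. */
static enum pp_status load_pcomp(pp_state *z, const uint8_t *pcomp, size_t len)
{
    if (len == 0 || pcomp == NULL)
        return PP_ERR_EMPTY_PCOMP;
    for (size_t i = 0; i < len; i++) {
        enum pp_status s = write_checked(z, pcomp[i]);
        if (s != PP_OK)
            return s;
    }
    return PP_OK;
}

/* Constructed input: load `len` filler bytes into a fresh state and report
 * the status (len is capped at twice the buffer so the demo stays in bounds). */
static enum pp_status demo_load(size_t len, size_t *hend_out)
{
    uint8_t buf[2 * HEADER_CAP];
    pp_state z;
    enum pp_status s;

    if (len > sizeof buf)
        len = sizeof buf;
    memset(buf, 0x5a, sizeof buf);
    memset(&z, 0, sizeof z);
    s = load_pcomp(&z, buf, len);
    if (hend_out)
        *hend_out = z.hend;
    return s;
}

/* Final write cursor after loading `len` bytes; the checked path never lets
 * it exceed HEADER_CAP. */
static size_t demo_final_hend(size_t len)
{
    size_t h = 0;
    (void)demo_load(len, &h);
    return h;
}

int main(void)
{
    pp_state z;
    memset(&z, 0, sizeof z);
    write_unchecked(&z, 'x');   /* one byte into an empty buffer: safe here */

    printf("empty pcomp  -> %d\n", (int)demo_load(0, NULL));
    printf("3 bytes      -> %d (hend %zu)\n", (int)demo_load(3, NULL), demo_final_hend(3));
    printf("cap+1 bytes  -> %d (hend %zu)\n",
           (int)demo_load(HEADER_CAP + 1, NULL), demo_final_hend(HEADER_CAP + 1));
    return 0;
}
```

The point for a reviewer of a decoder like this is that every byte copied from the input into a fixed buffer needs a check against the buffer's capacity, and that structural oddities such as a zero-length section are better reported as errors at the point they are parsed than discovered later as an out-of-bounds write.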