Alerts This Week
Warning Icon 1 637
Alerts This Week
Warning Icon 1 637

Arch Linux: 201605-24 Critical: P7Zip Code Execution Risk

Calendar May 18, 2016 User Avatar LinuxSecurity Advisories
1 - 2 min read
Archlinux Large Esm H500
Topics%20covered

Topics Covered

security advisory critical arbitrary code execution package upgrade Arch Linux p7zip
The package p7zip before version 15.14.1-2 is vulnerable to arbitrary code execution. 
Arch Linux Security Advisory ASA-201605-24
=========================================
Severity: Critical
Date    : 2016-05-18
CVE-ID  : CVE-2016-2334 CVE-2016-2335
Package : p7zip
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package p7zip before version 15.14.1-2 is vulnerable to arbitrary
code execution.

Resolution
=========
Upgrade to 15.14.1-2.

# pacman -Syu "p7zip>=15.14.1-2"

The problems have been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
- CVE-2016-2334 (arbitrary code execution)

An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip
that can lead to arbitrary code execution.
Before decompression, ExtractZlibFile method read block size and its
offset from file and after that read block data into static size buffer
"buf". Because there is no check whether size of block is bigger than
size of "buf", malformed size of block exceeding mentioned "buf" size
will cause buffer overflow and heap corruption.

- CVE-2016-2335 (arbitrary code execution)

An out of bound read vulnerability exists in the
CInArchive::ReadFileItem method functionality of 7zip for handling UDF
files that can lead to denial of service or code execution.
Because volumes can have more than one partition map their objects are
keep in object vector. To start looking for item, method tries to
achieve proper partition object using to this mentioned partition maps
object vector and "PartitionRef" field from Long Allocation Descriptor.
Lack of checking whether "PartitionRef" field is bigger than available
amount of partition map objects cause read out of bounds and can lead
in some circumstances to arbitrary code execution.

Impact
=====
A remote attacker is able to use a specially crafted archive that, when
processed, is leading to arbitrary code execution.

References
=========
https://www.cve.org/CVERecord?id=CVE-2016-2334
https://www.cve.org/CVERecord?id=CVE-2016-2335
https://talosintelligence.com/vulnerability_reports/TALOS-2016-0093/
https://talosintelligence.com/vulnerability_reports/TALOS-2016-0094/

Related News

Your message here