on 0.6.31 (the latest version):
there is an infinite loop and application hang in the unzip_match function (src/runzip.c), which can be triggered by the POC with command lrzip -t $POC
Looking into the unzip_match function (src/runzip.c), we found that in the while loop (line 220), the "offset" could be manipulated by a crafted lrz file (line 208). When offset is set to zero, n will always be zero (line 221), which in turn causes len to always be non-zero, so the infinite loop occurs.
The code segment is:
182 static i64 read_fdhist(rzip_control *control, void *buf, i64 len)
...
208 offset = read_vchars(control, ss, 0, chunk_bytes);
....
220 while (len) {
221 n = MIN(len, offset);
...
237 len -= n;
238 off_buf += n;
239 total += n;
240 }
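The loop above hangs because an offset of 0 makes n = MIN(len, 0) = 0, so len is never decremented. The following is an added model of that loop (not lrzip's own code) with the guard the report implies is missing: the offset decoded from the stream is validated before the loop runs, so a zero offset becomes a decode error instead of a hang. decode_offset is a hypothetical stand-in for read_vchars, the little-endian encoding and the history window size are assumptions, and the two input streams are constructed for the example rather than taken from the POC file.

```c
#include <stdint.h>
#include <stdio.h>

typedef int64_t i64;

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Constructed streams (not the real POC): chunk_bytes == 2 and the match
 * offset is stored little-endian. */
static const unsigned char CRAFTED_OFFSET_ZERO[2] = { 0x00, 0x00 }; /* offset = 0 */
static const unsigned char SANE_OFFSET_FOUR[2]    = { 0x04, 0x00 }; /* offset = 4 */

/* Hypothetical stand-in for lrzip's read_vchars(): assemble an unsigned
 * little-endian integer from chunk_bytes bytes (assumed encoding). */
static i64 decode_offset(const unsigned char *p, int chunk_bytes)
{
    i64 v = 0;
    for (int i = chunk_bytes - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Model of the unzip_match copy loop from the report, plus the check the
 * report shows is missing: offset == 0 gives n == MIN(len, 0) == 0 and len
 * never shrinks. Rejecting offset <= 0 (and, as an extra assumption, offsets
 * beyond the available history) before the loop guarantees n >= 1 on every
 * iteration, so len strictly decreases and the loop terminates.
 * Returns the number of bytes copied, or -1 for a malformed offset. */
static i64 copy_match(i64 len, i64 offset, i64 hist_avail)
{
    if (offset <= 0 || offset > hist_avail)
        return -1;
    i64 total = 0;
    while (len) {
        i64 n = MIN(len, offset);  /* n >= 1 here, so this loop is bounded */
        /* the real code copies n bytes from history and updates the checksum */
        len -= n;
        total += n;
    }
    return total;
}

/* Decode the offset from a stream and run the guarded loop for len bytes. */
static i64 decompress_match(const unsigned char *stream, int chunk_bytes, i64 len)
{
    i64 offset = decode_offset(stream, chunk_bytes);
    const i64 hist_avail = 1 << 20; /* assumed history window size */
    return copy_match(len, offset, hist_avail);
}

int main(void)
{
    /* crafted stream is rejected (-1); sane stream copies all 16 bytes */
    printf("crafted offset: %lld\n", (long long)decompress_match(CRAFTED_OFFSET_ZERO, 2, 16));
    printf("sane offset:    %lld\n", (long long)decompress_match(SANE_OFFSET_FOUR, 2, 16));
    return 0;
}
```

The same shape of check applies to any decoder whose loop progress depends on a length or distance read from untrusted input: validate that the value can make progress before entering the loop, rather than discovering the hang in a timeout.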
POC: https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_infinite-loop_unzip_match.lrz
The gdb backtrace is as follows:
(gdb) bt
#0 0x0000000000455782 in md5_process_bytes ()
#1 0x0000000000434e76 in unzip_match ()
#2 0x0000000000435ae4 in runzip_chunk ()
#3 0x00000000004364a3 in runzip_fd ()
#4 0x0000000000418704 in decompress_file ()
#5 0x000000000040d0f4 in main ()