#293 CVE-2022-35020 advancecomp: heap buffer overflow via the component inflate()

Milestone: other
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2022-11-23
Created: 2022-11-22
Creator: Ben Beasley
Private: No

Advancecomp v2.3 was discovered to contain a heap buffer overflow via the component inflate().

https://drive.google.com/file/d/1ScTmAEmHSHvmyDnELYV1DzQTAAAm7XS9/view?usp=sharing
https://github.com/Cvjark/Poc/blob/main/advancecomp/CVE-2022-35020.md

This was reported downstream in Fedora Linux and Fedora EPEL, where I’m the current maintainer of the advancecomp package.

https://bugzilla.redhat.com/show_bug.cgi?id=2127394

Discussion

  • Andrea Mazzoleni

    • status: open --> closed-fixed
     
  • Andrea Mazzoleni

    Fixed in GitHub with the commit "Check size of the delta buffer".

    Here is the check of all bugs:

    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advmng -z id0_command_advmng_-z_SEGV_sample_No.1
    Corrupt compressed data on id0_command_advmng_-z_SEGV_sample_No.1 [at void throw_png_error():pngex.h:37]
    
    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advmng -z id2_command_advmng_-z_heap-buffer-overflow_sample_No.1
    Corrupt compressed data in IDAT chunk on id2_command_advmng_-z_heap-buffer-overflow_sample_No.1 [at void throw_png_error():pngex.h:37]
    
    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advmng -z id30_command_advmng_-z_heap-buffer-overflow_sample_No.2
    Invalid move on id30_command_advmng_-z_heap-buffer-overflow_sample_No.2 [at void throw_png_error():pngex.h:37]
    
    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advmng -z id4_command_advmng_-z_SEGV_sample_No.2
    Invalid move on id4_command_advmng_-z_SEGV_sample_No.2 [at void throw_png_error():pngex.h:37]
    
    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advmng -z id54_command_advmng_-z_SEGV_sample_No.3
    Invalid move on id54_command_advmng_-z_SEGV_sample_No.3 [at void throw_png_error():pngex.h:37]
    
    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advzip -z id0_command_advzip_-x_heap-buffer-overflow_sample_No.1
    Truncated end of central dir on id0_command_advzip_-x_heap-buffer-overflow_sample_No.1
    
    am@redstar:/mnt/bag/home/am/data/src/advancecomp/FIXED (master)$ ../advzip -z id1_command_advzip_-x_heap-buffer-overflow_sample_No.2
    Truncated end of central dir on id1_command_advzip_-x_heap-buffer-overflow_sample_No.2
    
     
  • Ben Beasley

    Ben Beasley - 2022-11-23

    Thank you for the quick investigation and fix.

     
