
#204 CVE-2017-17969: ZIP Shrink: Heap Buffer Overflow

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-02-05
Created: 2018-01-26
Private: No

Hi,

I received this bug in Debian

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888297

p7zip, p7zip-full and the non-free component p7zip-rar are affected by two
vulnerabilities:
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/?hn

In particular, the RAR3 and LZW algorithm implementations are susceptible to
memory corruption and may compromise a system through specially crafted
archives.

These issues have already been fixed upstream, and a new version of p7zip
(18.0) is available.

Please update all p7zip* packages to their latest versions as soon as possible.

7zip 18.0 beta is available, but, contrary to what the bug reporter says, I cannot find appropriate fixes for p7zip anywhere.

Regards,
robert

Discussion

  • aONe

    aONe - 2018-01-26

    It was fixed in 7zip (18.00), as I read from the landave's post. Not in p7zip yet...

     
  • The Anarcat

    The Anarcat - 2018-01-26

    I reviewed the code in 18.00-beta and it seems reasonable. I worked on a simple patch for this, attached, for review.

     
    • Sérgio M. Basto

      ah your patch is against p7zip-9.20

       

      Last edit: Sérgio M. Basto 2018-01-27
  • Sérgio M. Basto

    The patch doesn't build against p7zip-16.02 because 'kEmpty' was not declared in this scope ...

     

    Last edit: Sérgio M. Basto 2018-01-27
  • aONe

    aONe - 2018-01-27

    I saw so few changes on that patch... My diff from 16.02 to 18.00 on this file is way longer.

     
  • aONe

    aONe - 2018-01-27

    Sérgio, you've deleted your patch? Does any of you have a Shrink-created zip file to test this patch on a fixed build?

     

    Last edit: aONe 2018-01-27
    • Sérgio M. Basto

      I deleted it because "'kEmpty' was not declared in this scope", so for sure it was not correct!

       
  • The Anarcat

    The Anarcat - 2018-02-01

    Sérgio, you've deleted your patch? Does any of you have a Shrink-created zip file to test this patch on a fixed build?

    I wish I did as well. I asked the original researcher for a reproducer yesterday, still no news. In the meantime, I have an updated patch which compiles correctly and doesn't seem to cause regression in the normal non-shrink code paths in my summary tests, attached.

    For what it's worth, upstream 7zip version 18 has a large diff:

    454 files changed, 19621 insertions(+), 9865 deletions(-)

    ... but those that concern us are fairly small:

    CPP/7zip/Compress/ShrinkDecoder.cpp | 182 +
    CPP/7zip/Compress/ShrinkDecoder.h | 17

    I have assumed (maybe wrongly) that only a part of that diff is relevant to the security issue, but maybe that is incorrect.

    Please review!

     
  • The Anarcat

    The Anarcat - 2018-02-01

    After discussions with the original researcher, the following minimal patch should now be sufficient.

    I unfortunately could not get access to the proof of concept either, so this is only validated by the original researcher.

     
  • The Anarcat

    The Anarcat - 2018-02-02

    That latest patch will be released in Debian security update channels shortly.

     
    • Sérgio M. Basto

      Both patches aren't applicable to p7zip_16.02 ...

       
  • aONe

    aONe - 2018-02-05

    Same patch from @The Anarcat to apply in 16.02. Let's not forget this patch is just for CVE-2017-17969, maybe the most dangerous is CVE-2018-5996 which affects RAR.

     

    Last edit: aONe 2018-02-05
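Several comments above ask for a Shrink-created zip file and note that only the Shrink decoder is affected by CVE-2017-17969. Until a patched p7zip is installed, one practical control is to inventory archives for entries that use the Shrink method before handing them to the unpatched decoder. The script below is an added example for this ticket, not code from p7zip or from any commenter; it parses the ZIP central directory by hand (the method id for Shrink is 1 in the ZIP specification), cross-checks the result with Python's zipfile module, and builds its own sample archive inline. The bytes it stores under the Shrink method are constructed placeholder data, not a real Shrink stream, so this is a detection aid, not a reproducer.

```python
"""Flag ZIP entries that use the legacy Shrink (LZW) compression method (id 1).

Added example for this ticket, not p7zip code. The sample archive is constructed
here; its "Shrink" payload is placeholder bytes, not a real LZW stream.
"""
import io
import struct
import zipfile
import zlib

SHRINK_METHOD = 1                      # compression method id for Shrink (ZIP spec)
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
CENTRAL_FMT, EOCD_FMT = "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"   # 46 and 22 bytes


def build_zip(entries):
    """Build a minimal ZIP from (name, payload, method, uncompressed_size) tuples.

    Constructed for the example: one local header plus one central directory
    record per entry, then the end-of-central-directory (EOCD) record.
    """
    body, central = bytearray(), bytearray()
    for name, payload, method, usize in entries:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, method, 0, 0,
                            crc, len(payload), usize, len(name), 0)
        body += name + payload
        central += struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, method,
                               0, 0, crc, len(payload), usize, len(name),
                               0, 0, 0, 0, 0, offset)
        central += name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def list_methods(data):
    """Return [(name, method_id)] for every central directory record."""
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, count, _cd_size, cd_offset, _ = struct.unpack_from(
        EOCD_FMT, data, eocd_at)
    result, pos = [], cd_offset
    for _ in range(count):
        fields = struct.unpack_from(CENTRAL_FMT, data, pos)
        if fields[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        method, name_len, extra_len, comment_len = fields[4], fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        result.append((name, method))
        pos += 46 + name_len + extra_len + comment_len   # skip name, extra, comment
    return result


def shrink_entries(data):
    """Names of entries stored with the Shrink method, by our own parser."""
    return [name for name, method in list_methods(data) if method == SHRINK_METHOD]


def shrink_entries_via_zipfile(data):
    """Same check using the standard library, as an independent cross-check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.compress_type == SHRINK_METHOD]


# Constructed sample: one stored entry and one entry labelled as Shrink with
# placeholder bytes (not a valid Shrink stream; we never try to decode it).
SAMPLE_ZIP = build_zip([
    (b"readme.txt", b"plain stored text", 0, len(b"plain stored text")),
    (b"legacy.txt", b"\x00\x01\x02\x03", SHRINK_METHOD, 16),
])

if __name__ == "__main__":
    for name, method in list_methods(SAMPLE_ZIP):
        flag = "  <-- Shrink, keep away from unpatched decoders" if method == SHRINK_METHOD else ""
        print("%-12s method=%d%s" % (name, method, flag))
```

To scan real archives, read the file's bytes and call shrink_entries on them; an archive with any flagged entry can be held back or routed to a build that carries the 18.00 ShrinkDecoder fix. Since only the central directory is read and nothing is decompressed, the check itself never exercises the vulnerable code path.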
