
A Null Pointer Dereference Bug of p7zip(including the latest p7zip_16.02)

ossecurity
2016-11-03
2017-01-04
  • ossecurity

    ossecurity - 2016-11-03

    Dear p7zip developers,
    We found a new null pointer dereference bug in p7zip. Here we share the information and hope you can fix it.

    Null Pointer Dereference Bug of p7zip

    1. Bug Overview
    A null pointer dereference bug affects the current and many old versions of p7zip. It is caused by a missing check on the array variable folders.PackPositions after an initialization loop. More details are given in Table 1. 7-Zip is a file archiver and p7zip is its Linux port.
    The detailed bug report and PoC are uploaded in this GitHub repository.

    Table 1 A null pointer dereference bug of p7zip

    Item           Content
    Software       p7zip
    Program        7za, 7z, 7zr
    Version        At least 16.02, 15.14.1, 15.14, 15.09, 9.38.1, 9.38
    Platform       32-bit and 64-bit Linux
    Cause&Effect   A missing null pointer check on the variable folders.PackPositions in the function CInArchive::ReadAndDecodePackedStreams in CPP/7zip/Archive/7z/7zIn.cpp causes a crash of p7zip when decoding malformed 7z files.
    CWE            CWE-476, NULL Pointer Dereference

    2. Bug Details
    2.1. Proof of Concept (PoC)
    2.1.1. How to Trigger It
    Here is an example of triggering this bug on Ubuntu 14.04 i386 LTS.

    cd p7zip
    cp makefile.linux_x32 makefile
    make                          # or "make 7z" / "make 7zr"; creates bin/7za (bin/7z or bin/7zr)
    cd bin/
    ./7za x exploit.7z output     # exploit.7z is the malformed input file
    

    Here is the crash output. Download exploit.7z to verify it.

    $ ./7za x exploit.7z output
    
    7-Zip (a) [32] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
    p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,32 bits,4 CPUs x86)
    
    Scanning the drive for archives:
    1 file, 146 bytes (1 KiB)
    
    Extracting archive: exploit.7z
    Segmentation fault (core dumped)
    

    The following code snippet, located in CPP/7zip/Archive/7z/7zIn.cpp, shows the key cause of this error. The developer may have missed the situation in which the for loop is executed zero times and folders.PackPositions is null at the same time. Thus it causes the null pointer dereference and the program crash.

    HRESULT CInArchive::ReadAndDecodePackedStreams(...)
    {
      ...
      ReadStreamsInfo(...);
    
      CDecoder decoder(_useMixerMT);
    
      for (CNum i = 0; i < folders.NumFolders; i++)
      {
        ...
        if (folders.FolderCRCs.ValidAndDefined(i))
          if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
            ThrowIncorrect();
      }
      HeadersSize += folders.PackPositions[folders.NumPackStreams]; // NULL pointer dereference when PackPositions was never allocated
      return S_OK;
    }
    

    We provide the malformed input file exploit.7z and the detailed bug report (docx) here.

    Best regards.

    Hengtai Ma, Ke Yang, Xuefei Wang
    Institute of Software Chinese Academy of Sciences, China


    Last edit: ossecurity 2016-11-13
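The report above describes a loop that runs zero times and leaves folders.PackPositions unallocated before it is indexed. The following C++ is an added, self-contained illustration of that pattern and is not 7-Zip or p7zip code: the struct and function names mimic 7zIn.cpp, PackPositions stands in for CObjArray<UInt64> (a null pointer until allocated), the section IDs are the 7z NID values for kEnd and kPackInfo, but the header byte layout is a hypothetical toy encoding, the sample headers are constructed, and the hardened accessor is my own suggestion rather than the upstream 16.03 patch.

```cpp
// Added illustration of the CVE-2016-9296 pattern; not 7-Zip/p7zip code.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <vector>

// Section IDs as used by the 7z header (NID::kEnd, NID::kPackInfo).
const uint8_t kEnd = 0x00;
const uint8_t kPackInfo = 0x06;

// Stand-in for CFolders. PackPositions plays the role of CObjArray<UInt64>:
// it is a null pointer until something allocates it.
struct Folders {
    uint32_t NumPackStreams = 0;
    std::unique_ptr<uint64_t[]> PackPositions;  // null unless ReadPackInfo ran
};

// Stand-in for ReadPackInfo (toy encoding, an assumption of this example):
// after the kPackInfo byte comes the stream count, then one byte per stream
// holding its packed size. PackPositions[i] is the offset of stream i and
// PackPositions[NumPackStreams] the total packed size, the layout 7-Zip uses.
size_t ReadPackInfo(const std::vector<uint8_t>& h, size_t pos, Folders& f) {
    if (pos >= h.size()) throw std::runtime_error("truncated PackInfo");
    f.NumPackStreams = h[pos++];
    if (h.size() - pos < f.NumPackStreams) throw std::runtime_error("truncated PackInfo");
    f.PackPositions.reset(new uint64_t[f.NumPackStreams + 1]);
    uint64_t sum = 0;
    for (uint32_t i = 0; i < f.NumPackStreams; i++) {
        f.PackPositions[i] = sum;
        sum += h[pos++];
    }
    f.PackPositions[f.NumPackStreams] = sum;
    return pos;
}

// Stand-in for ReadStreamsInfo: the PackInfo section is optional. A header
// that goes straight to kEnd leaves PackPositions null and NumPackStreams 0.
void ReadStreamsInfo(const std::vector<uint8_t>& h, Folders& f) {
    size_t pos = 0;
    if (pos < h.size() && h[pos] == kPackInfo)
        pos = ReadPackInfo(h, pos + 1, f);
    if (pos >= h.size() || h[pos] != kEnd) throw std::runtime_error("bad section id");
    // Remaining sections (UnpackInfo, SubStreamsInfo) are omitted in this toy.
}

// Tail of the quoted 16.02 code: indexes PackPositions unconditionally.
// With a null array this is the crash the report describes.
uint64_t HeadersSizeUnchecked(const Folders& f) {
    return f.PackPositions[f.NumPackStreams];
}

// Hardened form (my own): a never-allocated array means "no packed data".
uint64_t HeadersSizeChecked(const Folders& f) {
    if (!f.PackPositions) return 0;
    return f.PackPositions[f.NumPackStreams];
}

// Constructed sample headers (not real 7z archives).
std::vector<uint8_t> GoodHeader() {       // 3 streams of 16, 32, 48 bytes
    return {kPackInfo, 0x03, 0x10, 0x20, 0x30, kEnd};
}
std::vector<uint8_t> MalformedHeader() {  // no PackInfo section at all
    return {kEnd};
}

// Parses a header and returns the total packed size via the hardened accessor.
uint64_t ParseHeadersSize(const std::vector<uint8_t>& h) {
    Folders f;
    ReadStreamsInfo(h, f);
    return HeadersSizeChecked(f);
}

// True when the header caused PackPositions to be allocated.
bool PackInfoPresent(const std::vector<uint8_t>& h) {
    Folders f;
    ReadStreamsInfo(h, f);
    return static_cast<bool>(f.PackPositions);
}

int main() {
    printf("good header: packed size %llu\n",
           (unsigned long long)ParseHeadersSize(GoodHeader()));
    printf("malformed header: packed size %llu, PackPositions null: %s\n",
           (unsigned long long)ParseHeadersSize(MalformedHeader()),
           PackInfoPresent(MalformedHeader()) ? "no" : "yes");
    // To reproduce the segfault, call the unchecked accessor on the malformed case:
    // Folders f; ReadStreamsInfo(MalformedHeader(), f); HeadersSizeUnchecked(f);
    return 0;
}
```

The point the example makes is that the allocation of PackPositions and the loop that fills it are both conditional on a section the attacker controls, while the final read is unconditional; any accessor placed after such a parser has to treat the "section absent" state explicitly, and building with -fsanitize=address turns the silent segfault into a report that names the null read.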
  • Igor Pavlov

    Igor Pavlov - 2016-11-03

    It was already reported before:
    https://sourceforge.net/p/p7zip/bugs/185/
    And it was fixed in 7-zip 16.03.

  • ossecurity

    ossecurity - 2016-11-03

    Oh, I see. But it seems that the latest p7zip version (p7zip_16.02) still has this problem now. Does p7zip publish a patch or new versions?


    Last edit: ossecurity 2016-11-03
    • Igor Pavlov

      Igor Pavlov - 2016-11-03

      Yes, that code was fixed after 16.02.
      I hope p7zip's developer will release new version.
      If you don't want to wait for it, you can create a patch from the reported changes:
      https://sourceforge.net/p/p7zip/bugs/185/

  • ossecurity

    ossecurity - 2016-11-13

    Hi, we requested a cve id for this problem: CVE-2016-9296.
    see
    http://www.cvedetails.com/cve/CVE-2016-9296/

  • Ramesh Uppuluri

    Ramesh Uppuluri - 2017-01-04

    where can I download the version 16.03 from? I am looking for version with fix for https://sourceforge.net/p/p7zip/bugs/185/ which is fixed in 16.03 according to Igor Pavlov. Thanks.

  • Josh

    Josh - 2017-01-04

    p7zip is a portable version of 7zip. And to my understanding, p7zip is not yet up to date with 7zip, it is still at 16.02.

    In order to apply the fix for this CVE, you can manually patch the p7zip source based on the fix in 7zip 16.03. It is possible that your operating system has done so. OpenBSD did, but then, I'm the maintainer of p7zip for OpenBSD and arranged to have patch committed.


    Last edit: Josh 2017-01-04
  • Vinu

    Vinu - 2017-03-23

    Any updates on when the next version will be released?

