Dear p7zip developers,
We find a new null pointer dereference bug of p7zip. Here we share the information and hope you can fix it.
Null Pointer Dereference Bug of p7zip
1. Bug Overview
A null pointer dereference bug affects the current and many old versions of p7zip. It is because of the lack of a check for
the array variable folders.PackPositions after a loop of initialization. More details are depicted in Table 1. 7-zip
is a file archiver and p7zip is its Linux version.
The detailed bug report and PoC are uploaded in this github repository.
Table 1 A null pointer dereference bug of p7zip
Item            Content
software        p7zip
program         7za, 7z, 7zr
version         At least 16.02, 15.14.1, 15.14, 15.09, 9.38.1, 9.38
Platform        32-bit and 64-bit Linux
Cause & Effect  A lack of a null pointer check for the variable folders.PackPositions in function "CInArchive::ReadAndDecodePackedStreams" in CPP/7zip/Archive/7z/7zIn.cpp will cause a crash of p7zip when decoding malformed 7zip files.
CWE             CWE-476, Null pointer dereference
2. Bug Details
2.1. Proof of Concept (PoC)
2.1.1. How to Trigger It
Here is an example to trigger this bug in Ubuntu 14.04 i386 LTS.
cd p7zip
cp makefile.linux_x32 makefile
make(make 7z or make 7zr) # program bin/7za(bin/7z or bin/7zr) will be created.
cd bin/
./7za x exploit.7z output #exploit.7z is a malformed input file.
Here is the crash scene. Download exploit.7z to verify it.
The following code snippet located at
CPP/7zip/Archive/7z/7zIn.cpp shows the key cause of this error. The developer may miss the situation when the
for loop is executed zero times, and folders.PackPositions is null at the same time. Thus it causes the null pointer dereference and the program crash.
HRESULT CInArchive::ReadAndDecodePackedStreams(...)
{
  ...
  ReadStreamsInfo(...);
  CDecoder decoder(_useMixerMT);
  for (CNum i = 0; i < folders.NumFolders; i++)
  {
    ...
    if (folders.FolderCRCs.ValidAndDefined(i))
      if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
        ThrowIncorrect();
  }
  HeadersSize += folders.PackPositions[folders.NumPackStreams]; // NULL Pointer Dereference
  return S_OK;
}
We provide the malformed input file exploit.7z and the detailed bug report (docx) here.
Best regards.
Hengtai Ma, Ke Yang, Xuefei Wang
Institute of Software Chinese Academy of Sciences, China
Last edit: ossecurity 2016-11-13
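The zero-iteration case the report describes, as an added example that is not code from the report, from 7-Zip or from p7zip. It is a constructed mock of the folder bookkeeping (names mirror folders.NumFolders, NumPackStreams and PackPositions but the types are invented), and it assumes PackPositions stays NULL when the header declares no pack streams; the explicit NULL check is the kind of guard a fix needs, not the actual 16.03 change.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed mock of the 7z folder bookkeeping (hypothetical type, not 7-Zip's). */
typedef struct {
    uint32_t NumFolders;
    uint32_t NumPackStreams;
    uint64_t *PackPositions;   /* NULL when no pack streams were read */
} Folders;

/* Mimics the stream-info stage: PackPositions is only allocated when the
   archive header declares at least one pack stream (assumption for this mock). */
static void read_streams_info(Folders *f, uint32_t num_folders, uint32_t num_pack_streams) {
    f->NumFolders = num_folders;
    f->NumPackStreams = num_pack_streams;
    f->PackPositions = NULL;
    if (num_pack_streams > 0) {
        /* NumPackStreams + 1 entries; the last one is the end offset of the packed data. */
        f->PackPositions = calloc(num_pack_streams + 1, sizeof(uint64_t));
        for (uint32_t i = 0; i <= num_pack_streams; i++)
            f->PackPositions[i] = (uint64_t)i * 100;   /* constructed sample offsets */
    }
}

/* Hardened form of the report's pattern. Returns the value the original code adds
   to HeadersSize, or -1 when the loop-driven initialisation left PackPositions
   NULL (the spot where the unpatched code dereferences a null pointer). */
int64_t pack_end_after_decode(uint32_t num_folders, uint32_t num_pack_streams) {
    Folders f;
    read_streams_info(&f, num_folders, num_pack_streams);
    for (uint32_t i = 0; i < f.NumFolders; i++) {
        /* per-folder decode and CRC check elided; runs zero times when NumFolders == 0 */
    }
    if (f.PackPositions == NULL)
        return -1;   /* the missing check: treat the header as malformed instead of crashing */
    int64_t end = (int64_t)f.PackPositions[f.NumPackStreams];
    free(f.PackPositions);
    return end;
}
```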
It was already reported before:
https://sourceforge.net/p/p7zip/bugs/185/
And it was fixed in 7-zip 16.03.
Oh, I see. But it seems that the latest p7zip version (p7zip_16.02) still has this problem now. Does p7zip publish a patch or new versions?
Last edit: ossecurity 2016-11-03
Yes, that code was fixed after 16.02.
I hope p7zip's developer will release a new version.
If you don't want to wait for it, you can create a patch from the reported changes:
https://sourceforge.net/p/p7zip/bugs/185/
Hi, we requested a CVE id for this problem: CVE-2016-9296.
See
http://www.cvedetails.com/cve/CVE-2016-9296/
Where can I download version 16.03 from? I am looking for a version with the fix for https://sourceforge.net/p/p7zip/bugs/185/, which is fixed in 16.03 according to Igor Pavlov. Thanks.
p7zip is a portable version of 7zip. And to my understanding, p7zip is not yet up to date with 7zip; it is still at 16.02.
In order to apply the fix for this CVE, you can manually patch the p7zip source based on the fix in 7zip 16.03. It is possible that your operating system has done so. OpenBSD did, but then, I'm the maintainer of p7zip for OpenBSD and arranged to have the patch committed.
Last edit: Josh 2017-01-04
Any updates on when the next version will be released?