SIGSEGV during the processing of a 7zip archive
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
p7zip (Ubuntu) | New | Undecided | Unassigned |
Bug Description
# Description
During extraction of the attached 7zip archive via `/usr/libexec/` a null-pointer dereference is triggered and causes a segmentation fault (SIGSEGV).
This bug allows an attacker to perform a denial of service and possibly opens up
other attack vectors.
To reproduce the crash, we provide scripts alongside the crashing input:
- ./reproduce-
If you need further details, we are happy to assist where possible.
# apt show p7zip-full
```
Package: p7zip-full
Version: 16.02+dfsg-7build1
Priority: optional
Section: universe/utils
Source: p7zip
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Original-
Bugs: https:/
Installed-Size: 4887 kB
Depends: p7zip (= 16.02+dfsg-
Suggests: p7zip-rar
Breaks: p7zip (<< 15.09+dfsg-3~)
Replaces: p7zip (<< 15.09+dfsg-3~)
Homepage: http://
Task: kubuntu-desktop, kubuntu-full, xubuntu-desktop, lubuntu-desktop, ubuntustudio-
Download-Size: 1187 kB
APT-Manual-
APT-Sources: http://
Description: 7z and 7za file archivers with high compression ratio
```
# valgrind ubuntu
```
[+] Running /usr/lib/p7zip/7z e -so -y /testcase
==1== Memcheck, a memory error detector
==1== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1== Command: /usr/lib/p7zip/7z e -so -y /testcase
==1==
==1== Invalid read of size 4
==1== at 0x5282035: UnknownInlinedFun (NsisIn.h:63)
==1== by 0x5282035: NArchive:
==1== by 0x528234E: NArchive:
==1== by 0x52829B2: Open2 (NsisIn.cpp:5537)
==1== by 0x52829B2: NArchive:
==1== by 0x527DA8A: NArchive:
==1== by 0x143291: OpenArchiveSpec
==1== by 0x148B47: CArc::OpenStrea
==1== by 0x149B9C: CArc::OpenStrea
==1== by 0x14A136: CArc::OpenStrea
==1== by 0x14B122: CArchiveLink:
==1== by 0x14C03C: CArchiveLink:
==1== by 0x14C392: CArchiveLink:
==1== by 0x13A94E: Extract(CCodecs*, CObjectVector<
==1== Address 0x14 is not stack'd, malloc'd or (recently) free'd
==1==
==1==
==1== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==1== Access not within mapped region at address 0x14
==1== at 0x5282035: UnknownInlinedFun (NsisIn.h:63)
==1== by 0x5282035: NArchive:
==1== by 0x528234E: NArchive:
==1== by 0x52829B2: Open2 (NsisIn.cpp:5537)
==1== by 0x52829B2: NArchive:
==1== by 0x527DA8A: NArchive:
==1== by 0x143291: OpenArchiveSpec
==1== by 0x148B47: CArc::OpenStrea
==1== by 0x149B9C: CArc::OpenStrea
==1== by 0x14A136: CArc::OpenStrea
==1== by 0x14B122: CArchiveLink:
==1== by 0x14C03C: CArchiveLink:
==1== by 0x14C392: CArchiveLink:
==1== by 0x13A94E: Extract(CCodecs*, CObjectVector<
==1== If you believe this happened as a result of a stack
==1== overflow in your program's main thread (unlikely but
==1== possible), you can try to increase the size of the
==1== main thread stack using the --main-stacksize= flag.
==1== The main thread stack size used in this run was 8388608.
==1==
==1== HEAP SUMMARY:
==1== in use at exit: 5,335,749 bytes in 842 blocks
==1== total heap usage: 3,373 allocs, 2,531 frees, 6,810,051 bytes allocated
==1==
==1== LEAK SUMMARY:
==1== definitely lost: 0 bytes in 0 blocks
==1== indirectly lost: 0 bytes in 0 blocks
==1== possibly lost: 0 bytes in 0 blocks
==1== still reachable: 5,335,749 bytes in 842 blocks
==1== of which reachable via heuristic:
==1== newarray : 1,256 bytes in 1 blocks
==1== suppressed: 0 bytes in 0 blocks
==1== Rerun with --leak-check=full to see details of leaked memory
==1==
==1== For lists of detected and suppressed errors, rerun with: -s
==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
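The Memcheck report above already supports the reporter's classification: the faulting address 0x14 lies inside the never-mapped first page, so this is a 4-byte read of a struct field through a NULL base pointer (at NsisIn.h:63, reached from Open2), not a wild or freed pointer. As an added example that is not part of this report or of p7zip, the Python below parses the quoted Memcheck lines and produces that triage summary; the sample log is constructed from the lines above, and the regexes assume standard Memcheck formatting.

```python
import re

# Constructed sample: the essential lines of the Memcheck report quoted in this bug.
SAMPLE_LOG = """\
==1== Invalid read of size 4
==1==    at 0x5282035: UnknownInlinedFun (NsisIn.h:63)
==1==    by 0x52829B2: Open2 (NsisIn.cpp:5537)
==1==    by 0x143291: OpenArchiveSpec
==1==  Address 0x14 is not stack'd, malloc'd or (recently) free'd
==1== Process terminating with default action of signal 11 (SIGSEGV): dumping core
"""

PAGE_SIZE = 0x1000  # the first page is never mapped, so an address below it is NULL + offset

ERROR_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)(?: \(([^)]+)\))?")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x([0-9A-Fa-f]+) is (.+)")
SIGNAL_RE = re.compile(r"default action of signal \d+ \((\w+)\)")


def triage(log):
    """Summarise the first memory error in a Memcheck log as a dict."""
    info = {"access": None, "size": None, "frames": [], "top_source": None,
            "address": None, "kind": None, "signal": None}
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m and info["access"] is None:
            info["access"], info["size"] = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m and info["access"] is not None and info["address"] is None:
            info["frames"].append(m.group(1))          # innermost frame first
            if info["top_source"] is None and m.group(2):
                info["top_source"] = m.group(2)        # file:line of the faulting frame
            continue
        m = ADDR_RE.match(line)
        if m and info["address"] is None:
            info["address"] = int(m.group(1), 16)
            if info["address"] < PAGE_SIZE:
                # A small absolute address is a field access through a NULL base pointer.
                info["kind"] = "null-deref offset 0x%x" % info["address"]
            else:
                info["kind"] = m.group(2)             # Memcheck's own description
            continue
        m = SIGNAL_RE.search(line)
        if m:
            info["signal"] = m.group(1)
    return info
```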
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures