Date: Fri, 13 Feb 2015 23:36:30 -0500 From: Matt Mahoney <mattmahoneyfl@...il.com> To: oss-security@...ts.openwall.com Subject: Possible vulnerability fixed in ZPAQ v7.02 I have released an update to the zpaq archiver to patch a possible vulnerability. zpaq is a journaling archiver for incremental backups. http://mattmahoney.net/dc/zpaq.html I discussed the technical details in http://encode.ru/threads/456-zpaq-updates?p=42632#post42632 zpaq supports forward compatibility between versions by storing the decompression code in the archive in a virtual machine language called ZPAQL. As an optimization, zpaq will translate the ZPAQL code into x86 or x86-64. The vulnerability is versions 7.01 and earlier of libzpaq, an API that provides the compression and decompression services to zpaq and possibly other applications. One vulnerability allows a specially crafted archive to write past the end of an array on the heap. Another allows execution of the generated x86 or x86-64 to fall off the end of the program and execute unallocated memory. Both bugs can be triggered by extracting or just listing a specially crafted archive. I did not investigate whether these bugs could be exploited, but it seems possible. The patched zpaq v7.02 and libzpaq v7.02 are available at the above website. -- -- Matt Mahoney, mattmahoneyfl@...il.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ