Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 23:36:30 -0500
From: Matt Mahoney <mattmahoneyfl@...il.com>
To: oss-security@...ts.openwall.com
Subject: Possible vulnerability fixed in ZPAQ v7.02

I have released an update to the zpaq archiver to patch a possible
vulnerability. zpaq is a journaling archiver for incremental backups.
http://mattmahoney.net/dc/zpaq.html

I discussed the technical details in
http://encode.ru/threads/456-zpaq-updates?p=42632#post42632

zpaq supports forward compatibility between versions by storing the
decompression code in the archive in a virtual machine language called
ZPAQL. As an optimization, zpaq will translate the ZPAQL code into x86
or x86-64. The vulnerability is versions 7.01 and earlier of libzpaq,
an API that provides the compression and decompression services to
zpaq and possibly other applications. One vulnerability allows a
specially crafted archive to write past the end of an array on the
heap. Another allows execution of the generated x86 or x86-64 to fall
off the end of the program and execute unallocated memory. Both bugs
can be triggered by extracting or just listing a specially crafted
archive. I did not investigate whether these bugs could be exploited,
but it seems possible. The patched zpaq v7.02 and libzpaq v7.02 are
available at the above website.

-- 
-- Matt Mahoney, mattmahoneyfl@...il.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ