Bug 1012574 - (CVE-2016-9296) VUL-0: CVE-2016-9296: p7zip: Null pointer dereference in 7zIn.cpp
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/176307/
Reported: 2016-11-29 11:55 UTC by Johannes Segitz
Modified: 2017-10-25 20:02 UTC
Found By: Security Response Team

Description Johannes Segitz 2016-11-29 11:55:21 UTC
rh#1394790

A null pointer dereference bug affects the 16.02 and many old versions of p7zip.
A lack of null pointer check for the variable folders.PackPositions in function
CInArchive::ReadAndDecodePackedStreams in CPP/7zip/Archive/7z/7zIn.cpp, as used
in the 7z.so library and in 7z applications, will cause a crash and a denial of
service when decoding malformed 7z files.

Details are available at 
https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1394790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9296.html
http://www.cvedetails.com/cve/CVE-2016-9296/
https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/
https://github.com/yangke/7zip-null-pointer-dereference
https://sourceforge.net/p/p7zip/bugs/185/
http://www.securityfocus.com/bid/94294
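
The bug class described in the report above, as an added C++ illustration (not p7zip source and not the upstream patch): a table pointer that stays null when an optional header section is absent, read with and without a null check. `Folders` is a simplified stand-in, and `NumStreams`, `ParseStreamsInfo`, `PackedEndUnchecked` and `PackedEndChecked` are hypothetical names; the sample sizes are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-in (not p7zip source) for a table a parser fills from the header.
struct Folders {
    uint32_t NumStreams = 0;
    std::unique_ptr<uint64_t[]> PackPositions;  // stays null if the section is absent
};

// Builds the table only when the optional pack-info section was present.
Folders ParseStreamsInfo(bool hasPackInfo, const std::vector<uint64_t>& sizes) {
    Folders f;
    if (!hasPackInfo) return f;  // malformed or minimal input: nothing allocated
    f.NumStreams = static_cast<uint32_t>(sizes.size());
    f.PackPositions.reset(new uint64_t[sizes.size() + 1]);
    uint64_t sum = 0;
    for (size_t i = 0; i < sizes.size(); i++) {
        f.PackPositions[i] = sum;  // start offset of stream i
        sum += sizes[i];
    }
    f.PackPositions[sizes.size()] = sum;  // end offset of the last stream
    return f;
}

// Unchecked pattern: crashes (null dereference) when the table was never built.
uint64_t PackedEndUnchecked(const Folders& f) {
    return f.PackPositions[f.NumStreams];
}

// Checked pattern: reports the missing table to the caller instead of crashing.
bool PackedEndChecked(const Folders& f, uint64_t& end) {
    end = 0;
    if (!f.PackPositions) return false;
    end = f.PackPositions[f.NumStreams];
    return true;
}

int main() {
    uint64_t end = 0;
    Folders good = ParseStreamsInfo(true, {100, 50});  // constructed sample sizes
    Folders bad = ParseStreamsInfo(false, {});         // section missing
    bool ok = PackedEndChecked(good, end);
    std::printf("good: ok=%d end=%llu\n", ok, (unsigned long long)end);
    ok = PackedEndChecked(bad, end);
    std::printf("bad:  ok=%d end=%llu\n", ok, (unsigned long long)end);
    return 0;
}
```

`PackedEndUnchecked` is kept only for comparison and is never called from `main`.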

Comment 1 Swamp Workflow Management 2016-11-29 23:01:00 UTC
bugbot adjusting priority

Comment 2 Kristyna Streitova 2016-11-30 14:20:36 UTC
"We find that p7zip of version 16.02, 15.14.1, 15.14, 15.09, 9.38.1, 9.38 have the same problem. Earlier version of p7zip doesn’t have this bug." [1]

It was also tested that our SLE12 p7zip package (p7zip 9.20.1) is not affected (the same version is also in openSUSE:Leap and openSUSE 13.2):

-----
dhcp104:~/7zip # 7za x exploit.7z output

7-Zip (A) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: exploit.7z


No files to process

Files: 0
Size:       0
Compressed: 146
----


Overview:
|     Product      | Affected | Request |
|------------------|----------|---------|
| SLE12            | no       |       - |
| openSUSE:Leap    | no       |       - |
| openSUSE:13.2    | no       |       - |
| openSUSE:Factory | yes      |  441883 |


We are done here. Reassigning it back to the security-team.


[1] https://github.com/yangke/7zip-null-pointer-dereference/blob/master/p7zip-null-pointer-dereference.docx

Comment 3 Marcus Meissner 2017-10-25 20:02:12 UTC
fix only needed upstream