Bugzilla – Bug 1012574
VUL-0: CVE-2016-9296: p7zip: Null pointer dereference in 7zIn.cpp
Last modified: 2017-10-25 20:02:12 UTC
rh#1394790

A null pointer dereference bug affects the 16.02 and many old versions of p7zip. A lack of null pointer check for the variable folders.PackPositions in function CInArchive::ReadAndDecodePackedStreams in CPP/7zip/Archive/7z/7zIn.cpp, as used in the 7z.so library and in 7z applications, will cause a crash and a denial of service when decoding malformed 7z files.

Details are available at https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1394790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9296
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9296.html
http://www.cvedetails.com/cve/CVE-2016-9296/
https://sourceforge.net/p/p7zip/discussion/383043/thread/648d34db/
https://github.com/yangke/7zip-null-pointer-dereference
https://sourceforge.net/p/p7zip/bugs/185/
http://www.securityfocus.com/bid/94294
bugbot adjusting priority

"We find that p7zip of version 16.02, 15.14.1, 15.14, 15.09, 9.38.1, 9.38 have the same problem. Earlier version of p7zip doesn’t have this bug." [1]

It was also tested that our SLE12 p7zip package (p7zip 9.20.1) is not affected (the same version is also in openSUSE:Leap and openSUSE 13.2):

-----
dhcp104:~/7zip # 7za x exploit.7z output

7-Zip (A) [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: exploit.7z

No files to process

Files: 0
Size: 0
Compressed: 146
----

Overview:

| Product          | Affected | Request |
|------------------|----------|---------|
| SLE12            | no       | -       |
| openSUSE:Leap    | no       | -       |
| openSUSE:13.2    | no       | -       |
| openSUSE:Factory | yes      | 441883  |

We are done here. Reassigning it back to the security-team.

[1] https://github.com/yangke/7zip-null-pointer-dereference/blob/master/p7zip-null-pointer-dereference.docx
fix only needed upstream