Bug 1227359 (CVE-2023-52169) - VUL-0: CVE-2023-52169: 7zip,p7zip: out-of-bounds read in NTFS handler allows bytes read beyond the intended buffer size to be presented as a part of a filename listed in the file system image
Summary: VUL-0: CVE-2023-52169: 7zip,p7zip: out-of-bounds read in NTFS handler allows ...
Status: NEW
Alias: CVE-2023-52169
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Antonio Teixeira
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412808/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52169:8.2:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2024-07-03 19:18 UTC by SMASH SMASH
Modified: 2024-07-15 20:36 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description SMASH SMASH 2024-07-03 19:18:21 UTC
Reference:
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/

Details:
The vulnerability affects the "full" implementation (i.e., 7zz and its library), which includes the NTFS parser. Implementations not using the NTFS parser (e.g., 7za and 7zr) aren't affected. The vulnerability was silently fixed in 24.01 (beta). No advisory (or a related change log entry) was issued.

CVE-2023-52169:

The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process.

This over-read bug affects implementations that:
- use 7-Zip as a library to process archives, and
- run a single process to process archives from multiple (untrusted) sources, and
- allow users to observe file names stored in their processed archives.

(Otherwise, there are no obvious security implications.)

Examples include online tools to convert/extract archives. At least one online service was affected by this vulnerability: i.e., it allowed a remote attacker to leak chunks of data from a server-side process.

Timeline:

* 2023-08-18: the vulnerability was reported to Igor Pavlov.
* 2024-01-31: a fixed version (24.01 beta) is available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52169
https://seclists.org/oss-sec/2024/q3/24
Comment 4 Maintenance Automation 2024-07-15 20:36:13 UTC
SUSE-SU-2024:2475-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1227358, 1227359
CVE References: CVE-2023-52168, CVE-2023-52169
Maintenance Incident: SUSE:Maintenance:34729 (https://smelt.suse.de/incident/34729/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 p7zip-9.20.1-7.6.1
SUSE Linux Enterprise Server 12 SP5 (src):
 p7zip-9.20.1-7.6.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 p7zip-9.20.1-7.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
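An added verification script (not part of this bug report or of the SUSE update) that checks whether an installed p7zip package is at or above the fixed version-release listed above. The fixed string 9.20.1-7.6.1 comes from the "Sources used" list in this comment; the `rpm -q` query and the package name `p7zip` are assumptions for an RPM-based SLE 12 SP5 host. The comparison re-implements the segment ordering of rpm's rpmvercmp (digits compare numerically, letters lexically, a numeric segment outranks an alphabetic one, and the longer string wins when one is a prefix of the other); the `~` and `^` pre-release markers are deliberately left out.

```python
import re
import subprocess
from typing import Optional

# Fixed p7zip version-release from SUSE-SU-2024:2475-1 (bug 1227359).
FIXED_P7ZIP = "9.20.1-7.6.1"

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm orders them.

    Returns -1 if a < b, 0 if equal, 1 if a > b.
    Simplified: '~' and '^' markers are not handled.
    """
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric compare ignores leading zeros
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1                         # numeric segment beats alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1        # plain string compare for letters
    # All shared segments equal: the string with more segments is newer.
    if len(seg_a) == len(seg_b):
        return 0
    return -1 if len(seg_a) < len(seg_b) else 1


def split_vr(vr: str) -> tuple:
    """Split 'VERSION-RELEASE' into its two parts (release may be empty)."""
    version, _, release = vr.partition("-")
    return version, release


def compare_vr(installed: str, fixed: str) -> int:
    """Order two VERSION-RELEASE strings: version first, then release."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def is_patched(installed_vr: str, fixed_vr: str = FIXED_P7ZIP) -> bool:
    """True when the installed package is at or above the fixed version-release."""
    return compare_vr(installed_vr, fixed_vr) >= 0


def installed_p7zip_vr() -> Optional[str]:
    """Ask rpm for the installed p7zip version-release (assumes an RPM-based host)."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "p7zip"],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None                          # rpm not available on this host
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    vr = installed_p7zip_vr()
    if vr is None:
        print("p7zip not installed or rpm unavailable")
    else:
        state = "patched" if is_patched(vr) else "VULNERABLE (below %s)" % FIXED_P7ZIP
        print("p7zip %s: %s" % (vr, state))
```

The comparison is only meaningful against SUSE's own p7zip builds for the products listed in this comment: a larger version number from another distribution or from upstream says nothing about whether this particular fix was backported.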