Bugzilla – Bug 924906
VUL-0: CVE-2015-2782: unarj: free on invalid pointer due to buffer overflow
Last modified: 2016-04-27 19:36:30 UTC
via oss-sec:

> Jakub Wilk reported arj crashing on an ARJ file in [1]. Guillem Jover
> pointed out that the invalid pointer is due to a buffer overflow write
> access initiated by a value which is under user control, see [2]. He
> prepared as well a patch for this issue [3]. Could you assign a CVE for
> this issue?
>
> [1] https://bugs.debian.org/774015
> [2] https://bugs.debian.org/774015#11
> [3] http://git.hadrons.org/gitweb/?p=debian/pkgs/arj.git;a=blob_plain;f=debian/patches/security-afl.patch

For purposes of determining the number of CVE IDs, https://bugs.debian.org/774015#11 is considered a 2015 vulnerability announcement, and https://bugs.debian.org/774015#3 is not considered a vulnerability announcement at all. (There was another conceivable interpretation in which part of security-afl.patch fixed an issue discovered by Jakub Wilk in 2014, and another part of security-afl.patch fixed a second similar issue discovered by Guillem Jover in 2015, with two CVEs. We aren't doing that here.)

Use CVE-2015-2782.

Affected: unarj 10 through 11. Dropped from 12 and all maintained openSUSE releases.

References:
http://seclists.org/oss-sec/2015/q1/1035
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2782
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-04-13. When done, reassign the bug to security-team@suse.de.

https://swamp.suse.de/webswamp/wf/61380
Created attachment 629183 [details]
reproducer data for CVE-2015-2782

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774015#3
[[[
ARJ crashes on the attached (slightly corrupted) ARJ file:

$ arj t crash.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [08 Aug 2014]

Processing archive: crash.arj
Archive created: 2014-12-27 10:40:05, modified: 2014-12-27 10:40:05
Testing limerick     Bad file data, CRC error!
     1 file(s)

Found 1 error(s)!
*** Error in `arj': free(): invalid pointer: 0x00000000017e3200 ***
Aborted
]]]

Expectation when fixed: no crash.
bugbot adjusting priority
Are you able to reproduce it?

I've tried unarj on SLE11SP3 but no invalid pointer is here:

# unarj t crash.arj
UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.
Includes patches applied by SUSE/Novell 2003-2004.

Processing archive: crash.arj
Archive created: 2022-04-30 17:36:10, modified: 2022-04-30 17:36:10
Testing limerick (|)
Bad file data
(In reply to Kristyna Streitova from comment #4)
> Are you able to reproduce it?
>
> I've tried unarj on SLE11SP3 but no invalid pointer is here:
>
> # unarj t crash.arj
> UNARJ (Demo version) 2.63 Copyright (c) 1991-2000 ARJ Software, Inc.
> Includes patches applied by SUSE/Novell 2003-2004.
>
> Processing archive: crash.arj
> Archive created: 2022-04-30 17:36:10, modified: 2022-04-30 17:36:10
> Testing limerick (|)
> Bad file data

We seem to have patched this one by unarj-2.65-overflow.diff in 2004. Closing.