Bug 962528 (CVE-2016-1925) - VUL-0: CVE-2016-1925: lha: Buffer Overflow while parsing level0 and level1 headers
Summary: VUL-0: CVE-2016-1925: lha: Buffer Overflow while parsing level0 and level1 he...
Status: RESOLVED FIXED
Alias: CVE-2016-1925
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/160843/
Whiteboard: CVSSv2:SUSE:CVE-2016-1925:3.3:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-19 09:38 UTC by Johannes Segitz
Modified: 2016-07-28 18:09 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-01-19 09:38:34 UTC
CVE-2016-1925

From: Paris Zoumpouloglou
== Overview ==
LHA for UNIX (https://osdn.jp/projects/lha/) is an open source
implementation of the LHA compression utility and associated file format.

== Version ==
All tests were performed using the latest 20b6ba8 commit of the master
branch from https://osdn.jp/projects/lha/scm/git/lha/

== Details ==
Using the afl fuzzer, two cases which triggered a buffer overflow were
discovered. The problem existed in header.c:797-800 and header.c:913-916
while parsing level0 and level1 headers respectively.

=797-800=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }

=913-916=

    hdr->header_size = header_size = get_byte();
    checksum = get_byte();

    if (fread(data + COMMON_HEADER_SIZE,
              header_size + 2 - COMMON_HEADER_SIZE, 1, fp) == 0) {
        error("Invalid header (LHarc file ?)");
        return FALSE;   /* finish */
    }


The header_size variable is determined from the first byte of the lha
archive header, which is read by the get_byte function. The returned
value is used in:

header_size + 2 - COMMON_HEADER_SIZE

to determine the element size used in fread().

If the header_size is less than abs(2 - COMMON_HEADER_SIZE) = abs(2 -
21) = 19 then the size parameter is overflowed and a buffer overflow
occurs in fread.

== Timeline ==
2016-01-13 - Bug report submitted
2016-01-16 - Bug fix pushed to master (commit bf2471f)

SLE 11 (SP1 TD, SP3, SP3 TD, SP4) affected

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1925
http://seclists.org/oss-sec/2016/q1/132
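The arithmetic described in the report, reproduced as an added example with a hardened variant beside it. This is illustrative code written for this page, not code from the lha project, the reporter, or the upstream fix in commit bf2471f; it assumes header_size is an int (as the report's negative-result reasoning implies), uses COMMON_HEADER_SIZE = 21 from the report, stands in for fp with a constructed in-memory stream, and names its own helpers (validate_header_size, read_header_checked, the demo functions).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant as stated in the report: bytes already consumed before the fread. */
#define COMMON_HEADER_SIZE 21

/* The size expression exactly as the report quotes it, with header_size an
 * int (assumed). For header_size < 19 the int result is negative; fread()
 * receives it converted to size_t, i.e. a value near SIZE_MAX rather than a
 * small count, so the read runs far past the fixed destination buffer. */
size_t fread_size_as_computed(int header_size)
{
    return (size_t)(header_size + 2 - COMMON_HEADER_SIZE);
}

/* Hardened check (an assumed hardening, not the upstream change): reject a
 * header size too small to cover the bytes already consumed, and one whose
 * total would exceed the destination buffer. On success stores the number of
 * bytes still to read in *remaining and returns 1; otherwise returns 0. */
int validate_header_size(int header_size, size_t buf_size, size_t *remaining)
{
    if (header_size < COMMON_HEADER_SIZE - 2)
        return 0;                            /* size expression would go negative */
    size_t total = (size_t)header_size + 2;  /* size byte + checksum byte + body */
    if (total > buf_size)
        return 0;                            /* would overrun the fixed buffer */
    *remaining = total - COMMON_HEADER_SIZE;
    return 1;
}

/* Convenience wrapper: -1 when rejected, otherwise the remaining byte count. */
long remaining_after_validation(int header_size, size_t buf_size)
{
    size_t remaining;
    if (!validate_header_size(header_size, buf_size, &remaining))
        return -1;
    return (long)remaining;
}

/* Simulated level-0/level-1 header read over an in-memory stream standing in
 * for fp. The first COMMON_HEADER_SIZE bytes are consumed first (as lha does
 * before the quoted fread), then the remainder is copied only after validation.
 * Returns 1 on a complete, validated header, 0 on rejection or short input. */
int read_header_checked(const unsigned char *stream, size_t stream_len,
                        unsigned char *data, size_t data_size)
{
    if (stream_len < COMMON_HEADER_SIZE || data_size < COMMON_HEADER_SIZE)
        return 0;
    memcpy(data, stream, COMMON_HEADER_SIZE);
    int header_size = data[0];               /* get_byte(): header size byte */
    int checksum = data[1];                  /* get_byte(): checksum byte */
    (void)checksum;                          /* checksum verification out of scope */
    size_t remaining;
    if (!validate_header_size(header_size, data_size, &remaining))
        return 0;
    if (stream_len - COMMON_HEADER_SIZE < remaining)
        return 0;                            /* short read: fread() would return 0 */
    memcpy(data + COMMON_HEADER_SIZE, stream + COMMON_HEADER_SIZE, remaining);
    return 1;
}

/* Constructed sample inputs (not real archives): zero-filled apart from the
 * size byte. One claims 30 body bytes and fits; one claims only 5 bytes, the
 * case the report describes. */
int demo_accepts_well_formed_header(void)
{
    unsigned char stream[32] = {0};
    unsigned char data[64];
    stream[0] = 30;                          /* 30 + 2 = 32 bytes total */
    return read_header_checked(stream, sizeof stream, data, sizeof data);
}

int demo_rejects_undersized_header(void)
{
    unsigned char stream[32] = {0};
    unsigned char data[64];
    stream[0] = 5;                           /* 5 + 2 - 21 would be negative */
    return read_header_checked(stream, sizeof stream, data, sizeof data);
}
```

The two checks in validate_header_size address separate failure modes: the lower bound prevents the negative-to-size_t conversion the report describes, and the upper bound keeps a large but positive header size from overrunning a fixed-size destination buffer even when the arithmetic itself is sound.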
Comment 1 Swamp Workflow Management 2016-01-19 23:00:24 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2016-07-28 18:09:47 UTC
SUSE-SU-2016:1904-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 962528
CVE References: CVE-2016-1925
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    lha-1.14.0.894-3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    lha-1.14.0.894-3.1