Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 3 Jul 2024 19:20:41 +0300
From: Maxim Suhanov <dfirblog@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-52168, CVE-2023-52169: buffer overflow, over-read
 vulnerabilities in the 7-Zip archiver

Reference:
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/

Details:

In short, both vulnerabilities affect the "full" implementation (i.e.,
7zz and its library), which includes the NTFS parser.
Implementations not using the NTFS parser (e.g., 7za and 7zr) aren't affected.
Both vulnerabilities were silently fixed in 24.01 (beta). No advisory
(or a related change log entry) issued.

CVE-2023-52168:
> The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains a heap-based buffer
> overflow that allows an attacker to overwrite two bytes at multiple
> offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10,
> i=11, etc.

This vulnerability would be very hard to exploit to gain code execution.

CVE-2023-52169:
> The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains an out-of-bounds read
> that allows an attacker to read beyond the intended buffer.
> The bytes read beyond the intended buffer are presented as a part of a
> filename listed in the file system image. This has security relevance in
> known web-service use cases where untrusted users can upload files
> and have them extracted by a server-side 7-Zip process.

This over-read bug affects implementations that:
- use 7-Zip as a library to process archives, and
- run a single process to process archives from multiple (untrusted)
sources, and
- allow users to observe file names stored in their processed archives.

(Otherwise, there are no obvious security implications.)

Examples include online tools to convert/extract archives.
At least one online service was affected by this vulnerability: i.e.,
it allowed a remote attacker to leak chunks of data from a server-side
process.

Timeline:

* 2023-08-18: the vulnerability was reported to Igor Pavlov.
* 2024-01-31: a fixed version (24.01 beta) is available.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.