|
Message-ID: <CACFhWPMpUWFenDZrq1Khbb2aMf=LggqK6hs4Uv+VfN9ZKExRTw@mail.gmail.com> Date: Fri, 13 Feb 2015 23:36:30 -0500 From: Matt Mahoney <mattmahoneyfl@...il.com> To: oss-security@...ts.openwall.com Subject: Possible vulnerability fixed in ZPAQ v7.02 I have released an update to the zpaq archiver to patch a possible vulnerability. zpaq is a journaling archiver for incremental backups. http://mattmahoney.net/dc/zpaq.html I discussed the technical details in http://encode.ru/threads/456-zpaq-updates?p=42632#post42632 zpaq supports forward compatibility between versions by storing the decompression code in the archive in a virtual machine language called ZPAQL. As an optimization, zpaq will translate the ZPAQL code into x86 or x86-64. The vulnerability is versions 7.01 and earlier of libzpaq, an API that provides the compression and decompression services to zpaq and possibly other applications. One vulnerability allows a specially crafted archive to write past the end of an array on the heap. Another allows execution of the generated x86 or x86-64 to fall off the end of the program and execute unallocated memory. Both bugs can be triggered by extracting or just listing a specially crafted archive. I did not investigate whether these bugs could be exploited, but it seems possible. The patched zpaq v7.02 and libzpaq v7.02 are available at the above website. -- -- Matt Mahoney, mattmahoneyfl@...il.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.