Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKeu6dVdYwMWbrqUo34i8JMFWPxorbCwgBEM0LQkZsuojT6Zhw@mail.gmail.com>
Date: Wed, 3 Jul 2024 19:20:41 +0300
From: Maxim Suhanov <dfirblog@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-52168, CVE-2023-52169: buffer overflow, over-read
 vulnerabilities in the 7-Zip archiver

Reference:
https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/

Details:

In short, both vulnerabilities affect the "full" implementation (i.e.,
7zz and its library), which includes the NTFS parser.
Implementations not using the NTFS parser (e.g., 7za and 7zr) aren't affected.
Both vulnerabilities were silently fixed in 24.01 (beta). No advisory
(or a related change log entry) issued.

CVE-2023-52168:
> The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains a heap-based buffer
> overflow that allows an attacker to overwrite two bytes at multiple
> offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10,
> i=11, etc.

This vulnerability would be very hard to exploit to gain code execution.

CVE-2023-52169:
> The NtfsHandler.cpp NTFS handler in 7-Zip through 23.01 contains an out-of-bounds read
> that allows an attacker to read beyond the intended buffer.
> The bytes read beyond the intended buffer are presented as a part of a
> filename listed in the file system image. This has security relevance in
> known web-service use cases where untrusted users can upload files
> and have them extracted by a server-side 7-Zip process.

This over-read bug affects implementations that:
- use 7-Zip as a library to process archives, and
- run a single process to process archives from multiple (untrusted)
sources, and
- allow users to observe file names stored in their processed archives.

(Otherwise, there are no obvious security implications.)

Examples include online tools to convert/extract archives.
At least one online service was affected by this vulnerability: i.e.,
it allowed a remote attacker to leak chunks of data from a server-side
process.

Timeline:

* 2023-08-18: the vulnerability was reported to Igor Pavlov.
* 2024-01-31: a fixed version (24.01 beta) is available.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.