Infinite Loop Vulnerability in get_fileinfo (src/lrzip.c) #91
Comments
This was assigned CVE-2018-5786

Fixed generically with other safeguards.

Hi, sorry to dig up old bugs. I'm part of Debian LTS (Long Term Support) and while looking at this issue, it seems it never got fixed, despite safeguards such as 399336e. During my tests I couldn't find a lrzip version that avoids the infinite loop. Current master (e5e9a61) debug log: Can you confirm?

Thanks. The check looks incomplete in the info version. Will check again shortly.

Fixed in 3495188

This works for me. Thank you.
git-svn-id: file:///srv/repos/svn-community/svn@1210679 9fca08f4-af9d-4005-b8df-a31f2cc04f65
On the latest version (0.631) and the master branch, there is an infinite loop and application hang in the get_fileinfo function (src/lrzip.c), which can be triggered by the POC with the command: lrzip -i $POC

Looking into the get_fileinfo function (src/lrzip.c), we found that in the "do {} while(last_head)" loop, the "last_head" variable is affected by the POC file and is always non-zero, and the "lseek" in line 1041 continuously moves the file cursor to the same position. That means "last_head" is always assigned the value from the same file position, resulting in an infinite loop.
POC: https://github.com/ProbeFuzzer/poc/blob/master/lrzip/lrzip_0-631_lrzip_infinite-loop_get_fileinfo.lrz
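The report above describes a header-chain walk whose loop condition depends only on the value read at the "next header" position, so a file whose next pointer refers back to the same offset makes the loop re-read the same bytes forever. The following is an added example, not lrzip's code and not its on-disk format: it uses a hypothetical, simplified layout (each header is an 8-byte little-endian offset of the next header, 0 meaning "last") to show the two checks that make such a walk terminate on any input, namely that the next offset must stay inside the file and must move strictly forward, plus a hard cap on the number of headers as a second line of defence.

```c
/*
 * Added example (not lrzip's code): walking a chain of chunk headers
 * in a way that cannot loop forever on attacker-controlled input.
 * The layout is a hypothetical, simplified one: each header is 8 bytes,
 * a little-endian u64 holding the absolute offset of the next header,
 * with 0 meaning "last header". Only the termination logic is the point.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_SIZE    8
#define MAX_HEADERS 1024   /* hard cap: second line of defence */

/* Read a little-endian u64 from buf[off .. off+8). Caller checks bounds. */
static uint64_t rd_le64(const unsigned char *buf, size_t off)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | buf[off + i];
    return v;
}

/*
 * Follow the header chain starting at offset 0.
 * Returns the number of headers visited (>= 1) for a well-formed chain,
 * or -1 if the chain is malformed: a header that does not fit in the
 * file, a "next" offset outside the file, a "next" offset that does not
 * move strictly forward (the condition behind the hang in this issue),
 * or more than MAX_HEADERS headers.
 */
int walk_headers(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    for (;;) {
        /* every header must lie entirely inside the file */
        if (pos > len || len - pos < HDR_SIZE)
            return -1;
        if (++count > MAX_HEADERS)
            return -1;

        uint64_t next = rd_le64(buf, pos);
        if (next == 0)                 /* terminator: clean end of chain */
            return count;
        /* The cursor must advance. A next pointer equal to (or before) the
         * current header would re-read the same bytes on every iteration. */
        if (next <= (uint64_t)pos)
            return -1;
        if (next > (uint64_t)len)      /* reject before narrowing to size_t */
            return -1;
        pos = (size_t)next;
    }
}

/* Constructed sample 1: three headers at 0, 8, 16; the last has next = 0. */
static const unsigned char good_chain[24] = {
    8, 0, 0, 0, 0, 0, 0, 0,
    16, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0,
};

/* Constructed sample 2: the second header points at itself, the shape of
 * the bug report (seek to the same position, read the same value, never
 * exit). */
static const unsigned char self_loop[16] = {
    8, 0, 0, 0, 0, 0, 0, 0,
    8, 0, 0, 0, 0, 0, 0, 0,
};

/* Constructed sample 3: next offset far beyond the end of the file. */
static const unsigned char out_of_range[8] = {
    0xff, 0xff, 0, 0, 0, 0, 0, 0,
};

int main(void)
{
    printf("good chain  : %d\n", walk_headers(good_chain, sizeof good_chain));
    printf("self loop   : %d\n", walk_headers(self_loop, sizeof self_loop));
    printf("out of range: %d\n", walk_headers(out_of_range, sizeof out_of_range));
    return 0;
}
```

The "must advance" check is the one that closes the hang described in the report; the bounds check and the header cap are there so that a truncated file or a very long but forward-moving chain also fail closed instead of reading past the buffer or spending unbounded time.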