Version in base suite: 0.631+git180528-1 Base version: lrzip_0.631+git180528-1 Target version: lrzip_0.631+git180528-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lrzip/lrzip_0.631+git180528-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lrzip/lrzip_0.631+git180528-1+deb10u1.dsc
changelog | 17 +++
patches/CVE-2018-5786.patch | 23 ++++
patches/CVE-2020-25467.patch | 22 +++
patches/CVE-2021-27345,CVE-2021-27347.patch | 158 ++++++++++++++++++++++++++++
patches/CVE-2022-26291.patch | 75 +++++++++++++
patches/CVE-2022-28044.patch | 48 ++++++++
patches/series | 5
7 files changed, 348 insertions(+)
diff -Nru lrzip-0.631+git180528/debian/changelog lrzip-0.631+git180528/debian/changelog
--- lrzip-0.631+git180528/debian/changelog 2018-05-29 14:39:27.000000000 +0000
+++ lrzip-0.631+git180528/debian/changelog 2022-05-13 00:53:05.000000000 +0000
@@ -1,3 +1,20 @@
+lrzip (0.631+git180528-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Security updates:
+ Two issues that allow remote attackers to cause a denial of service via a
+ crafted lrz file:
+ - CVE-2018-5786: Resolve a potential infinite loop and application hang in the
+ get_fileinfo function.
+ - CVE-2021-27345: Resolve a null pointer dereference.
+ * CVE-2021-27347: Resolve a use after free.
+ - CVE-2020-25467: Resolve a null pointer dereference.
+ - CVE-2022-26291: Resolve a multiple concurrency use-after-free.
+ A memory corruption issue:
+ - CVE-2022-28044: Resolve a potential heap corruption.
+
+ -- Stefano Rivera Thu, 12 May 2022 20:53:05 -0400
+
 lrzip (0.631+git180528-1) unstable; urgency=high
 
 * Git snapshot release to fix security issue:
diff -Nru lrzip-0.631+git180528/debian/patches/CVE-2018-5786.patch lrzip-0.631+git180528/debian/patches/CVE-2018-5786.patch
--- lrzip-0.631+git180528/debian/patches/CVE-2018-5786.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.631+git180528/debian/patches/CVE-2018-5786.patch 2022-05-13 00:53:05.000000000 +0000
@@ -0,0 +1,23 @@
+From: Con Kolivas
+Date: Tue, 12 Apr 2022 19:05:59 +1000
+Subject: [PATCH] Check for invalid repeated head that can lead to infinite
+ loop in info mode.
+
+Origin: upstream, https://github.com/ckolivas/lrzip/commit/3495188cd8f2215a9feea201f3e05c1341ed95fb
+---
+ lrzip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lrzip.c b/lrzip.c
+index c8f8195..5408670 100644
+--- a/lrzip.c
++++ b/lrzip.c
+@@ -1059,7 +1059,7 @@ next_chunk:
+ do {
+ i64 head_off;
+
+- if (unlikely(last_head && last_head < second_last))
++ if (unlikely(last_head && last_head <= second_last))
+ failure_goto(("Invalid earlier last_head position, corrupt archive.\n"), error);
+ second_last = last_head;
+ if (unlikely(last_head + ofs > infile_size))
diff -Nru lrzip-0.631+git180528/debian/patches/CVE-2020-25467.patch lrzip-0.631+git180528/debian/patches/CVE-2020-25467.patch
--- lrzip-0.631+git180528/debian/patches/CVE-2020-25467.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.631+git180528/debian/patches/CVE-2020-25467.patch 2022-05-13 00:53:05.000000000 +0000
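Review bot: The diagnostic on the line after the changed comparison still reads "Invalid earlier last_head position", but with `<=` a head equal to the previous one — the repeated head the patch subject describes as the infinite-loop case — is now rejected as well, so `failure_goto(("Invalid non-advancing last_head position, corrupt archive.\n"), error);` would describe what is actually checked. The last context line computes `last_head + ofs` before comparing it with `infile_size`; if `last_head` comes from the archive without an upper bound (its origin is not visible in this hunk), the `i64` addition could overflow before the comparison, and `last_head > infile_size - ofs` avoids that. The enclosing `do { ... }` loop starts and ends outside the hunk.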
@@ -0,0 +1,22 @@
+From: Con Kolivas
+Date: Sun, 14 Feb 2021 12:58:22 +1100
+Subject: Use lzo1x decompress safe to cope with corrupt archives.
+
+Origin: upstream, https://github.com/ckolivas/lrzip/commit/e74a11c21bb89d1f48632d8a08f6d66eee923a80
+---
+ stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stream.c b/stream.c
+index 4093a87..fbba0b1 100644
+--- a/stream.c
++++ b/stream.c
+@@ -585,7 +585,7 @@ static int lzo_decompress_buf(rzip_control *control __UNUSED__, struct uncomp_th
+ goto out;
+ }
+
+- lzerr = lzo1x_decompress((uchar*)c_buf, ucthread->c_len, (uchar*)ucthread->s_buf, &dlen, NULL);
++ lzerr = lzo1x_decompress_safe((uchar*)c_buf, ucthread->c_len, (uchar*)ucthread->s_buf, &dlen, NULL);
+ if (unlikely(lzerr != LZO_E_OK)) {
+ print_err("Failed to decompress buffer - lzerr=%d\n", lzerr);
+ ret = -1;
diff -Nru lrzip-0.631+git180528/debian/patches/CVE-2021-27345,CVE-2021-27347.patch lrzip-0.631+git180528/debian/patches/CVE-2021-27345,CVE-2021-27347.patch
--- lrzip-0.631+git180528/debian/patches/CVE-2021-27345,CVE-2021-27347.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.631+git180528/debian/patches/CVE-2021-27345,CVE-2021-27347.patch 2022-05-13 00:53:05.000000000 +0000
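Review bot: `lzo1x_decompress_safe` bounds its writes by the value `dlen` holds on entry, so the swap only protects `ucthread->s_buf` if `dlen` is set to that buffer's capacity before this call; that initialisation is outside the hunk and should be confirmed, since the unsafe variant used `dlen` as an output only and the existing code may never have set it. After a successful return `dlen` holds the bytes actually produced, and comparing it with the expected uncompressed length — treating a mismatch as corruption alongside the `lzerr != LZO_E_OK` check — would also catch a truncated stream that decodes cleanly. The enclosing `lzo_decompress_buf` starts and ends outside the hunk.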
@@ -0,0 +1,158 @@
+From: "Laszlo Boszormenyi (GCS)"
+Date: Thu, 12 May 2022 21:00:14 -0400
+Subject: CVE-2021-27345,CVE-2021-27347
+
+Origin: https://github.com/ckolivas/lrzip/commit/be884d09e09b00fbddd31b75dc1f4736d72006a8
+Reviewed-by: Sylvain Beucler
+Last-Update: 2022-04-13
+
+From be884d09e09b00fbddd31b75dc1f4736d72006a8 Mon Sep 17 00:00:00 2001
+From: Con Kolivas
+Date: Mon, 15 Feb 2021 15:20:12 +1100
+Subject: [PATCH] Deallocate runzip structures after all runzip chunks are
+ complete to avoid a race in the case of a failed chunk decompressing.
+---
+ lrzip_private.h | 11 +++++++++++
+ runzip.c | 19 +++++++++++++++++++
+ stream.c | 27 ++++++++++++++++++++++-----
+ 3 files changed, 52 insertions(+), 5 deletions(-)
+
+diff --git a/lrzip_private.h b/lrzip_private.h
+index 6c0acd4..1f8326b 100644
+--- a/lrzip_private.h
++++ b/lrzip_private.h
+@@ -351,6 +351,12 @@ struct checksum {
+
+ typedef i64 tag;
+
++struct runzip_node {
++ struct stream_info *sinfo;
++ pthread_t *pthreads;
++ struct runzip_node *prev;
++};
++
+ struct rzip_state {
+ void *ss;
+ struct level *level;
+@@ -462,6 +468,10 @@ struct rzip_control {
+ void (*next_tag)(rzip_control *, struct rzip_state *, i64, tag *);
+ tag (*full_tag)(rzip_control *, struct rzip_state *, i64);
+ i64 (*match_len)(rzip_control *, struct rzip_state *, i64, i64, i64, i64 *);
++
++ pthread_t *pthreads;
++ struct runzip_node *rulist;
++ struct runzip_node *ruhead;
+ };
+
+ struct stream {
+@@ -487,6 +497,7 @@ struct stream_info {
+ i64 total_read;
+ i64 ram_alloced;
+ i64 size;
++ struct uncomp_thread *ucthreads;
+ long thread_no;
+ long next_thread;
+ int chunks;
+diff --git a/runzip.c b/runzip.c
+index f1a3d78..27ddd21 100644
+--- a/runzip.c
++++ b/runzip.c
+@@ -246,6 +246,21 @@ static i64 unzip_match(rzip_control *control, void *ss, i64 len, uint32 *cksum,
+ return total;
+ }
+
++static void clear_rulist(rzip_control *control)
++{
++ while (control->ruhead) {
++ struct runzip_node *node = control->ruhead;
++ struct stream_info *sinfo = node->sinfo;
++
++ dealloc(sinfo->ucthreads);
++ dealloc(node->pthreads);
++ dealloc(sinfo->s);
++ dealloc(sinfo);
++ control->ruhead = node->prev;
++ dealloc(node);
++ }
++}
++
+ /* decompress a section of an open file. Call fatal_return(() on error
+ return the number of bytes that have been retrieved
+ */
+@@ -363,6 +378,10 @@ static i64 runzip_chunk(rzip_control *control, int fd_in, i64 expected_size, i64
+ if (unlikely(close_stream_in(control, ss)))
+ fatal("Failed to close stream!\n");
+
++ /* We can now safely delete sinfo and pthread data of all threads
++ * created. */
++ clear_rulist(control);
++
+ return total;
+ }
+
+diff --git a/stream.c b/stream.c
+index 0dc68be..4093a87 100644
+--- a/stream.c
++++ b/stream.c
+@@ -1076,7 +1076,7 @@ void *open_stream_in(rzip_control *control, int f, int n, char chunk_bytes)
+ if (unlikely(!threads))
+ return NULL;
+
+- ucthread = calloc(sizeof(struct uncomp_thread), total_threads);
++ sinfo->ucthreads = ucthread = calloc(sizeof(struct uncomp_thread), total_threads);
+ if (unlikely(!ucthread)) {
+ dealloc(sinfo);
+ dealloc(threads);
+@@ -1090,6 +1090,8 @@ void *open_stream_in(rzip_control *control, int f, int n, char chunk_bytes)
+ sinfo->s = calloc(sizeof(struct stream), n);
+ if (unlikely(!sinfo->s)) {
+ dealloc(sinfo);
++ dealloc(threads);
++ dealloc(ucthread);
+ return NULL;
+ }
+
+@@ -1211,6 +1213,8 @@ again:
+ failed:
+ dealloc(sinfo->s);
+ dealloc(sinfo);
++ dealloc(threads);
++ dealloc(ucthread);
+ return NULL;
+ }
+
+@@ -1834,6 +1838,20 @@ int close_stream_out(rzip_control *control, void *ss)
+ return 0;
+ }
+
++/* Add to an runzip list to safely deallocate memory after all threads have
++ * returned. */
++static void add_to_rulist(rzip_control *control, struct stream_info *sinfo)
++{
++ struct runzip_node *node = calloc(sizeof(struct runzip_node), 1);
++
++ if (unlikely(!node))
++ failure("Failed to calloc struct node in add_rulist\n");
++ node->sinfo = sinfo;
++ node->pthreads = control->pthreads;
++ node->prev = control->rulist;
++ control->ruhead = node;
++}
++
+ /* close down an input stream */
+ int close_stream_in(rzip_control *control, void *ss)
+ {
+@@ -1850,10 +1868,9 @@ int close_stream_in(rzip_control *control, void *ss)
+ dealloc(sinfo->s[i].buf);
+
+ output_thread = 0;
+- dealloc(ucthread);
+- dealloc(threads);
+- dealloc(sinfo->s);
+- dealloc(sinfo);
++ /* We cannot safely release the sinfo and pthread data here till all
++ * threads are shut down. */
++ add_to_rulist(control, sinfo);
+
+ return 0;
+ }
diff -Nru lrzip-0.631+git180528/debian/patches/CVE-2022-26291.patch lrzip-0.631+git180528/debian/patches/CVE-2022-26291.patch
--- lrzip-0.631+git180528/debian/patches/CVE-2022-26291.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.631+git180528/debian/patches/CVE-2022-26291.patch 2022-05-13 00:53:05.000000000 +0000
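Review bot: `add_to_rulist` links the new node with `node->prev = control->rulist;` but nothing in this patch ever assigns `control->rulist`, and `control->ruhead` is overwritten without being chained to the new node; unless `rulist` is maintained somewhere not shown, every call drops the previous head, so `clear_rulist` frees only the most recent `sinfo`/`pthreads` pair and the earlier ones leak. The linkage should be `node->prev = control->ruhead;` followed by `control->ruhead = node;`, after which the `rulist` field has no purpose. This matters more once the CVE-2022-26291 patch in the next file moves `clear_rulist` out of `runzip_chunk` into `decompress_file`, because one node per chunk then accumulates before anything is freed. `node->pthreads = control->pthreads;` also relies on `open_stream_in` storing its `threads` array in `control->pthreads`, which none of the `open_stream_in` hunks here show — worth confirming. `close_stream_in` continues past the end of the hunk.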
@@ -0,0 +1,75 @@
+From: "Laszlo Boszormenyi (GCS)"
+Date: Thu, 12 May 2022 21:00:14 -0400
+Subject: CVE-2022-26291
+
+Origin: https://github.com/ckolivas/lrzip/commit/4b3942103b57c639c8e0f31d6d5fd7bac53bbdf4
+Reviewed-by: Sylvain Beucler
+Last-Update: 2022-04-13
+
+From 4b3942103b57c639c8e0f31d6d5fd7bac53bbdf4 Mon Sep 17 00:00:00 2001
+From: Con Kolivas
+Date: Sat, 26 Feb 2022 10:11:49 +1100
+Subject: [PATCH] Fix possible race condition between zpaq_decompress_buf() and
+ clear_rulist() function as reported by wcventure.
+---
+ lrzip.c | 8 +++++++-
+ runzip.c | 6 +-----
+ runzip.h | 1 +
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lrzip.c b/lrzip.c
+index 9f65286..c8f8195 100644
+--- a/lrzip.c
++++ b/lrzip.c
+@@ -837,8 +837,14 @@ bool decompress_file(rzip_control *control)
+
+ print_progress("Decompressing...\n");
+
+- if (unlikely(runzip_fd(control, fd_in, fd_out, fd_hist, expected_size) < 0))
++ if (unlikely(runzip_fd(control, fd_in, fd_out, fd_hist, expected_size) < 0)) {
++ clear_rulist(control);
+ return false;
++ }
++
++ /* We can now safely delete sinfo and pthread data of all threads
++ * created. */
++ clear_rulist(control);
+
+ if (STDOUT && !TMP_OUTBUF) {
+ if (unlikely(!dump_tmpoutfile(control, fd_out)))
+diff --git a/runzip.c b/runzip.c
+index 27ddd21..550f24f 100644
+--- a/runzip.c
++++ b/runzip.c
+@@ -246,7 +246,7 @@ static i64 unzip_match(rzip_control *control, void *ss, i64 len, uint32 *cksum,
+ return total;
+ }
+
+-static void clear_rulist(rzip_control *control)
++void clear_rulist(rzip_control *control)
+ {
+ while (control->ruhead) {
+ struct runzip_node *node = control->ruhead;
+@@ -378,10 +378,6 @@ static i64 runzip_chunk(rzip_control *control, int fd_in, i64 expected_size, i64
+ if (unlikely(close_stream_in(control, ss)))
+ fatal("Failed to close stream!\n");
+
+- /* We can now safely delete sinfo and pthread data of all threads
+- * created. */
+- clear_rulist(control);
+-
+ return total;
+ }
+
+diff --git a/runzip.h b/runzip.h
+index 1ed68e6..310d018 100644
+--- a/runzip.h
++++ b/runzip.h
+@@ -22,6 +22,7 @@
+
+ #include "lrzip_private.h"
+
++void clear_rulist(rzip_control *control);
+ i64 runzip_fd(rzip_control *control, int fd_in, int fd_out, int fd_hist, i64 expected_size);
+
+ #endif
diff -Nru lrzip-0.631+git180528/debian/patches/CVE-2022-28044.patch lrzip-0.631+git180528/debian/patches/CVE-2022-28044.patch
--- lrzip-0.631+git180528/debian/patches/CVE-2022-28044.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.631+git180528/debian/patches/CVE-2022-28044.patch 2022-05-13 00:53:05.000000000 +0000
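Review bot: On the failure branch in `decompress_file`, `clear_rulist(control)` frees every recorded `sinfo` and pthread array as soon as `runzip_fd` returns an error, but nothing in this hunk shows that all worker threads have been joined by then; if a failing chunk can return while a worker is still inside `zpaq_decompress_buf` (the race the subject names), the free on this path still runs concurrently with the worker's use of that memory. The precondition deserves to be stated at the call site, e.g. `/* runzip_fd must have joined every decompression thread before this point */`, and confirmed in `runzip_fd`, whose body is outside this patch. `decompress_file` continues past the end of the hunk.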
@@ -0,0 +1,48 @@
+From: Con Kolivas
+Date: Fri, 25 Feb 2022 22:35:20 +1100
+Subject: Fix control->suffix being deallocated as heap memory as reported by
+ Pietro Borrello.
+
+Origin: upstream, https://github.com/ckolivas/lrzip/commit/5faf80cd53ecfd16b636d653483144cd12004f46
+---
+ lrzip.c | 2 +-
+ main.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lrzip.c b/lrzip.c
+index 5408670..a08228e 100644
+--- a/lrzip.c
++++ b/lrzip.c
+@@ -1333,7 +1333,7 @@ bool initialise_control(rzip_control *control)
+ control->msgerr = stderr;
+ register_outputfile(control, control->msgout);
+ control->flags = FLAG_SHOW_PROGRESS | FLAG_KEEP_FILES | FLAG_THRESHOLD;
+- control->suffix = ".lrz";
++ control->suffix = strdup(".lrz");
+ control->compression_level = 7;
+ control->ramsize = get_ram(control);
+ if (unlikely(control->ramsize == -1))
+diff --git a/main.c b/main.c
+index 6466df4..9a4fcbf 100644
+--- a/main.c
++++ b/main.c
+@@ -438,7 +438,8 @@ int main(int argc, char *argv[])
+ if (unlikely(STDOUT))
+ failure("Cannot specify an output filename when outputting to stdout\n");
+ control->outname = optarg;
+- control->suffix = "";
++ dealloc(control->suffix);
++ control->suffix = strdup("");
+ break;
+ case 'O':
+ if (control->outname) /* can't mix -o and -O */
+@@ -471,7 +472,8 @@ int main(int argc, char *argv[])
+ failure("Specified output filename already, can't specify an extension.\n");
+ if (unlikely(STDOUT))
+ failure("Cannot specify a filename suffix when outputting to stdout\n");
+- control->suffix = optarg;
++ dealloc(control->suffix);
++ control->suffix = strdup(optarg);
+ break;
+ case 't':
+ if (control->outname)
diff -Nru lrzip-0.631+git180528/debian/patches/series lrzip-0.631+git180528/debian/patches/series
--- lrzip-0.631+git180528/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.631+git180528/debian/patches/series 2022-05-13 00:53:05.000000000 +0000
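Review bot: None of the three new `strdup` calls checks its result, so an allocation failure leaves `control->suffix` NULL and whatever later reads the suffix (not visible here) would dereference it; the surrounding `main` code already aborts on bad conditions with `failure(...)`, so `if (unlikely(!control->suffix)) failure("Failed to strdup suffix\n");` after each of the two reassignments would fit, while `initialise_control` returns `bool` and could report the failure the way it handles `get_ram` returning -1. The `dealloc(control->suffix)` before each reassignment is what makes the heap copy from `initialise_control` safe to free, which is the fix itself. Both `initialise_control` and `main` start and end outside the hunk.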
@@ -0,0 +1,5 @@
+CVE-2021-27345,CVE-2021-27347.patch
+CVE-2022-26291.patch
+CVE-2020-25467.patch
+CVE-2018-5786.patch
+CVE-2022-28044.patch