oss-sec mailing list archives
Possible vulnerability fixed in ZPAQ v7.02
From: Matt Mahoney <mattmahoneyfl () gmail com>
Date: Fri, 13 Feb 2015 23:36:30 -0500
I have released an update to the zpaq archiver to patch a possible vulnerability. zpaq is a journaling archiver for incremental backups. http://mattmahoney.net/dc/zpaq.html I discussed the technical details in http://encode.ru/threads/456-zpaq-updates?p=42632#post42632 zpaq supports forward compatibility between versions by storing the decompression code in the archive in a virtual machine language called ZPAQL. As an optimization, zpaq will translate the ZPAQL code into x86 or x86-64. The vulnerability is versions 7.01 and earlier of libzpaq, an API that provides the compression and decompression services to zpaq and possibly other applications. One vulnerability allows a specially crafted archive to write past the end of an array on the heap. Another allows execution of the generated x86 or x86-64 to fall off the end of the program and execute unallocated memory. Both bugs can be triggered by extracting or just listing a specially crafted archive. I did not investigate whether these bugs could be exploited, but it seems possible. The patched zpaq v7.02 and libzpaq v7.02 are available at the above website. -- -- Matt Mahoney, mattmahoneyfl () gmail com
Current thread:
- Possible vulnerability fixed in ZPAQ v7.02 Matt Mahoney (Feb 13)