oss-sec mailing list archives

Crypto++ and invalid read in decompressor class


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 5 Jun 2017 21:32:11 -0400

Hi Everyone,

Crypto++ (https://www.cryptopp.com/) is a free and open source
library of cryptographic schemes originally written by Wei Dai. Smart
fuzzing revealed Crypto++'s Zinflate class, used by classes like
Gunzip and Inflator, could perform an out-of-bounds read when
decompressing data.

The out-of-bounds read occurs on a table with 30 elements. The table
is static and its storage is allocated in initialized memory. The
attacker can craft a ZIP file that allows a read of the last two
non-existent elements. We believe an attacker can only read 0-bytes
due to the storage allocation. We were not able to escalate it to a
write. We believe it's a low-risk finding.
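As an added illustration (not Crypto++'s code, and whether the affected table is this one is an assumption): the DEFLATE distance table of RFC 1951 has exactly 30 entries, while the 5-bit symbol that indexes it can take 32 values, so an unchecked lookup on codes 30 or 31 reads two elements past the end. The hypothetical decode_distance below shows the bounds check that closes that gap, and count_out_of_range_symbols confirms that exactly two symbols hit it.

```c
#include <stdbool.h>

/* RFC 1951 distance codes 0..29. A 5-bit distance symbol can encode
 * 0..31, so codes 30 and 31 have no entry: an unchecked lookup reads
 * two elements past the end of a 30-element table. */
#define NUM_DIST_CODES 30

static const unsigned dist_base[NUM_DIST_CODES] = {
    1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
    257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
    8193, 12289, 16385, 24577 };

static const unsigned dist_extra_bits[NUM_DIST_CODES] = {
    0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
    7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13 };

/* Hypothetical checked decoder (not Crypto++'s API). Returns the match
 * distance (always >= 1) for a valid (code, extra-bits value) pair, or
 * 0 when the code has no table entry (30, 31) or the extra-bits value
 * does not fit the width the table assigns to that code. */
unsigned decode_distance(unsigned code, unsigned extra)
{
    if (code >= NUM_DIST_CODES)           /* the bounds check that matters */
        return 0;
    unsigned nbits = dist_extra_bits[code];
    if (extra >= (1u << nbits))           /* reject over-wide extra bits */
        return 0;
    return dist_base[code] + extra;
}

/* Walk every 5-bit symbol once and count those an unchecked lookup
 * would have indexed past the table: exactly two for a 30-entry table. */
unsigned count_out_of_range_symbols(void)
{
    unsigned n = 0;
    for (unsigned sym = 0; sym < 32; sym++)
        if (decode_distance(sym, 0) == 0)
            n++;
    return n;
}
```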

We were not able to induce failures in other classes using the
techniques. Other classes include those that are related, like
compressors; and those which are unrelated, like public and private
keys.

The issue is being tracked by the library at
https://github.com/weidai11/cryptopp/issues/414. The Gentoo folks
assigned CVE-2017-9434 to track the issue.

The fix is available in Master. It is also available for several
versions of the library at
https://github.com/weidai11/cryptopp/issues/414#issuecomment-300671740.

Jeff
