oss-sec mailing list archives

Possible vulnerability fixed in ZPAQ v7.02


From: Matt Mahoney <mattmahoneyfl () gmail com>
Date: Fri, 13 Feb 2015 23:36:30 -0500

I have released an update to the zpaq archiver to patch a possible
vulnerability. zpaq is a journaling archiver for incremental backups.
http://mattmahoney.net/dc/zpaq.html

I discussed the technical details in
http://encode.ru/threads/456-zpaq-updates?p=42632#post42632

zpaq supports forward compatibility between versions by storing the
decompression code in the archive in a virtual machine language called
ZPAQL. As an optimization, zpaq will translate the ZPAQL code into x86
or x86-64. The vulnerability is in versions 7.01 and earlier of libzpaq,
an API that provides the compression and decompression services to
zpaq and possibly other applications. One vulnerability allows a
specially crafted archive to write past the end of an array on the
heap. Another allows execution of the generated x86 or x86-64 code to fall
off the end of the program and execute unallocated memory. Both bugs
can be triggered by extracting or just listing a specially crafted
archive. I did not investigate whether these bugs could be exploited,
but it seems possible. The patched zpaq v7.02 and libzpaq v7.02 are
available at the above website.

-- 
-- Matt Mahoney, mattmahoneyfl () gmail com
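As an added illustration, not libzpaq code and not the real ZPAQL instruction set, the following uses a constructed toy bytecode to show the two checks a loader should make before translating untrusted archive code to native code: every store index stays inside the data array, every jump target lands inside the program, and the program ends in an explicit halt so the generated code cannot run off its end into unallocated memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy bytecode (NOT real ZPAQL), constructed for this example:
 * each instruction is two bytes, an opcode followed by one operand. */
enum { OP_HALT = 0, OP_STORE = 1, OP_JMP = 2 };

/* Verify that a program of `len` bytes is safe to translate and run against a
 * data array of `mem_size` bytes:
 *  1. every OP_STORE writes inside the array (blocks the heap overwrite);
 *  2. every OP_JMP targets an instruction boundary inside the program, and the
 *     program ends in OP_HALT, so control cannot fall off the end of the code.
 * Returns true only if every check passes; unknown opcodes are rejected. */
bool verify_program(const uint8_t *code, size_t len, size_t mem_size) {
    if (len == 0 || len % 2 != 0) return false;  /* no partial instructions */
    if (code[len - 2] != OP_HALT) return false;  /* must end with explicit halt */
    for (size_t pc = 0; pc < len; pc += 2) {
        uint8_t op = code[pc], arg = code[pc + 1];
        switch (op) {
        case OP_HALT:
            break;
        case OP_STORE:
            if (arg >= mem_size) return false;   /* index past end of array */
            break;
        case OP_JMP:
            if (arg % 2 != 0 || arg >= len) return false;  /* target outside program */
            break;
        default:
            return false;
        }
    }
    return true;
}

/* Constructed sample programs run against an 8-byte data array. */
static const uint8_t sample_good[]      = { OP_STORE, 3, OP_JMP, 4, OP_HALT, 0 };
static const uint8_t sample_bad_store[] = { OP_STORE, 16, OP_HALT, 0 };  /* writes at index 16 */
static const uint8_t sample_no_halt[]   = { OP_STORE, 1, OP_STORE, 2 };  /* runs off the end */
static const uint8_t sample_bad_jump[]  = { OP_JMP, 40, OP_HALT, 0 };    /* jumps outside program */

int main(void) {
    printf("good program accepted: %d\n", verify_program(sample_good, sizeof sample_good, 8));
    printf("out-of-bounds store rejected: %d\n", !verify_program(sample_bad_store, sizeof sample_bad_store, 8));
    printf("missing halt rejected: %d\n", !verify_program(sample_no_halt, sizeof sample_no_halt, 8));
    printf("out-of-range jump rejected: %d\n", !verify_program(sample_bad_jump, sizeof sample_bad_jump, 8));
    return 0;
}
```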

