
[SECURITY] [DLA 2981-1] lrzip security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-2981-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
April 13, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : lrzip
Version        : 0.631-1+deb9u2
CVE ID         : CVE-2018-5786 CVE-2020-25467 CVE-2021-27345 CVE-2021-27347 
                 CVE-2022-26291
Debian Bug     : 888506 990583

Several security vulnerabilities have been discovered in lrzip, a
compression program. Invalid pointers, use-after-free and infinite
loops would allow attackers to cause a denial of service or possibly
other unspecified impact via a crafted compressed file.

CVE-2018-5786

    There is an infinite loop and application hang in the get_fileinfo
    function (lrzip.c). Remote attackers could leverage this
    vulnerability to cause a denial of service via a crafted lrz file.

CVE-2020-25467

    A null pointer dereference was discovered in lzo_decompress_buf in
    stream.c, which allows an attacker to cause a denial of service
    (DoS) via a crafted compressed file.

CVE-2021-27345

    A null pointer dereference was discovered in ucompthread in
    stream.c, which allows attackers to cause a denial of service (DoS)
    via a crafted compressed file.

CVE-2021-27347

    A use-after-free in the lzma_decompress_buf function in stream.c
    allows attackers to cause a denial of service (DoS) via a crafted
    compressed file.

CVE-2022-26291

    lrzip was discovered to contain multiple concurrency
    use-after-free issues between the functions zpaq_decompress_buf()
    and clear_rulist(). This vulnerability allows attackers to cause a
    denial of service (DoS) via a crafted lrz file.

For Debian 9 stretch, these problems have been fixed in version
0.631-1+deb9u2.

We recommend that you upgrade your lrzip packages.

For the detailed security status of lrzip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lrzip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS