An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of crafted file.

XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils.

The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30 % smaller output than gzip and 15 % smaller output than bzip2.

XZ Utils consist of several components:

*   liblzma is a compression library with an API similar to that of zlib.
*   xz is a command line tool with syntax similar to that of gzip.
*   xzdec is a decompression-only tool smaller than the full-featured xz tool.
*   A set of shell scripts (xzgrep, xzdiff, etc.) have been adapted from gzip to ease viewing, grepping, and comparing compressed files.
*   Emulation of command line tools of LZMA Utils eases transition from LZMA Utils to XZ Utils.

While liblzma has a zlib-like API, liblzma doesn't include any file I/O functions. A separate I/O library is planned, which would abstract handling of .gz, .bz2, and .xz files with an easy to use API.

**Documentation**

Man page with a keyword index: xz(1)

Doxygen-generated liblzma API documentation is also included in the source packages since XZ Utils 5.4.2.

**Source code**

Versions 5.2.12, 5.4.3, and later have been signed with Jia Tan's OpenPGP key. The older files have been signed with Lasse Collin's OpenPGP key.

See the NEWS file for a summary of changes between versions.

**Stable**

5.4.4 was released on 2023-08-02. A minor bug fix release 5.2.12 to the old stable branch was made on 2023-05-04. This is probably the last release in the 5.2.x series.

XZ Utils releases are hosted on GitHub and thus some of the links below redirect to the XZ Utils release section on GitHub. Release files are also available in the XZ Utils files section on Sourceforge.

xz-5.4.4.tar.gz (2808 KiB) signature  
xz-5.4.4.tar.bz2 (2116 KiB) signature  
xz-5.4.4.tar.zst (1680 KiB) signature  
xz-5.4.4.tar.xz (1623 KiB) signature

Probably the last release of the old stable branch:

xz-5.2.12.tar.gz (2140 KiB) signature  
xz-5.2.12.tar.bz2 (1593 KiB) signature  
xz-5.2.12.tar.zst (1317 KiB) signature  
xz-5.2.12.tar.xz (1275 KiB) signature

**Development**

The new APIs, command line options etc. in development releases should be considered unstable. Incompatible changes to unstable features may be done before they get included in a stable release.

There currently are no development releases.

**Old versions**

Source and binary packages of old XZ Utils releases are available on a separate page.

**Git repository**

The primary repository is on GitHub:

git clone https://github.com/tukaani-project/xz

It is mirrored with some delay to git.tukaani.org:

git clone https://git.tukaani.org/xz.git

Gitweb

Branches:

*   **master**: the latest development code
*   **v5.4**: fixes for the next 5.4.x release
*   **v5.2**: fixes for the next 5.2.x release
*   **v5.0**: fixes for the next 5.0.x release (unmaintained)

Building the code from the git repository requires GNU Autotools. Here are the _minimum_ versions that should work with XZ Utils; using the latest versions is strongly recommended:

*   Autoconf 2.69
*   Automake 1.12
*   gettext 0.19.6 (Note: autopoint depends on cvs!)
*   Libtool 2.4

The following are optional dependencies. The autogen.sh script will fail if they are missing but autogen.sh takes command line arguments to disable these dependencies.

*   po4a is needed for translated documentation (man pages). To build without po4a, use --no-po4a with autogen.sh.
*   Doxygen is needed to generate liblzma API documentation. To build without Doxygen, use --no-doxygen with autogen.sh.

**Security issues****xzgrep CVE-2022-1271, ZDI-CAN-16587**

A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. The patch applies to 4.999.9beta to 5.2.5, 5.3.1alpha, and 5.3.2alpha. Newer XZ Utils releases include an improved fix for the problem.

It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.

xzgrep-ZDI-CAN-16587.patch  
xzgrep-ZDI-CAN-16587.patch.sig

**Bindings****Python**

Python 3.3 includes bindings for liblzma. A backport of these bindings are available for Python 2 in the backports.lzma package.

lzmaffi is another Python binding which adds random-access decompression support.

The original Python 2 binding for liblzma is PylibLZMA.

**Perl**

Perl bindings for liblzma: IO-Compress-Lzma and Compress-Raw-Lzma.

**Haskell**

Haskell bindings.

**Delphi and Free Pascal**

Bindings and example programs for Delphi and Free Pascal are available here.

**Pre-built binaries**

Many free software operating systems already provide easy-to-install XZ Utils binaries. It doesn't make sense to provide links to all those here. Instead, binaries or links to websites providing binaries are listed here only for operating systems that don't have well-known repositories where users would get software like this.

If you have a website that provides up-to-date XZ Utils binaries for an operating system that meets the the criteria above, let me know and I will include a link here. Note that I won't host the binaries themselves without a good reason.

**Windows**

The Windows version of XZ Utils includes binaries for 32-bit and 64-bit x86. The binaries only depend on msvcrt.dll, which is available on Windows 98 and later out of the box.

*   Command line tools: xz, xzdec, lzmadec, lzmainfo
*   Shared (DLL) and static liblzma, required C header files, and liblzma.def to create import libraries for non-GNU toolchains (no import library is needed with GNU toolchain)
*   Documentation is in plain text (UTF-8) format. The man pages of the command line tools are included also as PDF.

5.2.10, 5.2.11, or 5.2.12 do not have anything significant for Windows so only 5.2.9 is here. 5.4.x builds are not provided for now.

xz-5.2.9-windows.zip (1473 KiB) signature  
xz-5.2.9-windows.7z (708 KiB) signature

**DOS**

The DOS version of XZ Utils includes only the xz command line tool and some documentation. The xz tool should work e.g. on FreeDOS (also in DOSEMU), MS-DOS, and Windows 95/98/98SE/ME. This doesn't necessarily work in DOSBox at all, and at least some problems are expected under Windows XP Command Prompt (signal handling doesn't work).

Since the DOS version is naturally going to get very little testing, it is recommended to use the Windows version instead of the DOS version if you need xz under Windows 98 or later. It is likely that that the DOS version will be updated only occasionally.

5.2.0 and later have experimental support for 8.3 filenames. See xz-dos.txt in the binary package or dos/README.txt in the source package for details.

xz-5.4.0-dos.zip (277 KiB) signature

The package includes some copylefted code from DJGPP and CWSDPMI. The relevant source code is available from their home pages, and copies are also available below.

djlsr205.zip (2000 KiB)  
djtst205.zip (1061 KiB)  
csdpmi7s.zip (88 KiB)

Juan Manuel Guerrero has made a more complete port of XZ Utils to DOS. It also has support for short file names (8.3), but the naming method is different from the one found in 5.2.0 and later. It is available from DJGPP mirrors under /current/v2apps (e.g. xz-500b.zip for 5.0.0 binaries).

**Supported platforms**

Below is an incomplete and somewhat vague (version numbers mostly missing) list of operating systems on which XZ Utils should work. The compiler(s) or toolchains are mentioned in parenthesis. GCC refers to GCC 3 or later. If you have additions or corrections, please email them to me.

*   GNU/Linux (GCC, Clang, ICC, IBM XL C)
*   GNU/HURD (GCC)
*   DragonflyBSD (GCC)
*   FreeBSD (GCC, Clang)
*   MirBSD (GCC)
*   NetBSD (GCC)
*   OpenBSD (Clang, GCC)
*   MINIX 3 (GCC) \[1\]
*   Haiku (GCC4)
*   Mac OS X (GCC)
*   Solaris 8, 9, 10, 11 (GCC, Sun Studio) \[3\]
*   Solaris 2.6, 7 (GCC)
*   HP-UX (GCC, HP ANSI C) \[2\]
*   Tru64 (GCC, Compaq C compiler) \[1\]
*   IRIX (MIPSpro) \[1\]
*   AIX (GCC, IBM XL C)
*   z/OS (IBM XL C)
*   QNX (compilers?)
*   OpenVMS (HP C compiler) \[1\]
*   OpenVOS 17 (GCC)
*   SCO OpenServer 5.0.7 (GCC 3.4.6, 4.2.4) \[4\]
*   Windows 95 and later (GCC/MinGW, GCC/MinGW-w64, GCC/Cygwin, GCC/Interix, Visual Studio (VS can only build liblzma)) \[1\]
*   OS/2, eComStation (GCC)
*   DOS e.g. FreeDOS and MS-DOS (GCC/DJGPP) \[1\]

\[1\] See also the platform-specific notes in the INSTALL file.

\[2\] 2010-09-22: HP ANSI C compiler crashes when compiling XZ Utils on PA-RISC. On Itanium there are no problems.

\[3\] On Solaris 8 and 9 one may need to pass ac\_cv\_prog\_cc\_c99= to configure if using Sun Studio.

\[4\] Use --disable-threads when running configure.

**Licensing**

The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts.

Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3.

See the file COPYING for more details.

CVE-2020-22916: XZ Utils

Buffer Overflow vulnerability in ExtractorInformation function in streamExtractor.cpp in oggvideotools 0.9.1 allows remaote attackers to run arbitrary code via opening of crafted ogg file.

I use AddressSanitizer to build oggvideotools 0.9.1 and get segment fault as below. I use the command:  
oggLength <testcase>  
The testcase I used is put in the attachment.  
This software can also be installed by command apt install oggvideotools but the version is 0.8a-7, which can also get segment fault with the same testcase.</testcase>

MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
MediaConverter::setAvailable(): decoder is not configured or has ended  
\=================================================================  
\==32390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e4b8 at pc 0x00000046e493 bp 0x7ffe9af99060 sp 0x7ffe9af99050  
WRITE of size 4 at 0x60600000e4b8 thread T0  
#0 0x46e492 in ExtractorInformation::operator=(ExtractorInformation const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17  
#1 0x4407e2 in StreamConfig::operator=(StreamConfig const&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamConfig.h:12  
#2 0x43ea66 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:210  
#3 0x43b0c4 in oggLengthCmd(int, char\*\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#4 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#5 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)  
#6 0x43aa78 in \_start (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x43aa78)</streamconfig,>

0x60600000e4b8 is located 0 bytes to the right of 56-byte region \[0x60600000e480,0x60600000e4b8)  
allocated by thread T0 here:  
#0 0x7f13e0b42532 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99532)  
#1 0x4468b4 in \_\_gnu\_cxx::new\_allocator<streamconfig>::allocate(unsigned long, void const_) /usr/include/c++/5/ext/new\_allocator.h:104  
#2 0x4460b3 in std::allocator\_traits<std::allocator<streamconfig> >::allocate(std::allocator<streamconfig>&, unsigned long) /usr/include/c++/5/bits/alloc\_traits.h:491  
#3 0x4451fd in std::\_Vector\_base<streamconfig, std::allocator<streamconfig=""> >::\_M\_allocate(unsigned long) /usr/include/c++/5/bits/stl\_vector.h:170  
#4 0x443257 in std::vector<streamconfig, std::allocator<streamconfig=""> >::\_M\_default\_append(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x443257)  
#5 0x441d5e in std::vector<streamconfig, std::allocator<streamconfig=""> >::resize(unsigned long) (/home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/install/bin/oggLength+0x441d5e)  
#6 0x43e9a5 in StreamSerializer::getStreamConfig(std::vector<streamconfig, std::allocator<streamconfig=""> >&) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:206  
#7 0x43b0c4 in oggLengthCmd(int, char</streamconfig,></streamconfig,></streamconfig,></streamconfig,></streamconfig></std::allocator<streamconfig>_\*) /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93  
#8 0x43b4e5 in main /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136  
#9 0x7f13e016782f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)</streamconfig>

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools\_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17 ExtractorInformation::operator=(ExtractorInformation const&)  
Shadow bytes around the buggy address:  
0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c0c7fff9c90: 00 00 00 00 00 00 00\[fa\]fa fa fa fa 00 00 00 00  
0x0c0c7fff9ca0: 00 00 05 fa fa fa fa fa fd fd fd fd fd fd fd fa  
0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa  
0x0c0c7fff9cc0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd  
0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 06 fa  
0x0c0c7fff9ce0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==32390==ABORTING

My system is:  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04

The software information:  
oggvideotools:  
Installed: 0.8a-7  
Candidate: 0.8a-7  
Version table:  
\*\*\* 0.8a-7 500  
500 https://mirrors.tuna.tsinghua.edu.cn/ubuntu xenial/universe amd64 Packages  
500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages  
100 /var/lib/dpkg/status

ProblemType: Bug  
DistroRelease: Ubuntu 16.04  
Package: oggvideotools 0.8a-7  
ProcVersionSignature: Ubuntu 4.15.0-66.75~16.04.1-generic 4.15.18  
Uname: Linux 4.15.0-66-generic x86\_64  
ApportVersion: 2.20.1-0ubuntu2.21  
Architecture: amd64  
CurrentDesktop: Unity  
Date: Thu Nov 14 19:56:47 2019  
InstallationDate: Installed on 2019-01-24 (293 days ago)  
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)  
SourcePackage: oggvideotools  
UpgradeStatus: No upgrade log present (probably fresh install)

**1 Attachments**

CVE-2020-21724: Ogg Video Tools / Bugs

A Segmentation Fault issue discovered StreamSerializer::extractStreams function in streamSerializer.cpp in oggvideotools 0.9.1 allows remote attackers to cause a denial of service (crash) via opening of crafted ogg file.

Tested in Ubuntu 16.04, 64bit

The tesecase is put in the attachment and the oggvideotools vision is 0.9.1

I use the following command:

./oggLength oggLength\_SEGV

and get:

I use **valgrind** to analysis the bug and get the below information:

\==7902\== Memcheck, a memory error detector
\==7902\== Copyright (C) 2002\-2015, and GNU GPL'd, by Julian Seward et al.
\==7902\== Using Valgrind\-3.11.0 and LibVEX; rerun with -h for copyright info
\==7902\== Command: /home/wws/Music/Fuzz/target\_progs/target\_oggvideotools/install/bin/oggLength /home/wws/Music/Fuzz/cmp/fuzz\_out\_oggvideotools\_oggLength/crashes/id:000025,sig:11,src:000146,op:flip1,pos:5
\==7902\== 
\==7902\== Invalid read of size 8
\==7902\==    at 0x41F650: StreamSerializer::extractStreams() (streamSerializer.cpp:163)
\==7902\==    by 0x4261A2: StreamSerializer::open(std::\_\_cxx11::basic\_string<char, std::char\_traits<char\>, std::allocator<char\> \>&) (streamSerializer.cpp:75)
\==7902\==    by 0x40F6A3: oggLengthCmd(int, char\*\*) (oggLength.cpp:86)
\==7902\==    by 0x40E412: main (oggLength.cpp:136)
\==7902\==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
\==7902\== 
\==7902\== 
\==7902\== Process terminating with default action of signal 11 (SIGSEGV)
\==7902\==  Access not within mapped region at address 0x0
\==7902\==    at 0x41F650: StreamSerializer::extractStreams() (streamSerializer.cpp:163)
\==7902\==    by 0x4261A2: StreamSerializer::open(std::\_\_cxx11::basic\_string<char, std::char\_traits<char\>, std::allocator<char\> \>&) (streamSerializer.cpp:75)
\==7902\==    by 0x40F6A3: oggLengthCmd(int, char\*\*) (oggLength.cpp:86)
\==7902\==    by 0x40E412: main (oggLength.cpp:136)
\==7902\==  If you believe this happened as a result of a stack
\==7902\==  overflow in your program's main thread (unlikely but
\==7902\==  possible), you can try to increase the size of the
\==7902\==  main thread stack using the \--main\-stacksize\= flag.
\==7902\==  The main thread stack size used in this run was 8388608.
\==7902\== 
\==7902\== HEAP SUMMARY:
\==7902\==     in use at exit: 157,974 bytes in 18 blocks
\==7902\==   total heap usage: 22 allocs, 4 frees, 162,629 bytes allocated
\==7902\== 
\==7902\== LEAK SUMMARY:
\==7902\==    definitely lost: 0 bytes in 0 blocks
\==7902\==    indirectly lost: 0 bytes in 0 blocks
\==7902\==      possibly lost: 0 bytes in 0 blocks
\==7902\==    still reachable: 157,974 bytes in 18 blocks
\==7902\==         suppressed: 0 bytes in 0 blocks
\==7902\== Rerun with \--leak\-check\=full to see details of leaked memory
\==7902\== 
\==7902\== For counts of detected and suppressed errors, rerun with: \-v
\==7902\== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

I use **AddressSanitizer** to build oggvideotools, this file can cause SEGV signal in function StreamSerializer::extractStreams() with the following command:

./oggLength oggLength\_SEGV

This is the ASAN information:

ASAN:SIGSEGV
\=================================================================
\==7905\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000043e4b9 bp 0x7ffe756519d0 sp 0x7ffe75651720 T0)
    #0 0x43e4b8 in StreamSerializer::extractStreams() oggvideotools\-0.9.1/src/main/streamSerializer.cpp:163
    #1 0x43da8f in StreamSerializer::open(std::\_\_cxx11::basic\_string<char, std::char\_traits<char\>, std::allocator<char\> \>&) oggvideotools\-0.9.1/src/main/streamSerializer.cpp:75
    #2 0x43b044 in oggLengthCmd(int, char\*\*) oggvideotools\-0.9.1/src/binaries/oggLength.cpp:86
    #3 0x43b4e5 in main oggvideotools\-0.9.1/src/binaries/oggLength.cpp:136
    #4 0x7f6e840b082f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x43aa78 in \_start (target\_oggvideotools/install/bin/oggLength+0x43aa78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
oggvideotools\-0.9.1/src/main/streamSerializer.cpp:163 StreamSerializer::extractStreams()
\==7905\==ABORTING

CVE-2020-21723: Ogg Video Tools / Bugs

An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date.

CVE-2020-21583: #786804 - hwclock(8) SUID privilege escalation

An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

ash1852 opened this issue

Aug 31, 2022

· 3 comments

**Comments**

Hi, I found a potential null pointer dereference bug in the project source code of hwloc, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the green text represents some additional information to help understanding when the steps occur and the file path can be seen in the blue framed section.

Although the code shown is for version 2.1.0, this potential bug is still present in the current version

setsize \= CPU\_ALLOC\_SIZE(last+1);

plinux\_set \= CPU\_ALLOC(last+1);

CPU\_ZERO\_S(setsize, plinux\_set);

  
would you can help to check if this bug is true?thank you!

Hello  
Yes, there are likely many corner cases like where we don't check allocation return values. Similar issue in hwloc\_linux\_set\_tid\_cpubind(), hwloc\_linux\_find\_kernel\_nr\_cpus() and hwloc\_linux\_get\_tid\_cpubind(), hwloc\_linux\_set\_thread\_cpubind(), hwloc\_linux\_get\_thread\_cpubind().  
The (bad) rational is that other things will go wrong before this one will trigger a crash. Feel free to send a fix :)

 bgoglin changed the title A potential bug of NPD potential NULL glibc-cpuset dereferences in topology-linux.c

Aug 31, 2022

CVE-2022-47022 was assigned to this issue.

I didn't have any involvement in the assignment, posting here for visibility.

Thanks for the reminder, I forgot about this, I am pushing the fix to master and all stable branches.

bgoglin added a commit that referenced this issue

Aug 24, 2023

CVE-2022-47022: potential NULL glibc-cpuset dereferences in topology-linux.c · Issue #544 · open-mpi/hwloc

Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.

**What's the problem (or question)?**

Assertion \`(unsigned)len <= buf->getSize()' failed in file.cpp:275

upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer\*, int): Assertion \`(unsigned)len <= buf\-\>getSize()' failed.
Program received signal SIGABRT, Aborted.

    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7bcc859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
    #4  0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
    #5  0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
    #6  0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
    #7  0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
    #8  0x00005555555d6028 in Packer::doPack(OutputFile*) ()
    #9  0x00005555555eacd3 in do_one_file(char const*, char*) ()
    #10 0x00005555555eaf8f in do_files(int, int, char**) ()
    #11 0x00005555555973c7 in upx_main(int, char**) ()
    #12 0x000055555557c4e2 in main ()
    #13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #14 0x000055555557c5fe in _start ()
    

**What should have happened?**

No crash.

**Do you have an idea for a solution?**

No.

**How can we reproduce the issue?**

1.make  
2../src/upx.out ./poc  
poc.zip

**Please tell us details about your environment.**

*   ./upx.out --version  
    upx 4.0.0-git-5d1347a359bb  
    UCL data compression library 1.03  
    zlib data compression library 1.2.11  
    LZMA SDK version 4.43
*   Host Operating System and version: Ubuntu 20.04 focal
*   Host CPU architecture: AMD E  
    poc.zip  
    PYC 7742 64-Core @ 16x 2.25GHz
*   Target Operating System and version: Ubuntu 20.04 focal
*   Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz

CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx

Buffer Overflow vulnerability in WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service via converting of crafted image file to pcx format.

Hi, I found a heap-buffer-overflow in WritePCXImage at pcx.c:1255  
I tested it in GraphicsMagick 1.4  
how to reproduce :

ASAN LOG

\==14178\==ERROR: AddressSanitizer: heap\-buffer\-overflow on address 0x6030000000c0 at pc 0x0000028f29c0 bp 0x7ffec5056070 sp 0x7ffec5056068
WRITE of size 1 at 0x6030000000c0 thread T0
    #0 0x28f29bf in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17
    #1 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #2 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21
    #3 0x615be6 in ConvertImageCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:6135:11
    #4 0x72e875 in MagickCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:8880:17
    #5 0x810c5c in GMCommandSingle /home/suhwan/project/graphicsmagick\-code/magick/command.c:17412:10
    #6 0x80ba1e in GMCommand /home/suhwan/project/graphicsmagick\-code/magick/command.c:17465:16
    #7 0x7ff6e5aa2b96 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x21b96)
    #8 0x424239 in \_start (/home/suhwan/project/fuzz\-input\-validate/test/bin/gm+0x424239)

0x6030000000c0 is located 0 bytes to the right of 32\-byte region \[0x6030000000a0,0x6030000000c0)
allocated by thread T0 here:
    #0 0x4cc083 in \_\_interceptor\_malloc /tmp/final/llvm.src/projects/compiler\-rt/lib/asan/asan\_malloc\_linux.cc:146:3
    #1 0x28ddf2c in WritePCXImage /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1172:16
    #2 0x8e5c7e in WriteImage /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2245:14
    #3 0x8eac18 in WriteImages /home/suhwan/project/graphicsmagick\-code/magick/constitute.c:2404:21

SUMMARY: AddressSanitizer: heap\-buffer\-overflow /home/suhwan/project/graphicsmagick\-code/coders/pcx.c:1255:17 in WritePCXImage
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa 00 00
\=>0x0c067fff8010: 05 fa fa fa 00 00 00 00\[fa\]fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==14178\==ABORTING

GraphicsMagick 1.4 snapshot-20191225 Q8 http://www.GraphicsMagick.org/  
Copyright (C) 2002-2019 GraphicsMagick Group.  
Additional copyrights and licenses apply to this software.  
See http://www.GraphicsMagick.org/www/Copyright.html for details.

Feature Support:  
Native Thread Safe yes  
Large Files (> 32 bit) yes  
Large Memory (> 32 bit) yes  
BZIP yes  
DPS no  
FlashPix no  
FreeType yes  
Ghostscript (Library) no  
JBIG yes  
JPEG-2000 no  
JPEG yes  
Little CMS yes  
Loadable Modules no  
Solaris mtmalloc no  
OpenMP yes (201107 "3.1")  
PNG yes  
TIFF yes  
TRIO no  
Solaris umem no  
WebP no  
WMF no  
X11 yes  
XML yes  
ZLIB yes

Host type: x86\_64-pc-linux-gnu

CVE-2020-21679: GraphicsMagick / Bugs / #619 heap-buffer-overflow in WritePCXImage

A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obatin sensitive information via vgacon_invert_region() function.

Submitted by Zhang Xiaoxu on March 4, 2020, 2:24 a.m.

**Details**

**Not browsing as part of any series.**

**Commit Message****Patch hide | download patch | download mbox**

diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index de7b8382aba9..998b0de1812f 100644
\--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -1316,6 +1316,9 @@  static int vgacon\_font\_get(struct vc\_data \*c, struct console\_font \*font)
 static int vgacon\_resize(struct vc\_data \*c, unsigned int width,
 			 unsigned int height, unsigned int user)
 {
+	if ((width << 1) \* height > vga\_vram\_size)
+		return -EINVAL;
+
 	if (width % 2 || width > screen\_info.orig\_video\_cols ||
 	    height > (screen\_info.orig\_video\_lines \* vga\_default\_font\_height)/
 	    c->vc\_font.height)

**Comments**

CVE-2020-27418: [v4] vgacon: Fix a UAF in vgacon_invert_region

p7zip 16.02 was discovered to contain a heap-buffer-overflow vulnerability via the function NArchive::NZip::CInArchive::FindCd(bool) at CPP/7zip/Archive/Zip/ZipIn.cpp.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets ▾
    *   Bugs
    *   Support Requests
    *   Patches
    *   Feature Requests
*   Discussion

Menu ▾ ▴

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2022-12-09

Created: 2022-12-09

Private: No

**Description**

Heap-buffer-overflow in CPP/7zip/Archive/Zip/ZipIn.cpp:1116 in NArchive::NZip::CInArchive::FindCd(bool)

**Verison**

$ ./7za   
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,64 CPUs x64)

**Replay**

./7za t poc.zip

**POC**

https://github.com/17ssDP/fuzzer\_crashes/raw/main/zip/poc.zip

**ASAN**

$./7zatpoc.zip

7-Zip(a)[64]16.02:Copyright(c)1999-2016IgorPavlov:2016-05-21
p7zipVersion16.02(locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64bits,64CPUsx64)

Scanningthedriveforarchives:
1file,4340bytes(5KiB)

Testingarchive:poc.zip
=================================================================
==65213==ERROR:AddressSanitizer:heap-buffer-overflowonaddress0x6210000000ffatpc0x55b8f9dd0731bp0x7ffd13599890sp0x7ffd13599880
READofsize4at0x6210000000ffthreadT0
#00x55b8f9dd0730inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116
#10x55b8f9dd5f00inNArchive::NZip::CInArchive::ReadVols()../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1578
#20x55b8f9e01d9binNArchive::NZip::CInArchive::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*,CObjectVector<NArchive::NZip::CItemEx>&)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:2135
#30x55b8f9d4c294inNArchive::NZip::CHandler::Open(IInStream*,unsignedlonglongconst*,IArchiveOpenCallback*)../../../../CPP/7zip/Archive/Zip/ZipHandler.cpp:474
#40x55b8fa46890binCArc::OpenStream2(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:1878
#50x55b8fa47fb6ainCArc::OpenStream(COpenOptionsconst&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2901
#60x55b8fa481451inCArc::OpenStreamOrFile(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:2993
#70x55b8fa48437ainCArchiveLink::Open(COpenOptions&)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3169
#80x55b8fa48ccf5inCArchiveLink::Open2(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3292
#90x55b8fa48f2a5inCArchiveLink::Open3(COpenOptions&,IOpenCallbackUI*)../../../../CPP/7zip/UI/Common/OpenArchive.cpp:3356
#100x55b8fa409e7einExtract(CCodecs*,CObjectVector<COpenType>const&,CRecordVector<int>const&,CObjectVector<UString>&,CObjectVector<UString>&,NWildcard::CCensorNodeconst&,CExtractOptionsconst&,IOpenCallbackUI*,IExtractCallbackUI*,IHashCalc*,UString&,CDecompressStat&)../../../../CPP/7zip/UI/Common/Extract.cpp:362
#110x55b8fa5cc0b6inMain2(int,char**)../../../../CPP/7zip/UI/Console/Main.cpp:923
#120x55b8f9819ef8inmain../../../../CPP/7zip/UI/Console/MainAr.cpp:66
#130x7fa675178c86in__libc_start_main(/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#140x55b8f981c069in_start(/home/p7zip/7za+0x41069)

0x6210000000ffislocated1bytestotheleftof4340-byteregion[0x621000000100,0x6210000011f4)
allocated by thread T0 here:
    #0 0x7fa675e6c608 in operator new[](unsignedlong)(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
#10x55b8f9dce590inCObjArray<unsignedchar>::CObjArray(unsignedlong)../../../../CPP/7zip/Archive/Zip/../../../Common/MyBuffer.h:141
#20x55b8f9dce590inNArchive::NZip::CInArchive::FindCd(bool)../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1066

SUMMARY:AddressSanitizer:heap-buffer-overflow../../../../CPP/7zip/Archive/Zip/ZipIn.cpp:1116inNArchive::NZip::CInArchive::FindCd(bool)
Shadowbytesaroundthebuggyaddress:
0x0c427fff7fc0:00000000000000000000000000000000
0x0c427fff7fd0:00000000000000000000000000000000
0x0c427fff7fe0:00000000000000000000000000000000
0x0c427fff7ff0:00000000000000000000000000000000
0x0c427fff8000:fafafafafafafafafafafafafafafafa
=>0x0c427fff8010:fafafafafafafafafafafafafafafa[fa]
0x0c427fff8020:00000000000000000000000000000000
0x0c427fff8030:00000000000000000000000000000000
0x0c427fff8040:00000000000000000000000000000000
0x0c427fff8050:00000000000000000000000000000000
0x0c427fff8060:00000000000000000000000000000000
Shadowbytelegend(oneshadowbyterepresents8applicationbytes):
Addressable:00
Partiallyaddressable:01020304050607
Heapleftredzone:fa
Freedheapregion:fd
Stackleftredzone:f1
Stackmidredzone:f2
Stackrightredzone:f3
Stackafterreturn:f5
Stackuseafterscope:f8
Globalredzone:f9
Globalinitorder:f6
Poisonedbyuser:f7
Containeroverflow:fc
Arraycookie:ac
Intraobjectredzone:bb
ASaninternal:fe
Leftallocaredzone:ca
Rightallocaredzone:cb
==65213==ABORTING

**Environment**

**1 Attachments**

**Discussion**

Log in to post a comment.

CVE-2022-47069: p7zip / Bugs / #241 Heap-buffer-overflow in ZipIn.cpp:1116

An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerablility that can restart KVMvirtual machine without any authorization. It is not yet known if there will be other other effects.

**Spice-Security-Issues**

I found a security issue on spice Server when I was fuzzing Spice server.

**Introduce**

A handshake is required before the spice-server and spice-client can establish communication, spice-client will send a request containing some information that the server needs. This TCP request requires only host and port. So I constructed a malformed TCP packet that caused the vm to crash and the QEMu-KVM process to be restarted.

**How to run**

#1. Send a malformed TCP packet(Observe the packets intercepted by Wirshark)  #2. check qemu-kvm process && kvm instance state

Before sending a malformed TCP packet  
  After sending a malformed TCP packet  

#3. Check libvirt's log that the virtual machine crashed  #4. Observe the virtual machine through virt-manage, found that the virtual machine has been restarted 

**Vulnerability Code**

Code Address: https://gitlab.freedesktop.org/spice/spice/-/blob/master/server/red-stream.cpp  
Function：async\_read\_handler Description: The function async\_READ\_handler caused a deadlock while processing the data stream. 

**Related component version**

Centos: Linux version 3.10.0-957.10.2.el7.x86\_64  
Qemu-kvm: QEMU emulator version 2.10.0(qemu-kvm-ev-2.10.0-21.el7\_5.7.1)  
Spice-server rpm: spice-server-0.14.0-6.el7\_6.1.x86\_64

Tag

#linux