Bug 10431 (CVE-2017-15873) - Bzip2 decompression crashes
Summary: Bzip2 decompression crashes
Status: RESOLVED FIXED
Alias: CVE-2017-15873
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.27.x
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
 
Reported: 2017-10-22 10:49 UTC by Ariel Zelivansky
Modified: 2017-10-25 07:36 UTC



Attachments
Crash 1 (4.81 KB, application/x-bzip)
2017-10-22 10:49 UTC, Ariel Zelivansky
Crash 2 (4.81 KB, application/x-bzip)
2017-10-22 10:50 UTC, Ariel Zelivansky
afl readme (625 bytes, text/plain)
2017-10-22 10:51 UTC, Ariel Zelivansky

Description Ariel Zelivansky 2017-10-22 10:49:54 UTC
Created attachment 7291
Crash 1

Hi,

While fuzzing busybox I found a vulnerability in the bzip2 decompression code (archival/libarchive/decompress_bunzip2.c line 513). This is likely a write access violation; I did not try to exploit this, so I don't know how bad it is. It leads to a crash at least.

Attached are two crash files and the fuzzer info. I tested these on the current git master and with versions 1.17.2 and 1.16.0.

Please let me know if this is the right place to report possibly security-related issues.
Comment 1 Ariel Zelivansky 2017-10-22 10:50:37 UTC
Created attachment 7296
Crash 2
Comment 2 Ariel Zelivansky 2017-10-22 10:51:32 UTC
Created attachment 7301
afl readme
Comment 3 Denys Vlasenko 2017-10-22 16:25:22 UTC
Fixed in git, thanks!