[Bug 10436] New: LZMA decompression crash

bugzilla at busybox.net bugzilla at busybox.net
Sun Oct 22 13:17:20 UTC 2017


            Bug ID: 10436
           Summary: LZMA decompression crash
           Product: Busybox
           Version: 1.27.x
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Other
          Assignee: unassigned at busybox.net
          Reporter: ariel at twistlock.com
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 7306
  --> https://bugs.busybox.net/attachment.cgi?id=7306&action=edit
Crash file

I found a vulnerability in the unlzma code
(archival/libarchive/decompress_unlzma.c line 455) while fuzzing the unzip
applet. The crash is a read access violation.

Attached is one of the crash files and the fuzzer info. Tested with 1.27.2.

You are receiving this mail because:
You are on the CC list for the bug.

More information about the busybox-cvs mailing list