Source: lrzip
Severity: important
Tags: security upstream
Forwarded: https://github.com/ckolivas/lrzip/issues/71

Hi,

the following vulnerability was published for lrzip.

CVE-2017-8846[0]:
| The read_stream function in stream.c in liblrzip.so in lrzip 0.631
| allows remote attackers to cause a denial of service (use-after-free
| and application crash) via a crafted archive.

I'm not 100% certain I can confirm the issue on lrzip. It looks like there is definitely a possible issue, but I was not able to follow the full code to confirm it. Thus filing this one just as a bug with the respective upstream reference. We might need to wait for the upstream patch to confirm.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8846
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8846
[1] https://github.com/ckolivas/lrzip/issues/71

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore