REDHAT-BUG-2452945: Buffer Overflow
On 32-bit systems, an integer overflow in the zisofs block pointer allocation logic (archive_read_support_format_iso9660.c, line 1537) wraps the allocation size to zero. malloc(0) returns a ~16-byte buffer, but the code records the un-wrapped size (~4 GB) and proceeds to memcpy() attacker-controlled ISO data into the tiny buffer: a heap buffer overflow WRITE. On 64-bit systems the overflow doesn't wrap and malloc fails safely. Shares root cause with vulnerability #2 (unvalidated pz_log2_bs).

Requirements to exploit: The target must be a 32-bit system processing a crafted ISO9660 image via libarchive. The attacker needs to deliver the ISO to an application that extracts or reads its contents. Exploitation to RCE would require heap grooming specific to the target allocator/platform.
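An added example, not code from libarchive or from this advisory: a simplified C model of the size calculation described above, with `uint32_t` standing in for a 32-bit `size_t`, next to a checked version that rejects the header instead of wrapping. The function names, the "ceil(size / block) + 1 pointers of 4 bytes" table layout and the 15 to 17 range for the block-size exponent (taken from the zisofs format) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption), not libarchive's code.
 * uint32_t plays the role of size_t on a 32-bit build. */

/* Unchecked: bytes needed for the block-pointer table, computed in
 * 32-bit arithmetic. log2_bs < 32 is assumed so the shift is defined. */
uint32_t table_bytes_unchecked(uint32_t uncompressed_size, unsigned log2_bs)
{
    uint64_t round_up = (1ULL << log2_bs) - 1;
    uint32_t blocks = (uint32_t)(((uint64_t)uncompressed_size + round_up) >> log2_bs);
    return (blocks + 1u) * 4u;          /* wraps modulo 2^32 */
}

/* Checked: validate the exponent first, do the arithmetic in 64 bits,
 * and refuse any result that does not fit the 32-bit size type.
 * Returns 0 and stores the size in *out, or -1 to reject the header. */
int table_bytes_checked(uint32_t uncompressed_size, unsigned log2_bs,
                        uint32_t *out)
{
    if (log2_bs < 15 || log2_bs > 17)   /* assumed valid zisofs range */
        return -1;
    uint64_t round_up = (1ULL << log2_bs) - 1;
    uint64_t blocks = ((uint64_t)uncompressed_size + round_up) >> log2_bs;
    uint64_t bytes = (blocks + 1) * 4;
    if (bytes > UINT32_MAX)             /* defense in depth */
        return -1;
    *out = (uint32_t)bytes;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    /* Constructed header values: maximum 32-bit size, exponent 0. */
    printf("unchecked: %u bytes\n",
           (unsigned)table_bytes_unchecked(0xFFFFFFFFu, 0));
    printf("checked, exponent 0: %d\n",
           table_bytes_checked(0xFFFFFFFFu, 0, &n));
    if (table_bytes_checked(0xFFFFFFFFu, 15, &n) == 0)
        printf("checked, exponent 15: %u bytes\n", (unsigned)n);
    return 0;
}
```

The same pattern applies to any allocation sized from file-supplied fields: validate the field against the format's allowed range, then compute in a wider type and compare against the allocator's size limit before calling malloc().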
Frequently Asked Questions
What is the severity of REDHAT-BUG-2452945?
The severity of REDHAT-BUG-2452945 is critical due to the potential for remote code execution resulting from the integer overflow vulnerability.
How do I fix REDHAT-BUG-2452945?
To fix REDHAT-BUG-2452945, you should update the libarchive package to the latest patched version provided by Red Hat.
What systems are affected by REDHAT-BUG-2452945?
REDHAT-BUG-2452945 affects 32-bit systems using libarchive for handling ISO9660 formatted archives.
What vulnerabilities are introduced by REDHAT-BUG-2452945?
The vulnerability introduced by REDHAT-BUG-2452945 allows for potential remote code execution due to improper memory allocation.
Is there a workaround for REDHAT-BUG-2452945?
Currently, the recommended approach for mitigating REDHAT-BUG-2452945 is to completely avoid using libarchive for processing untrusted ISO9660 files until a patch is applied.