CVE-2021-27347: 
Linux Debian vulnerability analysis and mitigation

Use after free vulnerability (CVE-2021-27347) was discovered in the lzmadecompressbuf function in stream.c in Irzip 0.631. The vulnerability was disclosed on June 10, 2021, affecting the Long Range ZIP (lrzip) compression program. This security flaw impacts multiple Linux distributions including Debian and Ubuntu (NVD, Debian Security).

The vulnerability is classified as a Use-After-Free (CWE-416) issue that occurs during multithread processing in stream.c. The issue stems from unchecked buffer access during multithread stream reading. The CVSS v3.1 base score is 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted compressed file. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (Debian LTS, NVD).

The vulnerability has been fixed in subsequent releases. Debian has released version 0.631-1+deb9u2 for Debian 9 (Stretch), Ubuntu has released fixes for multiple versions including Ubuntu 20.04 (version 0.631+git180528-1+deb10u1build0.20.04.1) and Ubuntu 18.04 (version 0.631-1+deb9u3build0.18.04.1). Users are recommended to upgrade their lrzip packages to the latest version (Debian LTS, Ubuntu Security).