
Cloud Vulnerability DB
A community-led vulnerabilities database
lrzip v0.640 was discovered to contain a heap memory corruption vulnerability (CVE-2022-28044) via the component lrzip.c:initialise_control. The vulnerability was identified and reported on February 24, 2022, by security researcher Pietro Borrello (GitHub Issue).
The vulnerability stems from improper memory management of the suffix field of the static rzip_control structure. The field was initialized in initialise_control to point at global memory, but the code that later released it treated it as heap-allocated memory and passed it to free(), leading to heap corruption. This occurred specifically when freeing the rzip_control variable and when setting a new suffix, which frees the previous value before installing the new one (GitHub Issue).
The heap memory corruption could potentially result in an exploitable vulnerability, particularly when initialized with optarg pointing to global RW memory. This could lead to system instability or potentially allow for arbitrary code execution (GitHub Issue).
The vulnerability was fixed by properly initializing control->suffix with the return value of strdup, so that every value the field can hold is heap-allocated and may safely be freed. This fix was implemented in version 0.650 of lrzip. Various distributions also released patched versions: Debian 9 (Stretch) fixed it in version 0.631-1+deb9u3, Debian 10 (Buster) in version 0.631+git180528-1+deb10u1, and Debian 11 (Bullseye) in version 0.641-1+deb11u1 (Debian Security, Debian LTS).
Source: This report was generated using AI