Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Jun 2016 14:51:46 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Many invalid memory access issues in libarchive

https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html

libarchive version 3.2.0 (released on April 30th) fixed a large number
of memory access bugs that I reported to them a while ago.

https://github.com/libarchive/libarchive/issues/503
Unclear invalid memory read in CPIO parser
http://libarchive.github.io/google-code/issue-395/comment-0/crash.cpio
Sample file

https://github.com/libarchive/libarchive/issues/504
Null pointer access in RAR parser
http://libarchive.github.io/google-code/issue-396/comment-0/crash.rar
Sample file

https://github.com/libarchive/libarchive/issues/505
Null pointer access in CAB parser
http://libarchive.github.io/google-code/issue-397/comment-0/segf.cab
Sample file

https://github.com/libarchive/libarchive/issues/506
Overlapping memcpy in CAB parser
http://libarchive.github.io/google-code/issue-398/comment-0/memcpy.cab
Sample file

https://github.com/libarchive/libarchive/issues/510
Heap out of bounds read in LHA/LZH parser
http://libarchive.github.io/google-code/issue-402/comment-0/bsdtar-invalid-read.lzh
Sample file

https://github.com/libarchive/libarchive/issues/511
Stack out of bounds read in ar parser
http://libarchive.github.io/google-code/issue-403/comment-0/bsdtar-invalid-read-stack.a
Sample file

https://github.com/libarchive/libarchive/issues/512
Global out of bounds read in mtree parser
http://libarchive.github.io/google-code/issue-404/comment-0/invalid-read-overflow.mtree
Sample file

https://github.com/libarchive/libarchive/issues/513
Null pointe access in 7z parser
http://libarchive.github.io/google-code/issue-405/comment-0/bsdtar-null-ptr.7z
Sample file

https://github.com/libarchive/libarchive/issues/514
Unclear crashes in ZIP parser
http://libarchive.github.io/google-code/issue-406/comment-0/bsdtar-zip-crash-variant1.zip
Sample file

https://github.com/libarchive/libarchive/issues/515
Heap out of bounds read in TAR parser
http://libarchive.github.io/google-code/issue-407/comment-0/tar-heap-overflow.tar
Sample file

https://github.com/libarchive/libarchive/issues/516
Unclear invalid memory read in mtree parser
http://libarchive.github.io/google-code/issue-408/comment-0/read_mtree.mtree
Sample file

https://github.com/libarchive/libarchive/issues/518
Null pointer access in RAR parser
http://libarchive.github.io/google-code/issue-410/comment-0/segfault.rar
Sample file

https://github.com/libarchive/libarchive/issues/523
Heap out of bounds heap read read when reading password for malformed
ZIP
http://libarchive.github.io/google-code/issue-415/comment-0/pwcrash.zip
Sample file

https://github.com/libarchive/libarchive/issues/550
Heap out of bounds read in mtree parser
https://crashes.fuzzing-project.org/libarchive-oob-process_add_entry.mtree
Sample file

I also reported a couple of lower severity issues (leaks, hangs,
undefined behavior issues):

https://github.com/libarchive/libarchive/issues/517
Memory leak in TAR parser

https://github.com/libarchive/libarchive/issues/522
Endless loop in ISO parser
http://libarchive.github.io/google-code/issue-414/comment-0/hang.iso
Sample file

https://github.com/libarchive/libarchive/issues/539
Undefined behavior / signed integer overflow in mtree parser

https://github.com/libarchive/libarchive/issues/540
Use after free in test suite

https://github.com/libarchive/libarchive/issues/547
Undefined behavior / invalid shiftleft in TAR parser
https://crashes.fuzzing-project.org/libarchive-undefined-shiftleft
Sample file

https://github.com/libarchive/libarchive/issues/548
Undefined behavior / signed integer overflow in TAR parser
https://crashes.fuzzing-project.org/libarchive-undefined-signed-overflow.tar
Sample file

Unfortunately one out of bounds heap read bug in the RAR parser (sample
file) remained unfixed. I hope a fix will find its way into the next
version. I was interested in making libarchive more robust because once
all issues are fixed it can serve as a safer alternative to many low
quality command line tools for various archiving formats.
https://github.com/libarchive/libarchive/issues/521
http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ