Date: Fri, 17 Jun 2016 15:35:19 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Many invalid memory access issues in libarchive

> https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html

> libarchive version 3.2.0 (released on April 30th) fixed a large number
> of memory access bugs that I reported to them a while ago.

> https://github.com/libarchive/libarchive/issues/503
> Unclear invalid memory read in CPIO parser

>> hit end-of-file when trying to read a cpio header

Use CVE-2015-8915.


> https://github.com/libarchive/libarchive/issues/504
> Null pointer access in RAR parser

Use CVE-2015-8916.

There is not a second ID for the "it assumes this is a multivolume
archive" discussion in the
https://github.com/libarchive/libarchive/issues/504#issuecomment-198683221
comment.


> https://github.com/libarchive/libarchive/issues/505
> Null pointer access in CAB parser

>> The real problem though is that the filename in the cabinet is set to
>> 0x97. This single character is not a valid utf8 character and
>> therefore the conversion fails.

Use CVE-2015-8917.


> https://github.com/libarchive/libarchive/issues/506
> Overlapping memcpy in CAB parser

Use CVE-2015-8918.


> https://github.com/libarchive/libarchive/issues/510
> Heap out of bounds read in LHA/LZH parser

Use CVE-2015-8919.


> https://github.com/libarchive/libarchive/issues/511
> Stack out of bounds read in ar parser

Use CVE-2015-8920.


> https://github.com/libarchive/libarchive/issues/512
> Global out of bounds read in mtree parser

Use CVE-2015-8921.


> https://github.com/libarchive/libarchive/issues/513
> Null pointer access in 7z parser

Use CVE-2015-8922.


> https://github.com/libarchive/libarchive/issues/514
> Unclear crashes in ZIP parser

>> Issue here was reading a size field as a signed number
>> and then using that as an offset.

Use CVE-2015-8923.


> https://github.com/libarchive/libarchive/issues/515
> Heap out of bounds read in TAR parser

Use CVE-2015-8924.


> https://github.com/libarchive/libarchive/issues/516
> Unclear invalid memory read in mtree parser

>> Fix escaped newline parsing

Use CVE-2015-8925.


> https://github.com/libarchive/libarchive/issues/518
> Null pointer access in RAR parser

Use CVE-2015-8926.


> https://github.com/libarchive/libarchive/issues/523
> Heap out of bounds read when reading password for malformed ZIP

Use CVE-2015-8927.


> https://github.com/libarchive/libarchive/issues/550
> Heap out of bounds read in mtree parser

Use CVE-2015-8928.


> I also reported a couple of lower severity issues (leaks, hangs,
> undefined behavior issues):

> https://github.com/libarchive/libarchive/issues/517
> Memory leak in TAR parser

Use CVE-2015-8929.


> https://github.com/libarchive/libarchive/issues/522
> Endless loop in ISO parser

Use CVE-2015-8930.


> https://github.com/libarchive/libarchive/issues/539
> Undefined behavior / signed integer overflow in mtree parser

>> We run on a lot of platforms that don't use glibc

Use CVE-2015-8931.


> https://github.com/libarchive/libarchive/issues/540
> Use after free in test suite

This does not have a CVE ID. The vendor response was "Looks like this
is just a bug in the test. The test runs a set of checks twice but
doesn't correctly reset in between." The code change is in the
libarchive/test/test_archive_read_add_passphrase.c file.


> https://github.com/libarchive/libarchive/issues/547
> Undefined behavior / invalid shiftleft in TAR parser

Use CVE-2015-8932.


> https://github.com/libarchive/libarchive/issues/548
> Undefined behavior / signed integer overflow in TAR parser

Use CVE-2015-8933.


> Unfortunately one out of bounds heap read bug in the RAR parser (sample
> file) remained unfixed. I hope a fix will find its way into the next
> version.

> https://github.com/libarchive/libarchive/issues/521

Use CVE-2015-8934.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
