Date: Thu, 23 Jun 2016 15:58:47 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Out of bounds read and signed integer overflow in libarchive

https://blog.fuzzing-project.org/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html

https://groups.google.com/forum/#!topic/libarchive-discuss/sui01WaM3ic
I recently wrote about a large number of bugs and potential security
issues in libarchive. The release 3.2.0 missed one fix for an out of
bounds read in the rar parser. Also I discovered one additional signed
integer overflow issue with ubsan. Both issues are now fixed in
libarchive 3.2.1. All issues were discovered with the help of american
fuzzy lop.

https://github.com/libarchive/libarchive/issues/521
Out of bounds heap read in RAR parser
http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar
Sample rar file
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
CVE-2015-8934

https://github.com/libarchive/libarchive/issues/717#event-697151157
Signed integer overflow in ISO parser
https://github.com/libarchive/libarchive/files/321672/libarchive-signed-int-overflow.zip
Sample ISO file

http://blog.talosintel.com/2016/06/the-poisoned-archives.html
Also a couple of other security issues in libarchive were found by
Cisco.

With the release of version 3.2.1 I consider libarchive to be
reasonably robust against fuzzing. I've tested all supported file
formats and fuzzed each one with afl/asan for at least one day. Of
course, that doesn't mean that no security issues are left, but the
easy-to-find ones should be wiped out.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
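As an added illustration of the two bug classes named in the subject line (this is not libarchive code and does not reproduce the RAR or ISO bugs the post refers to): a toy chunk parser whose two signed 32-bit length fields are summed in int32_t, shown in its unchecked form beside a checked form. The chunk layout, the CHUNK_* status codes, the helper names and the sample bytes are all constructed for this example; __builtin_add_overflow is the GCC/Clang builtin.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy chunk layout (constructed for this example, not a real archive format):
 *   int32 hdr_len   little-endian, offset of the payload from chunk start
 *   int32 data_len  little-endian, payload length
 *   payload         data_len bytes
 */
#define HDR_SIZE 8

enum { CHUNK_OK = 0, CHUNK_TRUNCATED = 1, CHUNK_BAD_LENGTH = 2 };

static int32_t rd_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

static void wr_le32(uint8_t *p, int32_t v)
{
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u;         p[1] = (uint8_t)(u >> 8);
    p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}

/* Bug shape: the two signed fields are summed in int32_t, so a pair such as
 * 0x7FFFFFF0 + 0x10 wraps (undefined behaviour, which UBSan's
 * -fsanitize=signed-integer-overflow reports), the wrapped negative total
 * passes the size check, and memcpy then reads far past buf (which ASan
 * reports as an out-of-bounds read). Kept only for contrast: do not feed it
 * crafted lengths without sanitizers. */
static int parse_chunk_unchecked(const uint8_t *buf, size_t buf_len,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (buf_len < HDR_SIZE) return CHUNK_TRUNCATED;
    int32_t hdr_len  = rd_le32(buf);
    int32_t data_len = rd_le32(buf + 4);
    int32_t total = hdr_len + data_len;            /* may overflow */
    if (total > (int32_t)buf_len) return CHUNK_TRUNCATED;
    if ((size_t)data_len > out_cap) return CHUNK_BAD_LENGTH;
    memcpy(out, buf + hdr_len, (size_t)data_len);  /* out-of-bounds read */
    *out_len = (size_t)data_len;
    return CHUNK_OK;
}

/* Hardened form: reject negative lengths, add with overflow detection, and
 * compare against what is actually buffered. */
static int parse_chunk_checked(const uint8_t *buf, size_t buf_len,
                               uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (buf_len < HDR_SIZE) return CHUNK_TRUNCATED;
    int32_t hdr_len  = rd_le32(buf);
    int32_t data_len = rd_le32(buf + 4);
    if (hdr_len < HDR_SIZE || data_len < 0) return CHUNK_BAD_LENGTH;
    int32_t total;
    if (__builtin_add_overflow(hdr_len, data_len, &total)) return CHUNK_BAD_LENGTH;
    if ((size_t)total > buf_len) return CHUNK_TRUNCATED;
    if ((size_t)data_len > out_cap) return CHUNK_BAD_LENGTH;
    memcpy(out, buf + hdr_len, (size_t)data_len);
    *out_len = (size_t)data_len;
    return CHUNK_OK;
}

/* Constructed input 1: well-formed chunk carrying "hello". Returns CHUNK_OK
 * only if the checked parser also produced the right payload. */
static int demo_valid(void)
{
    uint8_t buf[HDR_SIZE + 5], out[16];
    size_t n = 0;
    wr_le32(buf, HDR_SIZE);
    wr_le32(buf + 4, 5);
    memcpy(buf + HDR_SIZE, "hello", 5);
    int rc = parse_chunk_checked(buf, sizeof buf, out, sizeof out, &n);
    if (rc != CHUNK_OK || n != 5 || memcmp(out, "hello", 5) != 0) return -1;
    return rc;
}

/* Constructed input 2: hdr_len + data_len = 0x80000000, past INT32_MAX. */
static int demo_overflow(void)
{
    uint8_t buf[HDR_SIZE + 16] = {0}, out[16];
    size_t n = 0;
    wr_le32(buf, INT32_MAX - 15);   /* 0x7FFFFFF0 */
    wr_le32(buf + 4, 16);
    return parse_chunk_checked(buf, sizeof buf, out, sizeof out, &n);
}

/* Constructed input 3: lengths are sane but the buffer is cut short. */
static int demo_truncated(void)
{
    uint8_t buf[HDR_SIZE + 4] = {0}, out[64];
    size_t n = 0;
    wr_le32(buf, HDR_SIZE);
    wr_le32(buf + 4, 40);           /* claims 40 bytes, only 4 present */
    return parse_chunk_checked(buf, sizeof buf, out, sizeof out, &n);
}

int main(void)
{
    printf("valid:     %d (expect %d)\n", demo_valid(), CHUNK_OK);
    printf("overflow:  %d (expect %d)\n", demo_overflow(), CHUNK_BAD_LENGTH);
    printf("truncated: %d (expect %d)\n", demo_truncated(), CHUNK_TRUNCATED);
    /* The unchecked parser agrees on well-formed input; the difference only
     * shows on crafted lengths when built with -fsanitize=address,undefined. */
    uint8_t buf[HDR_SIZE + 5], out[16];
    size_t n = 0;
    wr_le32(buf, HDR_SIZE); wr_le32(buf + 4, 5); memcpy(buf + HDR_SIZE, "hello", 5);
    printf("unchecked on valid input: %d\n",
           parse_chunk_unchecked(buf, sizeof buf, out, sizeof out, &n));
    return 0;
}
```

The three checks in the hardened parser map onto what the two sanitizers catch in an afl run: the sign test and __builtin_add_overflow close the UBSan finding before the total is used, and the comparison against buf_len closes the ASan finding before memcpy touches memory beyond the buffer.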
