Date: Thu, 23 Jun 2016 15:58:47 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Out of bounds read and signed integer overflow in libarchive

https://blog.fuzzing-project.org/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html
https://groups.google.com/forum/#!topic/libarchive-discuss/sui01WaM3ic

I recently wrote about a large number of bugs and potential security issues in libarchive. The release 3.2.0 missed one fix for an out of bounds read in the rar parser. Also I discovered one additional signed integer overflow issue with ubsan. Both issues are now fixed in libarchive 3.2.1.

All issues were discovered with the help of american fuzzy lop.

https://github.com/libarchive/libarchive/issues/521
Out of bounds heap read in RAR parser

http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar
Sample rar file

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
CVE-2015-8934

https://github.com/libarchive/libarchive/issues/717#event-697151157
Signed integer overflow in ISO parser

https://github.com/libarchive/libarchive/files/321672/libarchive-signed-int-overflow.zip
Sample ISO file

http://blog.talosintel.com/2016/06/the-poisoned-archives.html
Also a couple of other security issues in libarchive were found by Cisco.

With the release of version 3.2.1 I consider libarchive to be reasonably robust against fuzzing. I've tested all supported file formats and fuzzed each one with afl/asan for at least one day. Of course that doesn't mean that no security issues are left - but the easy-to-find ones should be wiped out.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42