Date: Mon, 19 Sep 2016 12:59:40 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: Libarchive/bsdtar: multiple crashes

On Thursday 15 September 2016 17:52:52 Agostino Sarubbo wrote:
> Hello all.
>
> I'd like to make people aware of the following crashes in libarchive/bsdtar
> found by fuzzing (all issues are public on github):
>
> The most dangerous, an out of bounds stack write (which is also fixed
> upstream):
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer
> -overflow-in-bsdtar_expand_char-util-c/
>
>
> The following are buffer over read of 1 (all are unfixed upstream ATM):
>
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-
> overflow-in-detect_form-archive_read_support_format_mtree-c/
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer
> -overflow-in-read_header-archive_read_support_format_7zip-c/
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruption
> unknown-crash-in-bid_entry-archive_read_support_format_mtree-c/
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer
> -overflow-in-bid_entry-archive_read_support_format_mtree-c/
>
> As stated in the posts, the two latest bugs could be the same, but I didn't
> have an upstream response about, so I posted both stacktraces to better
> track the issues.
>
>
> The following are use-after-free (all are unfixed upstream ATM):
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-
> bid_entry-archive_read_support_format_mtree-c/
> https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in
> -detect_form-archive_read_support_format_mtree-c/
>
> As stated in the posts, they could be the same.
> I didn't have an upstream response too for those.

All issues mentioned in the previous posts are now fixed in git.
I updated all posts with the git commit.

--
Agostino