Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Jun 2016 14:51:46 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Many invalid memory access issues in libarchive

https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html

libarchive version 3.2.0 (released on April 30th) fixed a large number
of memory access bugs that I reported to them a while ago.

https://github.com/libarchive/libarchive/issues/503
Unclear invalid memory read in CPIO parser
http://libarchive.github.io/google-code/issue-395/comment-0/crash.cpio
Sample file

https://github.com/libarchive/libarchive/issues/504
Null pointer access in RAR parser
http://libarchive.github.io/google-code/issue-396/comment-0/crash.rar
Sample file

https://github.com/libarchive/libarchive/issues/505
Null pointer access in CAB parser
http://libarchive.github.io/google-code/issue-397/comment-0/segf.cab
Sample file

https://github.com/libarchive/libarchive/issues/506
Overlapping memcpy in CAB parser
http://libarchive.github.io/google-code/issue-398/comment-0/memcpy.cab
Sample file

https://github.com/libarchive/libarchive/issues/510
Heap out of bounds read in LHA/LZH parser
http://libarchive.github.io/google-code/issue-402/comment-0/bsdtar-invalid-read.lzh
Sample file

https://github.com/libarchive/libarchive/issues/511
Stack out of bounds read in ar parser
http://libarchive.github.io/google-code/issue-403/comment-0/bsdtar-invalid-read-stack.a
Sample file

https://github.com/libarchive/libarchive/issues/512
Global out of bounds read in mtree parser
http://libarchive.github.io/google-code/issue-404/comment-0/invalid-read-overflow.mtree
Sample file

https://github.com/libarchive/libarchive/issues/513
Null pointe access in 7z parser
http://libarchive.github.io/google-code/issue-405/comment-0/bsdtar-null-ptr.7z
Sample file

https://github.com/libarchive/libarchive/issues/514
Unclear crashes in ZIP parser
http://libarchive.github.io/google-code/issue-406/comment-0/bsdtar-zip-crash-variant1.zip
Sample file

https://github.com/libarchive/libarchive/issues/515
Heap out of bounds read in TAR parser
http://libarchive.github.io/google-code/issue-407/comment-0/tar-heap-overflow.tar
Sample file

https://github.com/libarchive/libarchive/issues/516
Unclear invalid memory read in mtree parser
http://libarchive.github.io/google-code/issue-408/comment-0/read_mtree.mtree
Sample file

https://github.com/libarchive/libarchive/issues/518
Null pointer access in RAR parser
http://libarchive.github.io/google-code/issue-410/comment-0/segfault.rar
Sample file

https://github.com/libarchive/libarchive/issues/523
Heap out of bounds heap read read when reading password for malformed
ZIP
http://libarchive.github.io/google-code/issue-415/comment-0/pwcrash.zip
Sample file

https://github.com/libarchive/libarchive/issues/550
Heap out of bounds read in mtree parser
https://crashes.fuzzing-project.org/libarchive-oob-process_add_entry.mtree
Sample file

I also reported a couple of lower severity issues (leaks, hangs,
undefined behavior issues):

https://github.com/libarchive/libarchive/issues/517
Memory leak in TAR parser

https://github.com/libarchive/libarchive/issues/522
Endless loop in ISO parser
http://libarchive.github.io/google-code/issue-414/comment-0/hang.iso
Sample file

https://github.com/libarchive/libarchive/issues/539
Undefined behavior / signed integer overflow in mtree parser

https://github.com/libarchive/libarchive/issues/540
Use after free in test suite

https://github.com/libarchive/libarchive/issues/547
Undefined behavior / invalid shiftleft in TAR parser
https://crashes.fuzzing-project.org/libarchive-undefined-shiftleft
Sample file

https://github.com/libarchive/libarchive/issues/548
Undefined behavior / signed integer overflow in TAR parser
https://crashes.fuzzing-project.org/libarchive-undefined-signed-overflow.tar
Sample file

Unfortunately one out of bounds heap read bug in the RAR parser (sample
file) remained unfixed. I hope a fix will find its way into the next
version. I was interested in making libarchive more robust because once
all issues are fixed it can serve as a safer alternative to many low
quality command line tools for various archiving formats.
https://github.com/libarchive/libarchive/issues/521
http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.