Date: Fri, 17 Jun 2016 15:35:19 -0400 (EDT)
Subject: Re: Many invalid memory access issues in libarchive

> libarchive version 3.2.0 (released on April 30th) fixed a large number
> of memory access bugs that I reported to them a while ago.

> Unclear invalid memory read in CPIO parser

>> hit end-of-file when trying to read a cpio header

Use CVE-2015-8915.

> Null pointer access in RAR parser

Use CVE-2015-8916.

There is not a second ID for the "it assumes this is a multivolume
archive" discussion in the

> Null pointer access in CAB parser

>> The real problem though is that the filename in the cabinet is set to
>> 0x97. This single character is not a valid utf8 character and
>> therefore the conversion fails.

Use CVE-2015-8917.

> Overlapping memcpy in CAB parser

Use CVE-2015-8918.

> Heap out of bounds read in LHA/LZH parser

Use CVE-2015-8919.

> Stack out of bounds read in ar parser

Use CVE-2015-8920.

> Global out of bounds read in mtree parser

Use CVE-2015-8921.

> Null pointer access in 7z parser

Use CVE-2015-8922.

> Unclear crashes in ZIP parser

>> Issue here was reading a size field as a signed number
>> and then using that as an offset.

Use CVE-2015-8923.

> Heap out of bounds read in TAR parser

Use CVE-2015-8924.

> Unclear invalid memory read in mtree parser

>> Fix escaped newline parsing

Use CVE-2015-8925.

> Null pointer access in RAR parser

Use CVE-2015-8926.

> Heap out of bounds read when reading password for malformed ZIP

Use CVE-2015-8927.

> Heap out of bounds read in mtree parser

Use CVE-2015-8928.

> I also reported a couple of lower severity issues (leaks, hangs,
> undefined behavior issues):

> Memory leak in TAR parser

Use CVE-2015-8929.

> Endless loop in ISO parser

Use CVE-2015-8930.

> Undefined behavior / signed integer overflow in mtree parser

>> We run on a lot of platforms that don't use glibc

Use CVE-2015-8931.

> Use after free in test suite

This does not have a CVE ID. The vendor response was "Looks like this
is just a bug in the test. The test runs a set of checks twice but
doesn't correctly reset in between." The code change is in the
libarchive/test/test_archive_read_add_passphrase.c file.

> Undefined behavior / invalid shiftleft in TAR parser

Use CVE-2015-8932.

> Undefined behavior / signed integer overflow in TAR parser

Use CVE-2015-8933.

> Unfortunately one out of bounds heap read bug in the RAR parser (sample
> file) remained unfixed. I hope a fix will find its way into the next
> version.

Use CVE-2015-8934.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
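The ZIP-parser entry above (CVE-2015-8923) is described as "reading a size field as a signed number and then using that as an offset". The following is an added illustration of that bug class and of the check that prevents it; it is not libarchive code and the record layout, buffer contents and function names are constructed for the example. A 4-byte little-endian size field is read once into a signed type and used as an offset unchecked, and once into an unsigned type with an overflow-safe bounds check against the buffer length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record format (not any real archive format): a 4-byte
 * little-endian size field followed by that many payload bytes. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the size field is read into a signed 32-bit value and
 * added to the current position without any check. A field of 0xFFFFFFF0
 * becomes -16, so the computed "next record" offset moves backwards into
 * data already parsed, or before the start of the buffer. This function
 * only computes the offset; it never dereferences it. */
long next_record_unsafe(const unsigned char *buf, size_t pos)
{
    int32_t size = (int32_t)le32(buf + pos); /* may be negative */
    return (long)pos + 4 + size;
}

/* Hardened pattern: read the field as unsigned and compare it with the
 * number of bytes actually remaining after the header. Every subtraction is
 * guarded so the arithmetic cannot wrap. Returns 0 and sets *next on
 * success, -1 on a truncated or malformed record. */
int next_record_safe(const unsigned char *buf, size_t len, size_t pos,
                     size_t *next)
{
    if (pos > len || len - pos < 4)
        return -1;                      /* header itself is truncated */
    uint32_t size = le32(buf + pos);
    size_t avail = len - pos - 4;       /* payload bytes actually present */
    if (size > avail)
        return -1;                      /* size field lies about the payload */
    *next = pos + 4 + size;             /* cannot exceed len */
    return 0;
}

/* Walks all records with the hardened helper. Returns 0 if the buffer ends
 * exactly on a record boundary, -1 if a malformed record stops the walk;
 * *count receives the number of records parsed before that point. */
int count_records(const unsigned char *buf, size_t len, size_t *count)
{
    size_t pos = 0;
    *count = 0;
    while (pos < len) {
        size_t next;
        if (next_record_safe(buf, len, pos, &next) != 0)
            return -1;
        pos = next;
        (*count)++;
    }
    return 0;
}

/* Constructed input: two well-formed records ("abc", "xy") followed by a
 * header whose size field is 0xFFFFFFF0 (-16 if misread as signed). */
const unsigned char sample_buf[17] = {
    0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c',
    0x02, 0x00, 0x00, 0x00, 'x', 'y',
    0xF0, 0xFF, 0xFF, 0xFF
};

int main(void)
{
    size_t n, next;
    printf("unsafe offset after record at 13: %ld\n",
           next_record_unsafe(sample_buf, 13));          /* 1: goes backwards */
    printf("safe parse at 13: %d\n",
           next_record_safe(sample_buf, sizeof sample_buf, 13, &next));
    printf("walk: rc=%d records=%zu\n",
           count_records(sample_buf, sizeof sample_buf, &n), n);
    return 0;
}
```

The important detail is in next_record_safe: the comparison is against the bytes remaining after the header, not against the total length, and the subtraction is only performed once pos and len have been shown to be in the right order. That is what keeps a hostile size field from steering the parser outside the buffer.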

