Date: Thu, 23 Jun 2016 15:58:47 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Out of bounds read and signed integer overflow in libarchive

https://blog.fuzzing-project.org/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html
https://groups.google.com/forum/#!topic/libarchive-discuss/sui01WaM3ic

I recently wrote about a large number of bugs and potential security issues in libarchive. The release 3.2.0 missed one fix for an out of bounds read in the RAR parser. Also, I discovered one additional signed integer overflow issue with UBSan. Both issues are now fixed in libarchive 3.2.1. All issues were discovered with the help of american fuzzy lop.

Out of bounds heap read in RAR parser:
https://github.com/libarchive/libarchive/issues/521

Sample RAR file:
http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar

CVE-2015-8934:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934

Signed integer overflow in ISO parser:
https://github.com/libarchive/libarchive/issues/717#event-697151157

Sample ISO file:
https://github.com/libarchive/libarchive/files/321672/libarchive-signed-int-overflow.zip

Also, a couple of other security issues in libarchive were found by Cisco:
http://blog.talosintel.com/2016/06/the-poisoned-archives.html

With the release of version 3.2.1 I consider libarchive to be reasonably robust against fuzzing. I've tested all supported file formats and fuzzed each one with afl/asan for at least one day. Of course, that doesn't mean that no security issues are left - but the easy-to-find ones should be wiped out.

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42