oss-sec mailing list archives
Re: Libarchive/bsdtar: multiple crashes
From: Gulshan Singh <gsingh2011 () gmail com>
Date: Fri, 16 Sep 2016 02:15:59 +0000
I dug into https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c/, which I had reported here earlier (thanks for the mention): https://github.com/libarchive/libarchive/issues/747 After digging into the bug, it seemed it wasn't exploitable, and could only lead to a crash, so I decided to not send it out to the list and request a CVE. On Thu, Sep 15, 2016 at 8:54 AM Agostino Sarubbo <ago () gentoo org> wrote:
Hello all. I'd like to make people aware of the following crashes in libarchive/bsdtar found by fuzzing (all issues are public on github): The most dangerous, an out of bounds stack write (which is also fixed upstream): https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c/ The following are buffer over read of 1 (all are unfixed upstream ATM): https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-detect_form-archive_read_support_format_mtree-c/ https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-read_header-archive_read_support_format_7zip-c/ https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c/ https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c/ As stated in the posts, the two latest bug could be the same, but I didn't have an upstream response about, so I posted both stacktrace to better track the issues. The following are use-after-free (all are unfixed upstream ATM): https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-bid_entry-archive_read_support_format_mtree-c/ https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-detect_form-archive_read_support_format_mtree-c/ As stated in the posts, they could be the same. I didn't have an upstream response too for those. Agostino
Current thread:
- Libarchive/bsdtar: multiple crashes Agostino Sarubbo (Sep 15)
- Re: Libarchive/bsdtar: multiple crashes Gulshan Singh (Sep 15)
- Re: Libarchive/bsdtar: multiple crashes Agostino Sarubbo (Sep 19)