oss-sec mailing list archives

Re: Many invalid memory access issues in libarchive


From: cve-assign () mitre org
Date: Fri, 17 Jun 2016 15:35:19 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html

libarchive version 3.2.0 (released on April 30th) fixed a large number
of memory access bugs that I reported to them a while ago.

https://github.com/libarchive/libarchive/issues/503
Unclear invalid memory read in CPIO parser

hit end-of-file when trying to read a cpio header

Use CVE-2015-8915.


https://github.com/libarchive/libarchive/issues/504
Null pointer access in RAR parser

Use CVE-2015-8916.

There is not a second ID for the "it assumes this is a multivolume
archive" discussion in the
https://github.com/libarchive/libarchive/issues/504#issuecomment-198683221
comment.


https://github.com/libarchive/libarchive/issues/505
Null pointer access in CAB parser

The real problem though is that the filename in the cabinet is set to
0x97. This single character is not a valid utf8 character and
therefore the conversion fails.

Use CVE-2015-8917.


https://github.com/libarchive/libarchive/issues/506
Overlapping memcpy in CAB parser

Use CVE-2015-8918.


https://github.com/libarchive/libarchive/issues/510
Heap out of bounds read in LHA/LZH parser

Use CVE-2015-8919.


https://github.com/libarchive/libarchive/issues/511
Stack out of bounds read in ar parser

Use CVE-2015-8920.


https://github.com/libarchive/libarchive/issues/512
Global out of bounds read in mtree parser

Use CVE-2015-8921.


https://github.com/libarchive/libarchive/issues/513
Null pointer access in 7z parser

Use CVE-2015-8922.


https://github.com/libarchive/libarchive/issues/514
Unclear crashes in ZIP parser

Issue here was reading a size field as a signed number
and then using that as an offset.

Use CVE-2015-8923.


https://github.com/libarchive/libarchive/issues/515
Heap out of bounds read in TAR parser

Use CVE-2015-8924.


https://github.com/libarchive/libarchive/issues/516
Unclear invalid memory read in mtree parser

Fix escaped newline parsing

Use CVE-2015-8925.


https://github.com/libarchive/libarchive/issues/518
Null pointer access in RAR parser

Use CVE-2015-8926.


https://github.com/libarchive/libarchive/issues/523
Heap out of bounds read when reading password for malformed ZIP

Use CVE-2015-8927.


https://github.com/libarchive/libarchive/issues/550
Heap out of bounds read in mtree parser

Use CVE-2015-8928.


I also reported a couple of lower severity issues (leaks, hangs,
undefined behavior issues):

https://github.com/libarchive/libarchive/issues/517
Memory leak in TAR parser

Use CVE-2015-8929.


https://github.com/libarchive/libarchive/issues/522
Endless loop in ISO parser

Use CVE-2015-8930.


https://github.com/libarchive/libarchive/issues/539
Undefined behavior / signed integer overflow in mtree parser

We run on a lot of platforms that don't use glibc

Use CVE-2015-8931.


https://github.com/libarchive/libarchive/issues/540
Use after free in test suite

This does not have a CVE ID. The vendor response was "Looks like this
is just a bug in the test. The test runs a set of checks twice but
doesn't correctly reset in between." The code change is in the
libarchive/test/test_archive_read_add_passphrase.c file.


https://github.com/libarchive/libarchive/issues/547
Undefined behavior / invalid shiftleft in TAR parser

Use CVE-2015-8932.


https://github.com/libarchive/libarchive/issues/548
Undefined behavior / signed integer overflow in TAR parser

Use CVE-2015-8933.


Unfortunately one out of bounds heap read bug in the RAR parser (sample
file) remained unfixed. I hope a fix will find its way into the next
version.

https://github.com/libarchive/libarchive/issues/521

Use CVE-2015-8934.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
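The two integer-handling mistakes named in the list above (the ZIP issue, where a size field was read as a signed number and used as an offset, and the TAR issues, where a numeric field was accumulated with a shift-left and a signed overflow) both come down to the same pattern in an archive parser: a length from untrusted header bytes flows into pointer arithmetic or shift arithmetic without a bounds check. The C below is an added example written for this page; it is not libarchive code and does not reproduce the actual libarchive functions. The record layout (2-byte little-endian id, 2-byte little-endian length, payload), the function names and the sample bytes are all assumptions made for the demonstration.

```c
/* Added example, not libarchive code. Shows a length field read into a signed
 * type and used as a cursor step (the bug class behind the ZIP issue), the
 * hardened unsigned, bounds-checked walker beside it, and a multi-byte numeric
 * field accumulated without undefined shifts or signed overflow (the bug class
 * behind the TAR issues). Record layout and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed record layout: 2-byte LE id, 2-byte LE payload length, payload. */
static uint16_t le16(const unsigned char *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Buggy pattern: the length lands in a signed type and is added to the cursor
 * with no check. Length bytes F0 FF give 0xFFF0, which as int16_t is -16, so
 * the cursor steps backwards out of the buffer. The function only computes the
 * cursor and never dereferences it, so the bug is visible but harmless here. */
static long buggy_next_record(const unsigned char *buf, long pos) {
    int16_t len = (int16_t)le16(buf + pos + 2);
    return pos + 4 + len;
}

/* Hardened walker: unsigned length, every read checked against the bytes that
 * remain. Returns the number of records, or -1 for a malformed buffer. */
static int count_records(const unsigned char *buf, size_t buflen) {
    size_t pos = 0;
    int n = 0;
    while (pos < buflen) {
        if (buflen - pos < 4) return -1;        /* truncated record header */
        uint16_t len = le16(buf + pos + 2);
        pos += 4;
        if (len > buflen - pos) return -1;      /* payload claims more than we have */
        pos += len;
        n++;
    }
    return n;
}

/* Accumulate an n-byte big-endian unsigned field. Shifting a signed value into
 * its sign bit, or overflowing it, is undefined behaviour, so the arithmetic is
 * done in uint64_t and a field that does not fit is rejected rather than
 * silently wrapped. Returns 0 on success, -1 on overflow. */
static int read_be_uint(const unsigned char *p, size_t n, uint64_t *out) {
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        if (acc > (UINT64_MAX >> 8)) return -1; /* next shift would overflow */
        acc = (acc << 8) | p[i];
    }
    *out = acc;
    return 0;
}

/* Constructed samples (not from any real archive). SAMPLE_BAD holds one good
 * record followed by one whose length claims 0xFFF0 (65520) bytes; SAMPLE_GOOD
 * holds two well-formed records. BE3 is a 3-byte field, BE9 a 9-byte field
 * that cannot fit in 64 bits. */
static const unsigned char SAMPLE_BAD[] = {
    0x01, 0x00, 0x03, 0x00, 'a', 'b', 'c',      /* id 1, len 3 */
    0x02, 0x00, 0xF0, 0xFF, 'x'                 /* id 2, len 0xFFF0 */
};
static const unsigned char SAMPLE_GOOD[] = {
    0x01, 0x00, 0x03, 0x00, 'a', 'b', 'c',      /* id 1, len 3 */
    0x02, 0x00, 0x01, 0x00, 'x'                 /* id 2, len 1 */
};
static const unsigned char BE3[] = { 0x01, 0x02, 0x03 };
static const unsigned char BE9[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

/* Scratch output slot so callers can inspect the decoded value. */
static uint64_t decoded_value;

int main(void) {
    printf("buggy cursor after second record: %ld (negative means before the buffer)\n",
           buggy_next_record(SAMPLE_BAD, 7));
    printf("hardened walker on bad input: %d\n", count_records(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("hardened walker on good input: %d\n", count_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("3-byte field: rc=%d value=%llu\n", read_be_uint(BE3, 3, &decoded_value),
           (unsigned long long)decoded_value);
    printf("9-byte field: rc=%d\n", read_be_uint(BE9, 9, &decoded_value));
    return 0;
}
```

The point of the hardened walker is that every comparison is between two size_t values that are both known to be no larger than the buffer, so the check `len > buflen - pos` cannot itself overflow; a check written as `pos + 4 + len > buflen` would be vulnerable to the same wraparound it is trying to prevent. The same idea applies to the base-256 style numeric fields in tar headers: decode into an unsigned type wide enough for the field and treat "does not fit" as a parse error rather than letting the compiler decide what an overflowed shift means.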

