oss-sec mailing list archives
Re: Many invalid memory access issues in libarchive
From: cve-assign () mitre org
Date: Fri, 17 Jun 2016 15:35:19 -0400 (EDT)
https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html
libarchive version 3.2.0 (released on April 30th) fixed a large number of memory access bugs that I reported to them a while ago.
https://github.com/libarchive/libarchive/issues/503 Unclear invalid memory read in CPIO parser
hit end-of-file when trying to read a cpio header
Use CVE-2015-8915.
https://github.com/libarchive/libarchive/issues/504 Null pointer access in RAR parser
Use CVE-2015-8916. There is not a second ID for the "it assumes this is a multivolume archive" discussion in the https://github.com/libarchive/libarchive/issues/504#issuecomment-198683221 comment.
https://github.com/libarchive/libarchive/issues/505 Null pointer access in CAB parser
The real problem though is that the filename in the cabinet is set to 0x97. This single character is not a valid utf8 character and therefore the conversion fails.
Use CVE-2015-8917.
https://github.com/libarchive/libarchive/issues/506 Overlapping memcpy in CAB parser
Use CVE-2015-8918.
https://github.com/libarchive/libarchive/issues/510 Heap out of bounds read in LHA/LZH parser
Use CVE-2015-8919.
https://github.com/libarchive/libarchive/issues/511 Stack out of bounds read in ar parser
Use CVE-2015-8920.
https://github.com/libarchive/libarchive/issues/512 Global out of bounds read in mtree parser
Use CVE-2015-8921.
https://github.com/libarchive/libarchive/issues/513 Null pointer access in 7z parser
Use CVE-2015-8922.
https://github.com/libarchive/libarchive/issues/514 Unclear crashes in ZIP parser
Issue here was reading a size field as a signed number and then using that as an offset.
Use CVE-2015-8923.
https://github.com/libarchive/libarchive/issues/515 Heap out of bounds read in TAR parser
Use CVE-2015-8924.
https://github.com/libarchive/libarchive/issues/516 Unclear invalid memory read in mtree parser
Fix escaped newline parsing
Use CVE-2015-8925.
https://github.com/libarchive/libarchive/issues/518 Null pointer access in RAR parser
Use CVE-2015-8926.
https://github.com/libarchive/libarchive/issues/523 Heap out of bounds read when reading password for malformed ZIP
Use CVE-2015-8927.
https://github.com/libarchive/libarchive/issues/550 Heap out of bounds read in mtree parser
Use CVE-2015-8928.
I also reported a couple of lower severity issues (leaks, hangs, undefined behavior issues):
https://github.com/libarchive/libarchive/issues/517 Memory leak in TAR parser
Use CVE-2015-8929.
https://github.com/libarchive/libarchive/issues/522 Endless loop in ISO parser
Use CVE-2015-8930.
https://github.com/libarchive/libarchive/issues/539 Undefined behavior / signed integer overflow in mtree parser
We run on a lot of platforms that don't use glibc
Use CVE-2015-8931.
https://github.com/libarchive/libarchive/issues/540 Use after free in test suite
This does not have a CVE ID. The vendor response was "Looks like this is just a bug in the test. The test runs a set of checks twice but doesn't correctly reset in between." The code change is in the libarchive/test/test_archive_read_add_passphrase.c file.
https://github.com/libarchive/libarchive/issues/547 Undefined behavior / invalid shiftleft in TAR parser
Use CVE-2015-8932.
https://github.com/libarchive/libarchive/issues/548 Undefined behavior / signed integer overflow in TAR parser
Use CVE-2015-8933.
Unfortunately one out of bounds heap read bug in the RAR parser (sample file) remained unfixed. I hope a fix will find its way into the next version.
https://github.com/libarchive/libarchive/issues/521
Use CVE-2015-8934.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
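The signed-size pattern behind issue 514, as an added example that is not libarchive's code: a generic record with a 2-byte little-endian size field (an assumed layout; the page does not say which field or width was involved), decoded the pre-fix way beside a bounds-checked decode. The hardened version also rejects a positive size that merely exceeds the remaining bytes, which a sign check alone would miss.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed samples: 8-byte records whose first two bytes are a
 * little-endian size field followed by payload bytes.                  */
static const unsigned char kOversizedRecord[8] = {0xF0, 0xFF, 1, 2, 3, 4, 5, 6}; /* size 0xFFF0 */
static const unsigned char kTooLongRecord[8]   = {0x07, 0x00, 1, 2, 3, 4, 5, 6}; /* size 7, only 6 left */
static const unsigned char kValidRecord[8]     = {0x04, 0x00, 1, 2, 3, 4, 5, 6}; /* size 4, fits */

/* Pre-fix pattern described for issue 514: the 16-bit field is decoded as a
 * signed value, so 0xFFF0 becomes -16 and "buf + size" would point before
 * the buffer. Only the arithmetic is shown; nothing is dereferenced.     */
long signed_size_offset(const unsigned char *field)
{
    unsigned raw = field[0] | ((unsigned)field[1] << 8);
    /* explicit two's-complement decode of a 16-bit signed field */
    long size = raw >= 0x8000u ? (long)raw - 0x10000L : (long)raw;
    return size;                           /* -16 for kOversizedRecord */
}

/* Hardened version: decode the field as unsigned and compare it with the
 * bytes actually remaining before advancing. Returns the offset of the
 * next record, or -1 if the size field or its payload does not fit.     */
long next_record_offset(const unsigned char *buf, size_t buflen, size_t pos)
{
    if (pos > buflen || buflen - pos < 2)
        return -1;                         /* no room for the size field */
    uint16_t size = (uint16_t)(buf[pos] | ((unsigned)buf[pos + 1] << 8));
    size_t remaining = buflen - pos - 2;   /* bytes after the size field */
    if (size > remaining)
        return -1;                         /* payload would run past the buffer */
    return (long)(pos + 2 + size);
}
```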
Current thread:
- Many invalid memory access issues in libarchive Hanno Böck (Jun 17)
- Re: Many invalid memory access issues in libarchive cve-assign (Jun 17)