oss-sec mailing list archives

Out of bounds read and signed integer overflow in libarchive


From: Hanno Böck <hanno () hboeck de>
Date: Thu, 23 Jun 2016 15:58:47 +0200

https://blog.fuzzing-project.org/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html

https://groups.google.com/forum/#!topic/libarchive-discuss/sui01WaM3ic

I recently wrote about a large number of bugs and potential security
issues in libarchive. The release 3.2.0 missed one fix for an
out-of-bounds read in the rar parser. Also, I discovered one additional
signed integer overflow issue with ubsan. Both issues are now fixed in
libarchive 3.2.1. All issues were discovered with the help of american
fuzzy lop.

https://github.com/libarchive/libarchive/issues/521
Out of bounds heap read in RAR parser
http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar
Sample rar file
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
CVE-2015-8934

https://github.com/libarchive/libarchive/issues/717#event-697151157
Signed integer overflow in ISO parser
https://github.com/libarchive/libarchive/files/321672/libarchive-signed-int-overflow.zip
Sample ISO file

http://blog.talosintel.com/2016/06/the-poisoned-archives.html
Also a couple of other security issues in libarchive were found by
Cisco.

With the release of version 3.2.1 I consider libarchive to be
reasonably robust against fuzzing. I've tested all supported file
formats and fuzzed each one with afl/asan for at least one day. Of
course that doesn't mean that no security issues are left - but the
easy-to-find ones should be wiped out.
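The two bug classes named above (a signed integer overflow in size arithmetic and an out-of-bounds read in a parser) usually share one root cause: untrusted header fields multiplied and added in plain int before the bounds test. The following is an added example, not libarchive's code and not the RAR or ISO parser; it uses a constructed, hypothetical "directory table" format (a count field, an entry-size field, then entries) with constructed sample bytes, and shows the unchecked computation next to a version that uses the GCC/Clang __builtin_mul_overflow check and a wrap-safe bounds comparison. It is written so that -fsanitize=undefined,address stays quiet on the checked path:

```c
/* Added example (not libarchive code): parsing a constructed, hypothetical
 * table format whose header is two 32-bit little-endian fields:
 *   offset 0: entry_count
 *   offset 4: entry_size
 *   offset 8: entries follow
 * The point is the arithmetic on those untrusted fields, not the format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 8

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Overflow-prone version: count * esize is evaluated in signed int. For
 * large header values the product overflows (undefined behaviour, which is
 * exactly what ubsan's -fsanitize=signed-integer-overflow reports), the
 * wrapped total can pass the "fits in buffer" test, and the loop then reads
 * past the end of buf (what asan reports as a heap out-of-bounds read).
 * Only safe to call on well-formed input; kept here for comparison. */
int sum_entries_unchecked(const uint8_t *buf, size_t len) {
    int count = (int)rd32le(buf);
    int esize = (int)rd32le(buf + 4);
    int total = count * esize;                  /* may overflow */
    if (HDR_LEN + total > (int)len) return -1;  /* wrapped total slips by */
    int sum = 0;
    for (int i = 0; i < count; i++)
        sum += buf[HDR_LEN + i * esize];        /* first byte of each entry */
    return sum;
}

/* Checked version: the product is computed in size_t with an explicit
 * overflow test, a zero entry size is rejected (it would make "total" 0
 * while the loop still dereferences), and the bounds test is written as
 * total > len - HDR_LEN so the comparison itself cannot wrap. Returns false
 * for any header that describes more data than the buffer holds. */
bool sum_entries_checked(const uint8_t *buf, size_t len, uint32_t *sum_out) {
    if (buf == NULL || len < HDR_LEN) return false;
    uint32_t count = rd32le(buf);
    uint32_t esize = rd32le(buf + 4);
    if (esize == 0) return false;
    size_t total;
    if (__builtin_mul_overflow((size_t)count, (size_t)esize, &total))
        return false;                           /* product does not fit size_t */
    if (total > len - HDR_LEN) return false;    /* would read past the buffer */
    uint32_t sum = 0;
    for (uint32_t i = 0; i < count; i++)
        sum += buf[HDR_LEN + (size_t)i * esize];
    *sum_out = sum;
    return true;
}

/* Constructed sample inputs (not the sample files from the report). */
bool demo(void) {
    /* 3 entries of 2 bytes; first bytes 0x10, 0x20, 0x30 -> sum 0x60 */
    const uint8_t good[] = {3,0,0,0, 2,0,0,0, 0x10,0xAA, 0x20,0xBB, 0x30,0xCC};
    /* count = esize = 0xFFFFFFFF: the int product wraps; must be rejected */
    const uint8_t bad[]  = {0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0};
    uint32_t s = 0;
    bool ok_good = sum_entries_checked(good, sizeof good, &s) && s == 0x60
                   && sum_entries_unchecked(good, sizeof good) == 0x60;
    bool ok_bad  = !sum_entries_checked(bad, sizeof bad, &s);
    return ok_good && ok_bad;
}

int main(void) {
    printf("checked parser behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

Build with `cc -O1 -fsanitize=undefined,address` and only the checked function is exercised on the malformed header; the unchecked one is deliberately never fed the bad sample, since on that input it would be the bug under discussion rather than a demonstration of the fix.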


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
