oss-sec mailing list archives
Out of bounds read and signed integer overflow in libarchive
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 23 Jun 2016 15:58:47 +0200
https://blog.fuzzing-project.org/48-Out-of-bounds-read-and-signed-integer-overflow-in-libarchive.html
https://groups.google.com/forum/#!topic/libarchive-discuss/sui01WaM3ic

I recently wrote about a large number of bugs and potential security issues in libarchive. The release 3.2.0 missed one fix for an out of bounds read in the rar parser. Also I discovered one additional signed integer overflow issue with ubsan. Both issues are now fixed in libarchive 3.2.1.

All issues were discovered with the help of american fuzzy lop.

https://github.com/libarchive/libarchive/issues/521
Out of bounds heap read in RAR parser
http://libarchive.github.io/google-code/issue-413/comment-0/bsdtar-invalid-read.rar
Sample rar file
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934
CVE-2015-8934

https://github.com/libarchive/libarchive/issues/717#event-697151157
Signed integer overflow in ISO parser
https://github.com/libarchive/libarchive/files/321672/libarchive-signed-int-overflow.zip
Sample ISO file

http://blog.talosintel.com/2016/06/the-poisoned-archives.html
Also a couple of other security issues in libarchive were found by Cisco.

With the release of version 3.2.1 I consider libarchive to be reasonably robust against fuzzing. I've tested all supported file formats and fuzzed each one with afl/asan for at least one day. Of course that doesn't mean that no security issues are left - but the easy-to-find ones should be wiped out.

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42