Many invalid memory access issues in libarchive

libarchive version 3.2.0 (released on April 30th) fixed a large number of memory access bugs that I reported to them a while ago. All issues (except the test suite failure) were found with the help of american fuzzy lop and either address sanitizer or undefined behavior sanitizer.

Unclear invalid memory read in CPIO parser
Sample file
CVE-2015-8915

Null pointer access in RAR parser
Sample file
CVE-2015-8916

Null pointer access in CAB parser
Sample file
CVE-2015-8917

Overlapping memcpy in CAB parser
Sample file
CVE-2015-8918

Heap out of bounds read in LHA/LZH parser
Sample file
CVE-2015-8919

Stack out of bounds read in ar parser
Sample file
CVE-2015-8920

Global out of bounds read in mtree parser
Sample file
CVE-2015-8921

Null pointer access in 7z parser
Sample file
CVE-2015-8922

Unclear crashes in ZIP parser
Sample file
CVE-2015-8923

Heap out of bounds read in TAR parser
Sample file
CVE-2015-8924

Unclear invalid memory read in mtree parser
Sample file
CVE-2015-8925

Null pointer access in RAR parser
Sample file
CVE-2015-8926

Heap out of bounds read when reading password for malformed ZIP
Sample file
CVE-2015-8927

Heap out of bounds read in mtree parser
Sample file
CVE-2015-8928

I also reported a couple of lower severity issues (leaks, hangs, undefined behavior issues):

Memory leak in TAR parser
CVE-2015-8929

Endless loop in ISO parser
Sample file
CVE-2015-8930

Undefined behavior / signed integer overflow in mtree parser
CVE-2015-8931

Use after free in test suite

Undefined behavior / invalid shiftleft in TAR parser
Sample file
CVE-2015-8932

Undefined behavior / signed integer overflow in TAR parser
Sample file
CVE-2015-8933

Unfortunately one out of bounds heap read bug in the RAR parser (CVE-2015-8934, sample file) remained unfixed. I hope a fix will find its way into the next version. I was interested in making libarchive more robust because once all issues are fixed it can serve as a safer alternative to many low quality command line tools for various archiving formats.

Trackbacks

The Fuzzing Project on : Out of bounds read and signed integer overflow in libarchive

I recently wrote about a large number of bugs and potential security issues in libarchive. The release 3.2.0 missed one fix for an out of bounds read in the rar parser. Also I discovered one additional signed integer overflow issue with ubsan. Both issues
