Many invalid memory access issues in libarchive
libarchive version 3.2.0 (released on April 30th) fixed a large number of memory access bugs that I reported to them a while ago. All issues (except the test suite failure) were found with the help of american fuzzy lop and either address sanitizer or undefined behavior sanitizer.
Unclear invalid memory read in CPIO parser (sample file): CVE-2015-8915
Null pointer access in RAR parser (sample file): CVE-2015-8916
Null pointer access in CAB parser (sample file): CVE-2015-8917
Overlapping memcpy in CAB parser (sample file): CVE-2015-8918
Heap out of bounds read in LHA/LZH parser (sample file): CVE-2015-8919
Stack out of bounds read in ar parser (sample file): CVE-2015-8920
Global out of bounds read in mtree parser (sample file): CVE-2015-8921
Null pointer access in 7z parser (sample file): CVE-2015-8922
Unclear crashes in ZIP parser (sample file): CVE-2015-8923
Heap out of bounds read in TAR parser (sample file): CVE-2015-8924
Unclear invalid memory read in mtree parser (sample file): CVE-2015-8925
Null pointer access in RAR parser (sample file): CVE-2015-8926
Heap out of bounds read when reading password for malformed ZIP (sample file): CVE-2015-8927
Heap out of bounds read in mtree parser (sample file): CVE-2015-89208
I also reported a couple of lower severity issues (leaks, hangs, undefined behavior issues):
Memory leak in TAR parser: CVE-2015-8929
Endless loop in ISO parser (sample file): CVE-2015-8930
Undefined behavior / signed integer overflow in mtree parser: CVE-2015-8931
Use after free in test suite
Undefined behavior / invalid shift left in TAR parser (sample file): CVE-2015-8932
Undefined behavior / signed integer overflow in TAR parser (sample file): CVE-2015-8933
Unfortunately one out of bounds heap read bug in the RAR parser (CVE-2015-8934, sample file) remained unfixed. I hope a fix will find its way into the next version. I was interested in making libarchive more robust because once all issues are fixed it can serve as a safer alternative to many low quality command line tools for various archiving formats.
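The two TAR parser entries above (signed integer overflow, invalid shift left) are the kind of bug that hides in the conversion of header numeric fields. The following C program is an added example written for this page, not libarchive code: it parses ustar ASCII octal fields and GNU base-256 binary fields with explicit range checks, so that bytes taken from the archive can never drive a signed multiply or a left shift out of range. The function names are hypothetical and the sample fields are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example (not libarchive code). A ustar header stores numbers as
 * ASCII octal; GNU tar also allows a "base-256" form whose first byte has
 * the high bit set (0x80 positive, 0xFF negative, big-endian two's
 * complement). Both forms come straight from the archive, so the parser
 * must reject values that do not fit the destination type instead of
 * letting `v * 8 + d` or `v << 8` wrap on a signed type, which is
 * undefined behavior. Every function returns 0 on success and -1 when the
 * field is malformed or does not fit in an int64_t.
 */

/* ASCII octal, terminated by NUL, space or end of field; leading spaces are skipped. */
int tar_parse_octal(const char *field, size_t len, int64_t *out)
{
    int64_t v = 0;
    size_t i = 0;

    while (i < len && field[i] == ' ')
        i++;
    for (; i < len && field[i] >= '0' && field[i] <= '7'; i++) {
        int d = field[i] - '0';
        /* Check before multiplying: v * 8 + d must stay <= INT64_MAX. */
        if (v > (INT64_MAX - d) / 8)
            return -1;
        v = v * 8 + d;
    }
    /* Anything other than a terminator after the digits is a malformed field. */
    if (i < len && field[i] != '\0' && field[i] != ' ')
        return -1;
    *out = v;
    return 0;
}

/* GNU base-256: big-endian two's complement, 6 data bits in the first byte. */
int tar_parse_base256(const unsigned char *field, size_t len, int64_t *out)
{
    if (len == 0 || (field[0] & 0x80) == 0)
        return -1;                              /* not a base-256 field */
    int neg = (field[0] & 0x40) != 0;
    /* Sign-extend the 6 data bits into an unsigned accumulator: unsigned
       arithmetic may wrap but is never undefined. */
    uint64_t acc = (uint64_t)(field[0] & 0x3F);
    if (neg)
        acc |= ~(uint64_t)0x3F;
    for (size_t i = 1; i < len; i++) {
        /* The 8 bits about to be shifted out must be pure sign extension,
           otherwise the value needs more than 64 bits. */
        uint64_t top = acc >> 56;
        if (top != (neg ? 0xFFu : 0x00u))
            return -1;
        acc = (acc << 8) | field[i];
    }
    /* The final 64-bit pattern must also be in range for a signed value. */
    if ((int)(acc >> 63) != neg)
        return -1;
    memcpy(out, &acc, sizeof acc);              /* reinterpret as two's complement */
    return 0;
}

/* Pick the encoding from the first byte, as GNU-compatible readers do. */
int tar_parse_number(const char *field, size_t len, int64_t *out)
{
    const unsigned char *u = (const unsigned char *)field;
    if (len > 0 && (u[0] & 0x80))
        return tar_parse_base256(u, len, out);
    return tar_parse_octal(field, len, out);
}

/* Convenience wrapper: INT64_MIN marks a rejected field. */
int64_t tar_number_or_min(const char *field, size_t len)
{
    int64_t v;
    return tar_parse_number(field, len, &v) == 0 ? v : INT64_MIN;
}

int main(void)
{
    /* Constructed sample fields, including the shapes a fuzzer tends to produce. */
    struct { const char *name; const char *field; size_t len; } samples[] = {
        { "octal mode",        "0000644\0",                            8 },
        { "octal 12-char max", "777777777777",                         12 },
        { "octal too wide",    "77777" "77777" "77777" "77777" "77",   22 },
        { "base-256 256",      "\x80\0\0\0\0\0\0\0\0\0\x01\0",         12 },
        { "base-256 -2",       "\xff\xff\xff\xff\xff\xff\xff\xfe",     8 },
        { "base-256 2^80",     "\x80\x01\0\0\0\0\0\0\0\0\0\0",         12 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t v;
        if (tar_parse_number(samples[i].field, samples[i].len, &v) == 0)
            printf("%-18s -> %lld\n", samples[i].name, (long long)v);
        else
            printf("%-18s -> rejected\n", samples[i].name);
    }
    return 0;
}
```

The accumulator is deliberately unsigned and the overflow test runs before each multiply or shift; a sanitizer build (the setup the post describes) will then stay quiet on the oversized inputs, and the caller gets an error code instead of a wrapped size that later drives an out of bounds read.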
Trackbacks
The Fuzzing Project on : Out of bounds read and signed integer overflow in libarchive
I recently wrote about a large number of bugs and potential security issues in libarchive. The release 3.2.0 missed one fix for an out of bounds read in the rar parser. Also I discovered one additional signed integer overflow issue with ubsan. Both issues