libarchive: CVE-2017-14503: out-of-bounds read in lha_read_data_none()

Related Vulnerabilities: CVE-2017-14503, CVE-2017-14502

Debian Bug report logs - #875960


Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Sat, 16 Sep 2017 15:09:01 UTC

Severity: normal

Tags: security, upstream

Found in versions libarchive/3.1.2-11, libarchive/3.2.2-3.1

Fixed in version libarchive/3.2.2-4.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/libarchive/libarchive/issues/948



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Peter Pentchev <roam@ringlet.net>:
Bug#875960; Package libarchive13. (Sat, 16 Sep 2017 15:09:03 GMT).


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: submit@bugs.debian.org
Subject: libarchive13: out-of-bounds read in lha_read_data_none()
Date: Sat, 16 Sep 2017 16:54:39 +0200
Package: libarchive13
Version: 3.2.2-3.1

bsdtar crashes on the attached LHA file:

  $ bsdtar -xOf oob.lha
  Segmentation fault

Valgrind says it's an out-of-bounds read when computing CRC:

  Invalid read of size 2
     at 0x4894AA6: lha_crc16.part.6 (archive_read_support_format_lha.c:1739)
     by 0x4897727: lha_crc16 (archive_read_support_format_lha.c:1701)
     by 0x4897727: lha_read_data_none (archive_read_support_format_lha.c:1429)
     by 0x4897727: archive_read_format_lha_read_data (archive_read_support_format_lha.c:1390)
     by 0x4875B8C: archive_read_data_into_fd (archive_read_data_into_fd.c:101)
     by 0x10D5BB: read_archive (read.c:369)
     by 0x10DCAC: tar_mode_x (read.c:112)
     by 0x10C2BB: main (bsdtar.c:809)
   Address 0x6ca56ce is 6 bytes after a block of size 65,536 alloc'd
     at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
     by 0x487ABEC: file_open (archive_read_open_filename.c:358)
     by 0x4874DE9: archive_read_open1 (archive_read.c:479)
     by 0x487B0F6: archive_read_open_filenames (archive_read_open_filename.c:152)
     by 0x487B18C: archive_read_open_filename (archive_read_open_filename.c:109)
     by 0x10D321: read_archive (read.c:223)
     by 0x10DCAC: tar_mode_x (read.c:112)
     by 0x10C2BB: main (bsdtar.c:809)

  Process terminating with default action of signal 11 (SIGSEGV)
   Access not within mapped region at address 0x73B4000
     at 0x4894ABC: lha_crc16.part.6 (archive_read_support_format_lha.c:1740)
     by 0x4897727: lha_crc16 (archive_read_support_format_lha.c:1701)
     by 0x4897727: lha_read_data_none (archive_read_support_format_lha.c:1429)
     by 0x4897727: archive_read_format_lha_read_data (archive_read_support_format_lha.c:1390)
     by 0x4875B8C: archive_read_data_into_fd (archive_read_data_into_fd.c:101)
     by 0x10D5BB: read_archive (read.c:369)
     by 0x10DCAC: tar_mode_x (read.c:112)
     by 0x10C2BB: main (bsdtar.c:809)

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libarchive13 depends on:
ii  libacl1     2.2.52-3+b1
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-17
ii  liblz4-1    0.0~r131-2+b1
ii  liblzma5    5.2.2-1.3
ii  liblzo2-2   2.08-1.2+b2
ii  libnettle6  3.3-2
ii  libxml2     2.9.4+dfsg1-4
ii  zlib1g      1:1.2.8.dfsg-5

-- 
Jakub Wilk
[oob.lha (application/x-lha, attachment)]

Bug reassigned from package 'libarchive13' to 'src:libarchive'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 18:45:08 GMT).


No longer marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 18:45:09 GMT).


Marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 18:45:09 GMT).


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 18:45:10 GMT).


Set Bug forwarded-to-address to 'https://github.com/libarchive/libarchive/issues/948'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 18:54:02 GMT).


Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 18:57:09 GMT).


Changed Bug title to 'libarchive: out-of-bounds read in lha_read_data_none()' from 'libarchive13: out-of-bounds read in lha_read_data_none()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:03:03 GMT).


Changed Bug title to 'libarchive: CVE-2017-14503: out-of-bounds read in lha_read_data_none()' from 'libarchive: out-of-bounds read in lha_read_data_none()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 18:27:04 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 25 Jul 2018 19:54:04 GMT).


Notification sent to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer. (Wed, 25 Jul 2018 19:54:04 GMT).


Message #24 received at 875960-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 875960-close@bugs.debian.org
Subject: Bug#875960: fixed in libarchive 3.2.2-4.1
Date: Wed, 25 Jul 2018 19:50:14 +0000
Source: libarchive
Source-Version: 3.2.2-4.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 Jul 2018 21:29:42 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-4.1
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 875960 875974
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Reject LHA archive entries with negative size (CVE-2017-14503)
     (Closes: #875960)
   * Avoid a read off-by-one error for UTF16 names in RAR archives
     (CVE-2017-14502)
     (Closes: #875974)
Checksums-Sha1: 
 ddc385b8c84c699cf97a604ac99b2139303a2dca 2490 libarchive_3.2.2-4.1.dsc
 8a9e579048d0f04f85ee0b51fb6d139da2aa043e 17564 libarchive_3.2.2-4.1.debian.tar.xz
Checksums-Sha256: 
 01dcf95baf5eda7f2aeb0f99d52f92a03718506903fa908d738646fa60897cfa 2490 libarchive_3.2.2-4.1.dsc
 dcb64e96a2b794fd03919099fb3d9807f77013d620039c9ab8ffb9998d114c48 17564 libarchive_3.2.2-4.1.debian.tar.xz
Files: 
 abaa2e81da50adaf4b8ed10e3db54794 2490 libs optional libarchive_3.2.2-4.1.dsc
 5c24d5a83c8c36d783865b634f76802b 17564 libs optional libarchive_3.2.2-4.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
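
The changelog fix above ("Reject LHA archive entries with negative size") and the CRC read in the report's Valgrind trace, as an added C sketch that is not libarchive's code: a simplified model, with hypothetical function names, of how a negative signed entry size defeats a length clamp before the checksum, next to a header-time check that refuses it. It assumes a plain bitwise CRC-16 rather than libarchive's own routine, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* CRC-16/ARC (reflected polynomial 0xA001), the checksum LHA uses for entry data. */
static uint16_t crc16_arc(uint16_t crc, const unsigned char *p, size_t len)
{
    while (len--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;
}

/* Hypothetical model: length a stored-entry reader would checksum, no size check. */
static size_t clamp_unchecked(int64_t remaining, int64_t avail)
{
    if (avail > remaining)        /* a negative 'remaining' always wins here */
        avail = remaining;
    return (size_t)avail;         /* negative value becomes a huge length */
}

/* Header-time check in the spirit of the fix: refuse negative sizes. */
static int entry_size_ok(int64_t size)
{
    return size >= 0;
}

/* Hardened reader: returns 0 and the CRC on success, -1 on a bad entry. */
static int read_stored_checked(const unsigned char *buf, size_t avail,
                               int64_t remaining, uint16_t *crc_out)
{
    if (!entry_size_ok(remaining))
        return -1;
    size_t n = (uint64_t)remaining < avail ? (size_t)remaining : avail;
    *crc_out = crc16_arc(0, buf, n);
    return 0;
}

int main(void)
{
    static const unsigned char buf[] = "123456789";   /* constructed sample */
    uint16_t crc = 0;
    int rc = read_stored_checked(buf, 9, 9, &crc);
    printf("unchecked length for size -6: %zu\n", clamp_unchecked(-6, 9));
    printf("checked, size -6: %d\n", read_stored_checked(buf, 9, -6, &crc));
    printf("checked, size 9: %d crc=0x%04X\n", rc, crc);
    return 0;
}
```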




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Sep 2018 07:28:34 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:42 2019; Machine Name: buxtehude
