libarchive: CVE-2017-14502: out-of-bounds read in archive_read_format_rar_read_header()

Related Vulnerabilities: CVE-2017-14502   CVE-2017-14503  

Debian Bug report logs - #875974

Reported by: Jakub Wilk <jwilk@jwilk.net>

Date: Sat, 16 Sep 2017 18:15:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in versions libarchive/3.2.2-3.1, libarchive/3.1.2-11

Fixed in version libarchive/3.2.2-4.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@jwilk.net, Peter Pentchev <roam@ringlet.net>:
Bug#875974; Package libarchive13. (Sat, 16 Sep 2017 18:15:03 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@jwilk.net>
To: submit@bugs.debian.org
Subject: libarchive13: out-of-bounds read in archive_read_format_rar_read_header()
Date: Sat, 16 Sep 2017 20:02:42 +0200
Package: libarchive13
Version: 3.2.2-3.1

$ valgrind --quiet -- bsdtar -xf oob.rar
==1880== Invalid read of size 1
==1880==    at 0x4832FF0: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880==    by 0x489B5E0: memcpy (string3.h:53)
==1880==    by 0x489B5E0: read_header (archive_read_support_format_rar.c:1577)
==1880==    by 0x489C347: archive_read_format_rar_read_header (archive_read_support_format_rar.c:932)
==1880==    by 0x4873A54: _archive_read_next_header2 (archive_read.c:649)
==1880==    by 0x4873B5B: _archive_read_next_header (archive_read.c:687)
==1880==    by 0x10D384: read_archive (read.c:261)
==1880==    by 0x10DCAC: tar_mode_x (read.c:112)
==1880==    by 0x10C2BB: main (bsdtar.c:809)
==1880==  Address 0x6ca726a is 0 bytes after a block of size 98 alloc'd
==1880==    at 0x482E1FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880==    by 0x4830520: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880==    by 0x489B451: read_header (archive_read_support_format_rar.c:1423)
==1880==    by 0x489C347: archive_read_format_rar_read_header (archive_read_support_format_rar.c:932)
==1880==    by 0x4873A54: _archive_read_next_header2 (archive_read.c:649)
==1880==    by 0x4873B5B: _archive_read_next_header (archive_read.c:687)
==1880==    by 0x10D384: read_archive (read.c:261)
==1880==    by 0x10DCAC: tar_mode_x (read.c:112)
==1880==    by 0x10C2BB: main (bsdtar.c:809)
==1880==
bsdtar: Unknown file attributes from RAR file's host OS
bsdtar: Error exit delayed from previous errors.


Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Architecture: i386

Versions of packages libarchive13 depends on:
ii  libacl1     2.2.52-3+b1
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-17
ii  liblz4-1    0.0~r131-2+b1
ii  liblzma5    5.2.2-1.3
ii  liblzo2-2   2.08-1.2+b2
ii  libnettle6  3.3-2
ii  libxml2     2.9.4+dfsg1-4
ii  zlib1g      1:1.2.8.dfsg-5

-- 
Jakub Wilk
[oob.rar (application/rar, attachment)]
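
Added example (not part of the bug report or of libarchive): a short Python parser that reduces the Memcheck output in the message above to a triage record, namely the access kind, the position relative to the heap block, and the first project frame for the fault and for the allocation. The function names and the NOISE filter are assumptions of this sketch; the sample input is an excerpt of the trace above with the outer frames trimmed.

```python
import re

# Excerpt of the Memcheck output from the report above (outer frames trimmed).
REPORT = """\
==1880== Invalid read of size 1
==1880==    at 0x4832FF0: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880==    by 0x489B5E0: memcpy (string3.h:53)
==1880==    by 0x489B5E0: read_header (archive_read_support_format_rar.c:1577)
==1880==    by 0x489C347: archive_read_format_rar_read_header (archive_read_support_format_rar.c:932)
==1880==  Address 0x6ca726a is 0 bytes after a block of size 98 alloc'd
==1880==    at 0x482E1FC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880==    by 0x4830520: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1880==    by 0x489B451: read_header (archive_read_support_format_rar.c:1423)
==1880==
"""

ERROR = re.compile(r"Invalid (read|write) of size (\d+)")
BLOCK = re.compile(r"Address 0x[0-9a-fA-F]+ is (\d+) bytes (after|before|inside) "
                   r"a block of size (\d+) (alloc'd|free'd)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((?:in )?(.+)\)$")
# Assumption: frames in the Valgrind preload shim or libc inlines never name the faulty caller.
NOISE = ("vgpreload_", "string3.h")

def first_project_frame(frames):
    """Return the first (function, location) frame that is not allocator/libc noise."""
    for func, where in frames:
        if not any(n in where for n in NOISE):
            return func, where
    return None

def triage(report):
    """Parse one Memcheck invalid-access report into a dict of triage fields."""
    out = {"access_frames": [], "block_frames": []}
    section = None
    for raw in report.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw)      # drop the ==PID== prefix
        if m := ERROR.search(line):
            out["kind"], out["size"] = m.group(1), int(m.group(2))
            section = "access_frames"               # frames that follow: the bad access
        elif m := BLOCK.search(line):
            out["offset"], out["where"] = int(m.group(1)), m.group(2)
            out["block_size"], out["state"] = int(m.group(3)), m.group(4)
            section = "block_frames"                # frames that follow: the allocation
        elif section and (m := FRAME.match(line)):
            out[section].append((m.group(1), m.group(2)))
    out["fault_site"] = first_project_frame(out["access_frames"])
    out["alloc_site"] = first_project_frame(out["block_frames"])
    return out

def bucket(t):
    """Crash-dedup key: access kind, position relative to the block, faulting function."""
    return (t["kind"], t["where"], t["offset"], t["fault_site"][0])
```

For this trace the record shows a 1-byte read starting exactly at the end of a 98-byte live heap block, with both the access and the allocation in read_header.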

Bug reassigned from package 'libarchive13' to 'src:libarchive'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:03 GMT)


No longer marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:03 GMT)


Marked as found in versions libarchive/3.2.2-3.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:36:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Peter Pentchev <roam@ringlet.net>:
Bug#875974; Package src:libarchive. (Sat, 16 Sep 2017 19:39:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Pentchev <roam@ringlet.net>. (Sat, 16 Sep 2017 19:39:05 GMT)


Message #14 received at 875974@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jakub Wilk <jwilk@jwilk.net>, 875974@bugs.debian.org
Subject: Re: Bug#875974: libarchive13: out-of-bounds read in archive_read_format_rar_read_header()
Date: Sat, 16 Sep 2017 21:35:31 +0200
Hi

This should be fixed upstream with

https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6

Regards,
Salvatore



Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:39:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Peter Pentchev <roam@ringlet.net>:
Bug#875974; Package src:libarchive. (Sat, 16 Sep 2017 19:48:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Pentchev <roam@ringlet.net>. (Sat, 16 Sep 2017 19:48:03 GMT)


Message #21 received at 875974@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 875974@bugs.debian.org
Cc: Jakub Wilk <jwilk@jwilk.net>
Subject: Re: Bug#875974: libarchive13: out-of-bounds read in archive_read_format_rar_read_header()
Date: Sat, 16 Sep 2017 21:44:45 +0200
Hi

On Sat, Sep 16, 2017 at 09:35:31PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> This should be fixed upstream with
> 
> https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6

Additional reference, the mentioned OSS-Fuzz issue is

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573

Regards,
Salvatore



No longer marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:57:03 GMT)


Changed Bug title to 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()' from 'libarchive13: out-of-bounds read in archive_read_format_rar_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:57:03 GMT)


Added tag(s) fixed-upstream, security, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Sep 2017 19:57:04 GMT)


Marked as found in versions libarchive/3.1.2-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 18:24:02 GMT)


Changed Bug title to 'libarchive: CVE-2017-14502: out-of-bounds read in archive_read_format_rar_read_header()' from 'libarchive: out-of-bounds read in archive_read_format_rar_read_header()'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 18:27:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Wed, 25 Jul 2018 19:54:07 GMT)


Notification sent to Jakub Wilk <jwilk@jwilk.net>:
Bug acknowledged by developer. (Wed, 25 Jul 2018 19:54:07 GMT)


Message #36 received at 875974-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 875974-close@bugs.debian.org
Subject: Bug#875974: fixed in libarchive 3.2.2-4.1
Date: Wed, 25 Jul 2018 19:50:14 +0000
Source: libarchive
Source-Version: 3.2.2-4.1

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 875974@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 Jul 2018 21:29:42 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.2-4.1
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@ringlet.net>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 875960 875974
Description: 
 bsdcpio    - transitional dummy package for moving bsdcpio to libarchive-tools
 bsdtar     - transitional dummy package for moving bsdtar to libarchive-tools
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.2.2-4.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Reject LHA archive entries with negative size (CVE-2017-14503)
     (Closes: #875960)
   * Avoid a read off-by-one error for UTF16 names in RAR archives
     (CVE-2017-14502)
     (Closes: #875974)
Checksums-Sha1: 
 ddc385b8c84c699cf97a604ac99b2139303a2dca 2490 libarchive_3.2.2-4.1.dsc
 8a9e579048d0f04f85ee0b51fb6d139da2aa043e 17564 libarchive_3.2.2-4.1.debian.tar.xz
Checksums-Sha256: 
 01dcf95baf5eda7f2aeb0f99d52f92a03718506903fa908d738646fa60897cfa 2490 libarchive_3.2.2-4.1.dsc
 dcb64e96a2b794fd03919099fb3d9807f77013d620039c9ab8ffb9998d114c48 17564 libarchive_3.2.2-4.1.debian.tar.xz
Files: 
 abaa2e81da50adaf4b8ed10e3db54794 2490 libs optional libarchive_3.2.2-4.1.dsc
 5c24d5a83c8c36d783865b634f76802b 17564 libs optional libarchive_3.2.2-4.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Sep 2018 07:29:18 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:34:25 2019; Machine Name: beach
