RHSA-2016:1844

DSA-3657

[oss-security] 20160617 Many invalid memory access issues in libarchive

[oss-security] 20160617 Re: Many invalid memory access issues in libarchive

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

91303

USN-3033-1

https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html

https://github.com/libarchive/libarchive/issues/505

GLSA-201701-03

https://security-tracker.debian.org/tracker/CVE-2015-8917

According to the versions of the libarchive package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in libarchive. A specially     crafted MTREE file could cause a small out-of-bounds     read, potentially disclosing a small amount of     application memory.(CVE-2015-8925)

  - A vulnerability was found in libarchive. An attempt to     create an ISO9660 volume with 2GB or 4GB filenames     could cause the application to crash.(CVE-2016-6250)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application to read     memory beyond the end of the decompression     buffer.(CVE-2015-8934)

  - A vulnerability was found in libarchive's handling of     7zip data. A specially crafted 7zip file can cause a     integer overflow resulting in memory corruption that     can lead to code execution.(CVE-2016-4300)

  - A vulnerability was found in libarchive. A specially     crafted 7Z file could trigger a NULL pointer     dereference, causing the application to     crash.(CVE-2015-8922)

  - Undefined behavior (signed integer overflow) was     discovered in libarchive, in the ISO parser. A crafted     file could potentially cause denial of     service.(CVE-2016-5844)

  - A vulnerability was found in libarchive. A specially     crafted AR archive could cause the application to read     a single byte of application memory, potentially     disclosing it to the attacker.(CVE-2015-8920)

  - A vulnerability was found in libarchive. A specially     crafted mtree file could cause libarchive to read     beyond a statically declared structure, potentially     disclosing application memory.(CVE-2015-8921)

  - A vulnerability was found in libarchive. A specially     crafted LZA/LZH file could cause a small out-of-bounds     read, potentially disclosing a few bytes of application     memory.(CVE-2015-8919)

  - A vulnerability was found in libarchive. A specially     crafted ISO file could cause the application to consume     resources until it hit a memory limit, leading to a     crash or denial of service.(CVE-2015-8930)

  - A vulnerability was found in libarchive. A specially     crafted TAR file could trigger an out-of-bounds read,     potentially causing the application to disclose a small     amount of application memory.(CVE-2015-8924)

  - A vulnerability was found in libarchive. A specially     crafted MTREE file could cause a limited out-of-bounds     read, potentially disclosing contents of application     memory.(CVE-2015-8928)

  - A vulnerability was found in libarchive. A specially     crafted CAB file could cause the application     dereference a NULL pointer, leading to a     crash.(CVE-2015-8917)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application     dereference a NULL pointer, leading to a     crash.(CVE-2015-8916)

  - A vulnerability was found in libarchive's handling of     RAR archives. A specially crafted RAR file can cause a     heap overflow, potentially leading to code execution in     the context of the application.(CVE-2016-4302)

  - Undefined behavior (invalid left shift) was discovered     in libarchive, in how Compress streams are identified.
    This could cause certain files to be mistakenly     identified as Compress archives and fail to     read.(CVE-2015-8932)

  - A vulnerability was found in libarchive. A specially     crafted gzip file can cause libarchive to allocate     memory without limit, eventually leading to a     crash.(CVE-2016-7166)

  - Undefined behavior (signed integer overflow) was     discovered in libarchive, in the MTREE parser's     calculation of maximum and minimum dates. A crafted     mtree file could potentially cause denial of     service.(CVE-2015-8931)

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws     in libarchive's file system sandboxing, this issue     could cause an application using libarchive to     overwrite arbitrary files with arbitrary data from the     archive.(CVE-2016-5418)

  - Integer signedness error in the archive_write_zip_data     function in archive_write_set_format_zip.c in     libarchive 3.1.2 and earlier, when running on 64-bit     machines, allows context-dependent attackers to cause a     denial of service (crash) via unspecified vectors,     which triggers an improper conversion between unsigned     and signed types, leading to a buffer     overflow.(CVE-2013-0211)

  - A vulnerability was found in libarchive. A specially     crafted zip file can provide an incorrect compressed     size, which may allow an attacker to place arbitrary     code on the heap and execute it in the context of the     application.(CVE-2016-1541)

  - A vulnerability was found in libarchive. A specially     crafted cpio archive containing a symbolic link to a     ridiculously large target path can cause memory     allocation to fail, resulting in any attempt to view or     extract the archive crashing.(CVE-2016-4809)

  - A vulnerability was found in libarchive. A specially     crafted ZIP file could cause a few bytes of application     memory in a 256-byte region to be     disclosed.(CVE-2015-8923)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application to     disclose a 128k block of memory from an uncontrolled     location.(CVE-2015-8926)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libarchive package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws     in libarchive's file system sandboxing, this issue     could cause an application using libarchive to     overwrite arbitrary files with arbitrary data from the     archive. (CVE-2016-5418)

  - Multiple out-of-bounds write flaws were found in     libarchive.

  - Specially crafted ZIP, 7ZIP, or RAR files could cause a     heap overflow, potentially allowing code execution in     the context of the application using libarchive.
    (CVE-2016-1541, CVE-2016-4300, CVE-2016-4302)

  - Multiple out-of-bounds read flaws were found in     libarchive.

  - Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR     files could cause the application to read data out of     bounds, potentially disclosing a small amount of     application memory, or causing an application crash.
    (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921,     CVE-2015-8923, CVE-2015-8924, CVE-2015-8925,     CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

  - Multiple NULL pointer dereference flaws were found in     libarchive.

  - Specially crafted RAR, CAB, or 7ZIP files could cause     an application using libarchive to crash.
    (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

  - Multiple infinite loop / resource exhaustion flaws were     found in libarchive. Specially crafted GZIP or ISO     files could cause the application to consume an     excessive amount of resources, eventually leading to a     crash on memory exhaustion. (CVE-2016-7166,     CVE-2015-8930)

  - A denial of service vulnerability was found in     libarchive. A specially crafted CPIO archive containing     a symbolic link to a large target path could cause     memory allocation to fail, causing an application using     libarchive that attempted to view or extract such     archive to crash. (CVE-2016-4809)

  - An integer overflow flaw, leading to a buffer overflow,     was found in libarchive's construction of ISO9660     volumes. Attempting to create an ISO9660 volume with 2     GB or 4 GB file names could cause the application to     attempt to allocate 20 GB of memory. If this were to     succeed, it could lead to an out of bounds write on the     heap and potential code execution. (CVE-2016-6250)

  - Multiple instances of undefined behavior due to     arithmetic overflow were found in libarchive. Specially     crafted MTREE archives, Compress streams, or ISO9660     volumes could potentially cause the application to fail     to read the archive, or to crash. (CVE-2015-8931,     CVE-2015-8932, CVE-2016-5844)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-03 (libarchive: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libarchive. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted       archive file possibly resulting in the execution of arbitrary code with       the privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418)

Multiple out-of-bounds write flaws were found in libarchive. Specially crafted ZIP, 7ZIP, or RAR files could cause a heap overflow, potentially allowing code execution in the context of the application using libarchive. (CVE-2016-1541 , CVE-2016-4300 , CVE-2016-4302)

Multiple out-of-bounds read flaws were found in libarchive. Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR files could cause the application to read data out of bounds, potentially disclosing a small amount of application memory, or causing an application crash.
(CVE-2015-8919 , CVE-2015-8920 , CVE-2015-8921 , CVE-2015-8923 , CVE-2015-8924 , CVE-2015-8925 , CVE-2015-8926 , CVE-2015-8928 , CVE-2015-8934)

Multiple NULL pointer dereference flaws were found in libarchive.
Specially crafted RAR, CAB, or 7ZIP files could cause an application using libarchive to crash. (CVE-2015-8916 , CVE-2015-8917 , CVE-2015-8922)

Multiple infinite loop / resource exhaustion flaws were found in libarchive. Specially crafted GZIP or ISO files could cause the application to consume an excessive amount of resources, eventually leading to a crash on memory exhaustion. (CVE-2016-7166 , CVE-2015-8930)

A denial of service vulnerability was found in libarchive. A specially crafted CPIO archive containing a symbolic link to a large target path could cause memory allocation to fail, causing an application using libarchive that attempted to view or extract such archive to crash.
(CVE-2016-4809)

An integer overflow flaw, leading to a buffer overflow, was found in libarchive's construction of ISO9660 volumes. Attempting to create an ISO9660 volume with 2 GB or 4 GB file names could cause the application to attempt to allocate 20 GB of memory. If this were to succeed, it could lead to an out of bounds write on the heap and potential code execution. (CVE-2016-6250)

Multiple instances of undefined behavior due to arithmetic overflow were found in libarchive. Specially crafted MTREE archives, Compress streams, or ISO9660 volumes could potentially cause the application to fail to read the archive, or to crash. (CVE-2015-8931 , CVE-2015-8932 , CVE-2016-5844)

An update for libarchive is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers.

Security Fix(es) :

* A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418)

* Multiple out-of-bounds write flaws were found in libarchive.
Specially crafted ZIP, 7ZIP, or RAR files could cause a heap overflow, potentially allowing code execution in the context of the application using libarchive. (CVE-2016-1541, CVE-2016-4300, CVE-2016-4302)

* Multiple out-of-bounds read flaws were found in libarchive.
Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR files could cause the application to read data out of bounds, potentially disclosing a small amount of application memory, or causing an application crash. (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

* Multiple NULL pointer dereference flaws were found in libarchive.
Specially crafted RAR, CAB, or 7ZIP files could cause an application using libarchive to crash. (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

* Multiple infinite loop / resource exhaustion flaws were found in libarchive. Specially crafted GZIP or ISO files could cause the application to consume an excessive amount of resources, eventually leading to a crash on memory exhaustion. (CVE-2016-7166, CVE-2015-8930)

* A denial of service vulnerability was found in libarchive. A specially crafted CPIO archive containing a symbolic link to a large target path could cause memory allocation to fail, causing an application using libarchive that attempted to view or extract such archive to crash. (CVE-2016-4809)

* An integer overflow flaw, leading to a buffer overflow, was found in libarchive's construction of ISO9660 volumes. Attempting to create an ISO9660 volume with 2 GB or 4 GB file names could cause the application to attempt to allocate 20 GB of memory. If this were to succeed, it could lead to an out of bounds write on the heap and potential code execution. (CVE-2016-6250)

* Multiple instances of undefined behavior due to arithmetic overflow were found in libarchive. Specially crafted MTREE archives, Compress streams, or ISO9660 volumes could potentially cause the application to fail to read the archive, or to crash. (CVE-2015-8931, CVE-2015-8932, CVE-2016-5844)

Red Hat would like to thank Insomnia Security for reporting CVE-2016-5418.

Security Fix(es) :

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws in     libarchive's file system sandboxing, this issue could     cause an application using libarchive to overwrite     arbitrary files with arbitrary data from the archive.
    (CVE-2016-5418)

  - Multiple out-of-bounds write flaws were found in     libarchive. Specially crafted ZIP, 7ZIP, or RAR files     could cause a heap overflow, potentially allowing code     execution in the context of the application using     libarchive. (CVE-2016-1541, CVE-2016-4300,     CVE-2016-4302)

  - Multiple out-of-bounds read flaws were found in     libarchive. Specially crafted LZA/LZH, AR, MTREE, ZIP,     TAR, or RAR files could cause the application to read     data out of bounds, potentially disclosing a small     amount of application memory, or causing an application     crash. (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921,     CVE-2015-8923, CVE-2015-8924, CVE-2015-8925,     CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

  - Multiple NULL pointer dereference flaws were found in     libarchive. Specially crafted RAR, CAB, or 7ZIP files     could cause an application using libarchive to crash.
    (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

  - Multiple infinite loop / resource exhaustion flaws were     found in libarchive. Specially crafted GZIP or ISO files     could cause the application to consume an excessive     amount of resources, eventually leading to a crash on     memory exhaustion. (CVE-2016-7166, CVE-2015-8930)

  - A denial of service vulnerability was found in     libarchive. A specially crafted CPIO archive containing     a symbolic link to a large target path could cause     memory allocation to fail, causing an application using     libarchive that attempted to view or extract such     archive to crash. (CVE-2016-4809)

  - An integer overflow flaw, leading to a buffer overflow,     was found in libarchive's construction of ISO9660     volumes. Attempting to create an ISO9660 volume with 2     GB or 4 GB file names could cause the application to     attempt to allocate 20 GB of memory. If this were to     succeed, it could lead to an out of bounds write on the     heap and potential code execution. (CVE-2016-6250)

  - Multiple instances of undefined behavior due to     arithmetic overflow were found in libarchive. Specially     crafted MTREE archives, Compress streams, or ISO9660     volumes could potentially cause the application to fail     to read the archive, or to crash. (CVE-2015-8931,     CVE-2015-8932, CVE-2016-5844)

From Red Hat Security Advisory 2016:1844 :

An update for libarchive is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers.

Security Fix(es) :

* A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418)

* Multiple out-of-bounds write flaws were found in libarchive.
Specially crafted ZIP, 7ZIP, or RAR files could cause a heap overflow, potentially allowing code execution in the context of the application using libarchive. (CVE-2016-1541, CVE-2016-4300, CVE-2016-4302)

* Multiple out-of-bounds read flaws were found in libarchive.
Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR files could cause the application to read data out of bounds, potentially disclosing a small amount of application memory, or causing an application crash. (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

* Multiple NULL pointer dereference flaws were found in libarchive.
Specially crafted RAR, CAB, or 7ZIP files could cause an application using libarchive to crash. (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

* Multiple infinite loop / resource exhaustion flaws were found in libarchive. Specially crafted GZIP or ISO files could cause the application to consume an excessive amount of resources, eventually leading to a crash on memory exhaustion. (CVE-2016-7166, CVE-2015-8930)

* A denial of service vulnerability was found in libarchive. A specially crafted CPIO archive containing a symbolic link to a large target path could cause memory allocation to fail, causing an application using libarchive that attempted to view or extract such archive to crash. (CVE-2016-4809)

* An integer overflow flaw, leading to a buffer overflow, was found in libarchive's construction of ISO9660 volumes. Attempting to create an ISO9660 volume with 2 GB or 4 GB file names could cause the application to attempt to allocate 20 GB of memory. If this were to succeed, it could lead to an out of bounds write on the heap and potential code execution. (CVE-2016-6250)

* Multiple instances of undefined behavior due to arithmetic overflow were found in libarchive. Specially crafted MTREE archives, Compress streams, or ISO9660 volumes could potentially cause the application to fail to read the archive, or to crash. (CVE-2015-8931, CVE-2015-8932, CVE-2016-5844)

Red Hat would like to thank Insomnia Security for reporting CVE-2016-5418.

Hanno Boeck and Marcin Noga discovered multiple vulnerabilities in libarchive; processing malformed archives may result in denial of service or the execution of arbitrary code.

Several vulnerabilities were discovered in libarchive, a library for reading and writing archives in various formats. An attacker can take advantage of these flaws to cause a denial of service against an application using the libarchive library (application crash), or potentially execute arbitrary code with the privileges of the user running the application.

For Debian 7 'Wheezy', these problems have been fixed in version 3.0.4-3+wheezy2.

We recommend that you upgrade your libarchive packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Hanno Bock discovered that libarchive contained multiple security issues when processing certain malformed archive files. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-8916, CVE-2015-8917 CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8930, CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934, CVE-2016-5844)

Marcin 'Icewall' Noga discovered that libarchive contained multiple security issues when processing certain malformed archive files. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-4300, CVE-2016-4302)

It was discovered that libarchive incorrectly handled memory allocation with large cpio symlinks. A remote attacker could use this issue to possibly cause libarchive to crash, resulting in a denial of service. (CVE-2016-4809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124794	EulerOS Virtualization 3.0.1.0 : libarchive (EulerOS-SA-2019-1470)	Nessus	Huawei Local Security Checks	high
99808	EulerOS 2.0 SP1 : libarchive (EulerOS-SA-2016-1045)	Nessus	Huawei Local Security Checks	high
96234	GLSA-201701-03 : libarchive: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93744	Amazon Linux AMI : libarchive (ALAS-2016-743)	Nessus	Amazon Linux Local Security Checks	high
93541	CentOS 7 : libarchive (CESA-2016:1844)	Nessus	CentOS Local Security Checks	high
93454	Scientific Linux Security Update : libarchive on SL7.x x86_64 (20160912)	Nessus	Scientific Linux Local Security Checks	high
93450	RHEL 7 : libarchive (RHSA-2016:1844)	Nessus	Red Hat Local Security Checks	high
93446	Oracle Linux 7 : libarchive (ELSA-2016-1844)	Nessus	Oracle Linux Local Security Checks	high
93238	Debian DSA-3657-1 : libarchive - security update	Nessus	Debian Local Security Checks	high
92500	Debian DLA-554-1 : libarchive security update	Nessus	Debian Local Security Checks	high
92312	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : libarchive vulnerabilities (USN-3033-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2015-8917

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high