Arch Linux Security Advisory ASA-201906-21
==========================================

Severity: High
Date    : 2019-06-25
CVE-ID  : CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000879
          CVE-2018-1000880 CVE-2019-1000019 CVE-2019-1000020
Package : libarchive
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-837

Summary
=======

The package libarchive before version 3.4.0-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution
==========

Upgrade to 3.4.0-1.

# pacman -Syu "libarchive>=3.4.0-1"

The problems have been fixed upstream in version 3.4.0.

Workaround
==========

None.

Description
===========

- CVE-2018-1000877 (arbitrary code execution)

A double-free issue has been found in libarchive >= 3.1.0 and <= 3.3.3,
in the parse_codes() function in archive_read_support_format_rar.c. An
attacker can use a specially crafted RAR file to cause a call to realloc
with a size of 0, effectively freeing the memory, which will be freed
again at a later time.

- CVE-2018-1000878 (arbitrary code execution)

A use-after-free issue has been found in libarchive >= 3.1.0 and
<= 3.3.3, in the archive_read_format_rar_read_header() function in
archive_read_support_format_rar.c. An attacker can use a specially
crafted RAR file to cause the vulnerable function to free the buffer and
allocate a new one, causing the ppmd7 decoder to continue reading from
and writing to the freed buffer.

- CVE-2018-1000879 (denial of service)

A NULL-pointer dereference issue has been found in libarchive >= 3.3.0
and <= 3.3.3, in the archive_acl_from_text_l() function in
archive_acl.c. An attacker can use a specially crafted archive file to
cause a crash via a malformed ACL.

- CVE-2018-1000880 (denial of service)

A resource consumption issue has been found in libarchive >= 3.2.0 and
<= 3.3.3, in the _warc_read() function in
archive_read_support_format_warc.c. An attacker can use a specially
crafted WARC file to cause quasi-infinite run time and disk usage from a
tiny file.

- CVE-2019-1000019 (information disclosure)

libarchive version >=v3.0.2 contains a CWE-125: Out-of-bounds Read
vulnerability in 7zip decompression,
archive_read_support_format_7zip.c, header_bytes() that can result in a
crash (denial of service). This attack appears to be exploitable via the
victim opening a specially crafted 7zip file.

- CVE-2019-1000020 (denial of service)

libarchive version >=v2.8.0 contains a CWE-835: Loop with Unreachable
Exit Condition ('Infinite Loop') vulnerability in the ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that
can result in DoS by infinite loop. This attack appears to be exploitable
via the victim opening a specially crafted ISO9660 file.

Impact
======

A local attacker is able to crash the process, leak information or
execute arbitrary code on the host with a maliciously crafted file.

References
==========

https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
https://github.com/libarchive/libarchive/pull/1105
https://github.com/libarchive/libarchive/pull/1120
https://github.com/libarchive/libarchive/commit/021efa522ad729ff0f5806c4ce53...
https://github.com/libarchive/libarchive/commit/bfcfe6f04ed20db2504db8a254d1...
https://github.com/libarchive/libarchive/commit/15bf44fd2c1ad0e3fd87048b3fcc...
https://github.com/libarchive/libarchive/commit/9c84b7426660c09c18cc349f6d70...
https://github.com/libarchive/libarchive/pull/1120/commits/65a23f5dbee449706...
https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b...
https://security.archlinux.org/CVE-2018-1000877
https://security.archlinux.org/CVE-2018-1000878
https://security.archlinux.org/CVE-2018-1000879
https://security.archlinux.org/CVE-2018-1000880
https://security.archlinux.org/CVE-2019-1000019
https://security.archlinux.org/CVE-2019-1000020
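
The realloc-with-size-0 pattern described under CVE-2018-1000877, shown beside a checked form. This is an example added here, not libarchive's code and not the upstream fix; struct decoder, resize_unsafe(), resize_checked(), decoder_free() and DICT_MAX are hypothetical names and values chosen for illustration.

```c
#include <stdlib.h>

#define DICT_MAX (64u * 1024u * 1024u)  /* assumed upper bound for this example */

/* Hypothetical decoder state; dict_size is driven by archive header fields. */
struct decoder { unsigned char *dict; size_t dict_size; };

/* "Before": on glibc, realloc(p, 0) frees p and returns NULL. The error
 * path returns with d->dict still pointing at freed memory, so a later
 * cleanup free(d->dict) releases the same block a second time. */
int resize_unsafe(struct decoder *d, size_t new_size)
{
    void *p = realloc(d->dict, new_size);
    if (p == NULL)
        return -1;
    d->dict = p;
    d->dict_size = new_size;
    return 0;
}

/* "After": validate the file-controlled size before the allocator sees it. */
int resize_checked(struct decoder *d, size_t new_size)
{
    unsigned char *p;
    if (new_size == 0 || new_size > DICT_MAX)
        return -1;                    /* d->dict untouched, still owned */
    p = realloc(d->dict, new_size);
    if (p == NULL)
        return -1;                    /* nonzero size: old block is still valid */
    d->dict = p;
    d->dict_size = new_size;
    return 0;
}

/* Cleanup that is safe to reach twice: free(NULL) is a no-op. */
void decoder_free(struct decoder *d)
{
    free(d->dict);
    d->dict = NULL;
    d->dict_size = 0;
}

int main(void)
{
    struct decoder d = { NULL, 0 };
    int ok = resize_checked(&d, 64) == 0 && resize_checked(&d, 0) == -1;
    decoder_free(&d);
    return ok ? 0 : 1;
}
```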