[ASA-201906-21] libarchive: multiple issues
foxboron at archlinux.org
Mon Jul 1 19:00:36 UTC 2019
Arch Linux Security Advisory ASA-201906-21
Date : 2019-06-25
CVE-ID : CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000879 CVE-2018-1000880
Package : libarchive
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-837
The package libarchive before version 3.4.0-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
Upgrade to 3.4.0-1.
# pacman -Syu "libarchive>=3.4.0-1"
The problems have been fixed upstream in version 3.4.0.
- CVE-2018-1000877 (arbitrary code execution)
A double-free issue has been found in libarchive >= 3.1.0 and <=3.3.3,
in the parse_codes() function in archive_read_support_format_rar.c. An
attacker can use a specially crafted RAR file to cause a call to
realloc with a size of 0, effectively freeing the memory which will be
freed again at a later time.
- CVE-2018-1000878 (arbitrary code execution)
A use-after-free issue has been found in libarchive >= 3.1.0 and
<=3.3.3, in the archive_read_format_rar_read_header() function in
archive_read_support_format_rar.c. An attacker can use a specially
crafted RAR file to cause the vulnerable function to free the buffer
and allocate a new one, causing the ppmd7 decoder to continue reading
from and writing to the freed buffer.
- CVE-2018-1000879 (denial of service)
A NULL-pointer dereference issue has been found in libarchive >= 3.3.0
and <=3.3.3, in the archive_acl_from_text_l() function in
archive_acl.c. An attacker can use a specially crafted archive file to
cause a crash via a malformed ACL.
- CVE-2018-1000880 (denial of service)
A resource consumption issue has been found in libarchive >= 3.2.0 and
<=3.3.3, in the _warc_read() function in
archive_read_support_format_warm.c. An attacker can use a specially
crafted WARC file to cause quasi-infinite run time and disk usage from
a tiny file.
- CVE-2019-1000019 (information disclosure)
libarchive version >=v3.0.2 contains a CWE-125: Out-of-bounds Read
vulnerability in 7zip decompression,
archive_read_support_format_7zip.c, header_bytes() that can result in a
crash (denial of service). This attack appears to be exploitable via
the victim opening a specially crafted 7zip file.
- CVE-2019-1000020 (denial of service)
libarchive version >=v2.8.0 contains a CWE-835: Loop with Unreachable
Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that
can result in DoS by infinite loop. This attack appears to be
exploitable via the victim opening a specially crafted ISO9660 file.
A local attacker is capable of crashing the process, leak information
or execute arbitrary code on the host with a maliciously crafted file.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security