Bug ID 1037008
Summary VUL-1: CVE-2016-10349: libarchive: bsdtar: heap-based buffer overflow read
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

Created attachment 723280 [details]
CVE-2016-10349_reproducer

Ref:
https://blogs.gentoo.org/ago/2017/05/01/libarchive-two-heap-based-buffer-overflow-read/
======================================================
Description:
libarchive is a multi-format archive and compression library.

In the 2016 I reported two heap-based buffer over-read to libarchive. They
appear to have already been fixed in the trunk when I reported them; here are
the details:

# bsdtar -t -f $FILE
=================================================================               
==27838==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61500000ff05 at pc 0x7fad7b060778 bp 0x7ffe35698a10 sp 0x7ffe35698a08         
READ of size 1 at 0x61500000ff05 thread T0                                      
    #0 0x7fad7b060777 in archive_le32dec
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_endian.h:122:20 
    #1 0x7fad7b060777 in cab_read_header
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_support_format_cab.c:669 
    #2 0x7fad7b060777 in archive_read_format_cab_read_header
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_support_format_cab.c:903 
    #3 0x7fad7affa45b in _archive_read_next_header2
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:649:7 
    #4 0x7fad7affa100 in _archive_read_next_header
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:687:8 
    #5 0x514c89 in read_archive
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:261:7   
    #6 0x51416b in tar_mode_t
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:94:2    
    #7 0x50f1a8 in main
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/bsdtar.c:803:3 
    #8 0x7fad7a08d61f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289    
    #9 0x41c168 in _init (/usr/bin/bsdtar+0x41c168)                             

0x61500000ff05 is located 5 bytes to the right of 512-byte region
[0x61500000fd00,0x61500000ff00)                                                 
allocated by thread T0 here:                                                    
    #0 0x4d4f28 in malloc
/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64 
    #1 0x7fad7aff5854 in __archive_read_filter_ahead
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:1436:17 
    #2 0x7fad7b0db8cd in archive_read_format_tar_bid
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_support_format_tar.c:310:6 
    #3 0x7fad7afef670 in choose_format
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:712:10 
    #4 0x7fad7afef670 in archive_read_open1
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read.c:529 
    #5 0x7fad7b0162e1 in archive_read_open_filenames
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_open_filename.c:152:10 
    #6 0x7fad7b015e8b in archive_read_open_filename
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_read_open_filename.c:109:9 
    #7 0x5149eb in read_archive
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:223:6   
    #8 0x51416b in tar_mode_t
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/read.c:94:2    
    #9 0x50f1a8 in main
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/tar/bsdtar.c:803:3 
    #10 0x7fad7a08d61f in __libc_start_main
/var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289    

SUMMARY: AddressSanitizer: heap-buffer-overflow
/tmp/portage/app-arch/libarchive-3.2.2/work/libarchive-3.2.2/libarchive/archive_endian.h:122:20
in archive_le32dec
Shadow bytes around the buggy address:
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fe0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27838==ABORTING

Affected version:
3.2.2
Fixed version:
3.3.0
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00105-libarchive-heapoverflow-archive_le32dec
CVE:
CVE-2016-10349
======================================================

[1] https://security-tracker.debian.org/tracker/CVE-2016-10349

[2] https://github.com/libarchive/libarchive/issues/834

You are receiving this mail because: