libarchive use-after-free vulnerability

A use-after-free vulnerability has been found in libarchive.


Libarchive is a compression library best known for being used in
the following widely used software:

  • cpio(1) copy files to and from archives
  • tar(1) tape archiver
  • zcat() compress and expand data (compress mode)

and this is the exploit of the day.

The vulnerability

The vulnerability was found by Google's automated fuzzing
platform, OSS-Fuzz.

 libarchive/archive_read_support_format_rar.c
@@ -1024,8 +1024,10 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff,
  case COMPRESS_METHOD_GOOD:
  case COMPRESS_METHOD_BEST:
    ret = read_data_compressed(a, buff, size, offset);
    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN)
    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) {
      __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context);
      rar->start_new_table = 1;
    }
    break;

  default:
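
Review bot: The new error branch frees `rar->ppmd7_context` and relies on `rar->start_new_table = 1` to keep the freed context from being used again, but nothing in the hunk states that invariant; a one-line comment saying that the next read must re-parse the tables and set up the PPMd7 context again before decoding would make it explicit. It is also worth confirming that `Ppmd7_Free` leaves the context in a state where a second call is harmless, since a repeated failure on this path or a later cleanup could otherwise free the same context twice.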

Link: https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60#diff-44a241994d3a03f7a08b8a70ddc29d1f

Recommendation: We recommend that you upgrade your libarchive package to version
3.4.

Affected operating systems

Libarchive is used in the majority of operating systems.
Debian, Ubuntu and Arch Linux, among several other Linux
systems, use it in the core operating system.

OpenBSD does not use libarchive in the base install. However, version 3.3.3 is still in the package repository:

# pkg_info libarchive
Information for https://ftp2.eu.openbsd.org/pub/OpenBSD/6.5/packages/amd64/libarchive-3.3.3.tgz

Comment:
multi-format archive and compression library
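
A version gate for the recommendation above, as an added example that is not part of the original post or of libarchive: it pulls the libarchive version out of a string such as the pkg_info line shown above and reports whether it predates 3.4. The function names and sample strings are constructed, and the `bsdtar --version` layout is an assumption. Distribution packages that backport fixes keep an older upstream number, so an "update" verdict is a prompt to check the distributor's advisory.

```shell
#!/bin/sh
# Added example: flag libarchive versions older than the release the page recommends.
FIXED_VERSION="3.4.0"   # the page says "3.4"; written here with an explicit patch level

# Extract the version that follows "libarchive-" or "libarchive " in a string,
# e.g. ".../libarchive-3.3.3.tgz" or "bsdtar 3.3.3 - libarchive 3.3.3 zlib/1.2.11".
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*libarchive[- ]\([0-9][0-9.]*[0-9]\).*/\1/p' |
        head -n 1
}

# Turn "major.minor.patch" into one integer (3.3.3 -> 3003003, 3.4 -> 3004000),
# the same layout libarchive uses for ARCHIVE_VERSION_NUMBER.
ver_to_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Verdict for one version-bearing string.
# Return status: 0 = at or above the fixed version, 1 = older, 2 = no version found.
check_libarchive() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: no libarchive version found in input"
        return 2
    fi
    if [ "$(ver_to_int "$ver")" -lt "$(ver_to_int "$FIXED_VERSION")" ]; then
        echo "update: libarchive $ver predates $FIXED_VERSION"
        return 1
    fi
    echo "ok: libarchive $ver"
    return 0
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_PKG='Information for https://ftp2.eu.openbsd.org/pub/OpenBSD/6.5/packages/amd64/libarchive-3.3.3.tgz'
SAMPLE_BSDTAR='bsdtar 3.4.0 - libarchive 3.4.0 zlib/1.2.11'

check_libarchive "$SAMPLE_PKG" || true
check_libarchive "$SAMPLE_BSDTAR" || true

# On a live system, feed it real output instead, for example:
#   check_libarchive "$(pkg_info libarchive | head -n 1)"
#   check_libarchive "$(bsdtar --version)"
```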

We were extra worried that this would affect OpenBSD, because
of our strong in-company love for that system!
We contacted the maintainer of the OpenBSD port of the package,
and he told us that the package has not been rewritten:

Date: Mon, 4 Nov 2019 16:47:03 +0100
From: Christian Weisgerber <naddy  mips.inka.de>
To: Firo <@firosolutions.com>
Subject: Re: Libarchive
Message-ID: <censored>
References: <censored>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <censored-user@firosolutions.com>
User-Agent: Mutt

Firo:

> Has libarchive been rewritten for openbsd?

No.

-- 
Christian "naddy" Weisgerber                          naddy mips.inka.de

FreeBSD has libarchive in its base install and core system.
Source: https://people.freebsd.org/~kientzle/libarchive/man/archive_read.3.txt

NetBSD also contains libarchive in its base install and core system.
Source: https://netbsd.gw.com/cgi-bin/man-cgi?libarchive++NetBSD-current

The vulnerability has been assigned CVE-2019-18408.

External links:
libarchive GitHub
Firo
libarchive FreeBSD
Debian security advisory DSA 4557
CVE-2019-18408
Ubuntu statement