Arch Linux Security Advisory ASA-201906-21
=========================================
Severity: High
Date    : 2019-06-25
CVE-ID  : CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000879 CVE-2018-1000880
          CVE-2019-1000019 CVE-2019-1000020
Package : libarchive
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-837

Summary
======
The package libarchive before version 3.4.0-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution
=========
Upgrade to 3.4.0-1.

# pacman -Syu "libarchive>=3.4.0-1"

The problems have been fixed upstream in version 3.4.0.

Workaround
=========
None.

Description
==========
- CVE-2018-1000877 (arbitrary code execution)

A double-free issue has been found in libarchive >= 3.1.0 and <=3.3.3,
in the parse_codes() function in archive_read_support_format_rar.c. An
attacker can use a specially crafted RAR file to cause a call to
realloc with a size of 0, effectively freeing the memory which will be
freed again at a later time.

- CVE-2018-1000878 (arbitrary code execution)

A use-after-free issue has been found in libarchive >= 3.1.0 and
<=3.3.3, in the archive_read_format_rar_read_header() function in
archive_read_support_format_rar.c. An attacker can use a specially
crafted RAR file to cause the vulnerable function to free the buffer
and allocate a new one, causing the ppmd7 decoder to continue reading
from and writing to the freed buffer.

- CVE-2018-1000879 (denial of service)

A NULL-pointer dereference issue has been found in libarchive >= 3.3.0
and <=3.3.3, in the archive_acl_from_text_l() function in
archive_acl.c. An attacker can use a specially crafted archive file to
cause a crash via a malformed ACL.

- CVE-2018-1000880 (denial of service)

A resource consumption issue has been found in libarchive >= 3.2.0 and
<=3.3.3, in the _warc_read() function in
archive_read_support_format_warm.c. An attacker can use a specially
crafted WARC file to cause quasi-infinite run time and disk usage from
a tiny file.

- CVE-2019-1000019 (information disclosure)

libarchive version >=v3.0.2 contains a CWE-125: Out-of-bounds Read
vulnerability in 7zip decompression,
archive_read_support_format_7zip.c, header_bytes() that can result in a
crash (denial of service). This attack appears to be exploitable via
the victim opening a specially crafted 7zip file.

- CVE-2019-1000020 (denial of service)

libarchive version >=v2.8.0 contains a CWE-835: Loop with Unreachable
Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that
can result in DoS by infinite loop. This attack appears to be
exploitable via the victim opening a specially crafted ISO9660 file.

Impact
=====
A local attacker is capable of crashing the process, leak information
or execute arbitrary code on the host with a maliciously crafted file.

References
=========
https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
https://github.com/libarchive/libarchive/pull/1105
https://github.com/libarchive/libarchive/pull/1120
https://github.com/libarchive/libarchive/commit/021efa522ad729ff0f5806c4ce53e4a6cc1daa31
https://github.com/libarchive/libarchive/commit/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28
https://github.com/libarchive/libarchive/commit/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175
https://github.com/libarchive/libarchive/commit/9c84b7426660c09c18cc349f6d70b5f8168b5680
https://github.com/libarchive/libarchive/pull/1120/commits/65a23f5dbee4497064e9bb467f81138a62b0dae1
https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423
https://security.archlinux.org/CVE-2018-1000877
https://security.archlinux.org/CVE-2018-1000878
https://security.archlinux.org/CVE-2018-1000879
https://security.archlinux.org/CVE-2018-1000880
https://security.archlinux.org/CVE-2019-1000019
https://security.archlinux.org/CVE-2019-1000020

ArchLinux: 201906-21: libarchive: multiple issues

July 1, 2019

Summary

- CVE-2018-1000877 (arbitrary code execution) A double-free issue has been found in libarchive >= 3.1.0 and <=3.3.3, in the parse_codes() function in archive_read_support_format_rar.c. An attacker can use a specially crafted RAR file to cause a call to realloc with a size of 0, effectively freeing the memory which will be freed again at a later time.
- CVE-2018-1000878 (arbitrary code execution)
A use-after-free issue has been found in libarchive >= 3.1.0 and <=3.3.3, in the archive_read_format_rar_read_header() function in archive_read_support_format_rar.c. An attacker can use a specially crafted RAR file to cause the vulnerable function to free the buffer and allocate a new one, causing the ppmd7 decoder to continue reading from and writing to the freed buffer.
- CVE-2018-1000879 (denial of service)
A NULL-pointer dereference issue has been found in libarchive >= 3.3.0 and <=3.3.3, in the archive_acl_from_text_l() function in archive_acl.c. An attacker can use a specially crafted archive file to cause a crash via a malformed ACL.
- CVE-2018-1000880 (denial of service)
A resource consumption issue has been found in libarchive >= 3.2.0 and <=3.3.3, in the _warc_read() function in archive_read_support_format_warm.c. An attacker can use a specially crafted WARC file to cause quasi-infinite run time and disk usage from a tiny file.
- CVE-2019-1000019 (information disclosure)
libarchive version >=v3.0.2 contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.
- CVE-2019-1000020 (denial of service)
libarchive version >=v2.8.0 contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.

Resolution

Upgrade to 3.4.0-1. # pacman -Syu "libarchive>=3.4.0-1"
The problems have been fixed upstream in version 3.4.0.

References

https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909 https://github.com/libarchive/libarchive/pull/1105 https://github.com/libarchive/libarchive/pull/1120 https://github.com/libarchive/libarchive/commit/021efa522ad729ff0f5806c4ce53e4a6cc1daa31 https://github.com/libarchive/libarchive/commit/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28 https://github.com/libarchive/libarchive/commit/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175 https://github.com/libarchive/libarchive/commit/9c84b7426660c09c18cc349f6d70b5f8168b5680 https://github.com/libarchive/libarchive/pull/1120/commits/65a23f5dbee4497064e9bb467f81138a62b0dae1 https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423 https://security.archlinux.org/CVE-2018-1000877 https://security.archlinux.org/CVE-2018-1000878 https://security.archlinux.org/CVE-2018-1000879 https://security.archlinux.org/CVE-2018-1000880 https://security.archlinux.org/CVE-2019-1000019 https://security.archlinux.org/CVE-2019-1000020

Severity
CVE-2019-1000019 CVE-2019-1000020
Package : libarchive
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-837

Workaround

None.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved