The libarchive lib exist a READ memory access Vulnerability #1672
Comments
|
Can you share the test case? That would help us to identify and fix this issue. It would also help if you could provide other details: What system were you using? What version of libarchive? What version of liblzma? |
|
hello,the crash testcase see the attachments。
The environment list below:
ubuntu 18
libfuzzer
liblzma 5.2.2 libarchive3.6.0
…------------------ 原始邮件 ------------------
发件人: "libarchive/libarchive" ***@***.***>;
发送时间: 2022年2月26日(星期六) 凌晨1:35
***@***.***>;
***@***.******@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Can you share the test case? That would help us to identify and fix this issue. It would also help if you could provide other details: What system were you using? What version of libarchive? What version of liblzma?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
My github name is icycityone.I can not send mail by qq mail.This is my new mail.
hello,the crash testcase see the attachments。
The environment list below:
ubuntu 18
libfuzzer
liblzma 5.2.2 libarchive3.6.0
…------------------ 原始邮件 ------------------
发件人: "libarchive/libarchive" ***@***.***>;
发送时间: 2022年2月26日(星期六) 凌晨1:35
收件人: ***@***.***>;
抄送: ***@***.******@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Can you share the test case? That would help us to identify and fix this issue. It would also help if you could provide other details: What system were you using? What version of libarchive? What version of liblzma?
***@***.***
|
|
@icycityone what we need is a sample test file to reproduce the vulnerability |
|
hello,the testcase 、 source file 、crash file see the attachments。Besides,i have Submit cve aim at this question
…------------------ 原始邮件 ------------------
发件人: "libarchive/libarchive" ***@***.***>;
发送时间: 2022年2月26日(星期六) 下午5:12
***@***.***>;
***@***.******@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
@icycityone what we need is a sample test file to reproduce the vulnerability
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
I am sorry, but I don't see any attachments to this issue. If you want you can mail the testcase to me directly at martin@matuska.org |
you can see the next mail . |
|
hello,do you received the message |
|
No, I didn't get an e-mail with the sample nor it is attached to this issue. |
|
oh i am sorry,my emai may be go wrong.can you see the attachedments now.
…---Original---
From: "Martin ***@***.***>
Date: Sun, Mar 6, 2022 05:24 AM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
No, I didn't get an e-mail with the sample nor it is attached to this issue.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
从QQ邮箱发来的超大附件
crash-58af2238755ec09600f15fed6e3e606c09638f42 (92.48K, 无限期) 进入下载页面:https://mail.qq.com/cgi-bin/ftnExs_download?k=cbcc4c65e121705ef9bf1d6566643266dc42326564643266111c5653515c545757501e5c5205574b00515201495c0a52571e0b035d0001525500035507531c66574152160c49075e55550157575c0553015650555d5202565202060301000403075605555207025f02000b035056263e9b110b103aa4a466c56cde0b5a045e6f57bc71&t=exs_ftn_download&code=433edd2f
test.cc (1K, 无限期) 进入下载页面:https://mail.qq.com/cgi-bin/ftnExs_download?k=99c93e33b77c700fabba483330393237623266333239323743195205030d0b0f04504b02515a531a52525f001f010600551b560b0b0e030650000405025f3537125315471c5a51232fc42615d0afab14b557a75ebccf0378ce2c9fa3&t=exs_ftn_download&code=f6f32927
|
|
Hi, I got your testcase. I am unable to reproduce the error with contrib/archivetest. |
|
you should give a curpus when i work tomorrow i will send you it.and the compile file
…---Original---
From: "Martin ***@***.***>
Date: Sun, Mar 6, 2022 17:20 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
Hi, I got your testcase. I am unable to reproduce the error with contrib/archivetest.
Try to compile contrib/archivetest.c with CFLAGS="-g -fsanitize=address" and test the file.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Just to note, the archivetest output from reading your sample looks like this: $ ./archivetest -f crash-58af2238755ec09600f15fed6e3e606c09638f42
Data source: filename: crash-58af2238755ec09600f15fed6e3e606c09638f42
Filter: none
Format: ZIP 0.7 (lzma)
Entry 1: ARCHIVE_OK, pathname unreadable, data: OK
Entry 2: ARCHIVE_OK, pathname unreadable, data: OK
Entry 3: ARCHIVE_OK, pathname unreadable, data: OK
Entry 4: ARCHIVE_OK, pathname unreadable, data: OK
Entry 5: fatal error reading header
Last return code: ARCHIVE_FATAL (-30)
Error string: Truncated ZIP file dataI got no errors from ASAN. |
|
if you compile with the needed lib .my computer is not by hand .i cannot seethe detail now
…---Original---
From: "Martin ***@***.***>
Date: Sun, Mar 6, 2022 17:27 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Just to note, the archivetest output from reading your sample looks like this:
$ ./archivetest -f crash-58af2238755ec09600f15fed6e3e606c09638f42 Data source: filename: crash-58af2238755ec09600f15fed6e3e606c09638f42 Filter: none Format: ZIP 0.7 (lzma) Entry 1: ARCHIVE_OK, pathname unreadable, data: OK Entry 2: ARCHIVE_OK, pathname unreadable, data: OK Entry 3: ARCHIVE_OK, pathname unreadable, data: OK Entry 4: ARCHIVE_OK, pathname unreadable, data: OK Entry 5: fatal error reading header Last return code: ARCHIVE_FATAL (-30) Error string: Truncated ZIP file data
I got no errors from ASAN.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
you can do follow this. Look forward to you reply.
step 1:
apt-get update && apt-get install -y make autoconf automake libtool pkg-config \
libbz2-dev liblzo2-dev liblzma-dev liblz4-dev libz-dev \
libxml2-dev libssl-dev libacl1-dev libattr1-dev
step 2:
git clone --depth 1 https://github.com/libarchive/libarchive.git
cd libarchive
./build/autogen.sh
./configure
make -j$(nproc) all
step 3
# build fuzzer(s)
clang++ -g0 -std=c++11 -fsanitize=address,fuzzer -Ilibarchive \
../$SRC/libarchive_fuzzer.cc -o ../$OUT/libarchive_fuzzer \
.libs/libarchive.a \
-Wl,-Bstatic -lbz2 -llzo2 -lxml2 -llzma -lz -lcrypto -llz4 -licuuc \
-licudata -Wl,-Bdynamic -ldl
step4
./libarchive_fuzzer crashfile
or
./libarchive_fuzzer testcases/ #testcase file see the attachedments
…------------------ 原始邮件 ------------------
发件人: "libarchive/libarchive" ***@***.***>;
发送时间: 2022年3月6日(星期天) 下午5:27
***@***.***>;
***@***.******@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Just to note, the archivetest output from reading your sample looks like this:
$ ./archivetest -f crash-58af2238755ec09600f15fed6e3e606c09638f42 Data source: filename: crash-58af2238755ec09600f15fed6e3e606c09638f42 Filter: none Format: ZIP 0.7 (lzma) Entry 1: ARCHIVE_OK, pathname unreadable, data: OK Entry 2: ARCHIVE_OK, pathname unreadable, data: OK Entry 3: ARCHIVE_OK, pathname unreadable, data: OK Entry 4: ARCHIVE_OK, pathname unreadable, data: OK Entry 5: fatal error reading header Last return code: ARCHIVE_FATAL (-30) Error string: Truncated ZIP file data
I got no errors from ASAN.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
hello have you reproduced the vul?
…------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年3月7日(星期一) 上午9:31
***@***.******@***.***>;
主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
you can do follow this. Look forward to you reply.
step 1:
apt-get update && apt-get install -y make autoconf automake libtool pkg-config \
libbz2-dev liblzo2-dev liblzma-dev liblz4-dev libz-dev \
libxml2-dev libssl-dev libacl1-dev libattr1-dev
step 2:
git clone --depth 1 https://github.com/libarchive/libarchive.git
cd libarchive
./build/autogen.sh
./configure
make -j$(nproc) all
step 3
# build fuzzer(s)
clang++ -g0 -std=c++11 -fsanitize=address,fuzzer -Ilibarchive \
../$SRC/libarchive_fuzzer.cc -o ../$OUT/libarchive_fuzzer \
.libs/libarchive.a \
-Wl,-Bstatic -lbz2 -llzo2 -lxml2 -llzma -lz -lcrypto -llz4 -licuuc \
-licudata -Wl,-Bdynamic -ldl
step4
./libarchive_fuzzer crashfile
or
./libarchive_fuzzer testcases/ #testcase file see the attachedments
------------------ 原始邮件 ------------------
发件人: "libarchive/libarchive" ***@***.***>;
发送时间: 2022年3月6日(星期天) 下午5:27
***@***.***>;
***@***.******@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Just to note, the archivetest output from reading your sample looks like this:
$ ./archivetest -f crash-58af2238755ec09600f15fed6e3e606c09638f42 Data source: filename: crash-58af2238755ec09600f15fed6e3e606c09638f42 Filter: none Format: ZIP 0.7 (lzma) Entry 1: ARCHIVE_OK, pathname unreadable, data: OK Entry 2: ARCHIVE_OK, pathname unreadable, data: OK Entry 3: ARCHIVE_OK, pathname unreadable, data: OK Entry 4: ARCHIVE_OK, pathname unreadable, data: OK Entry 5: fatal error reading header Last return code: ARCHIVE_FATAL (-30) Error string: Truncated ZIP file data
I got no errors from ASAN.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc |
|
ok,can i apply for cve on this subject ?
…------------------ 原始邮件 ------------------
发件人: "Martin ***@***.***>;
发送时间: 2022年3月9日(星期三) 下午4:45
收件人: ***@***.***>;
抄送: ***@***.***>; ***@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc
I currently don't have time to investigate on this issue.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
ok,can i apply for cve on this subject ?
…---原始邮件---
发件人: ***@***.***>
发送时间: 2022年3月9日(周三) 下午4:50
收件人: ***@***.******@***.***>;
抄送: ***@***.***>;
主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
ok,can i apply for cve on this subject ?
------------------ 原始邮件 ------------------
发件人: "Martin ***@***.***>;
发送时间: 2022年3月9日(星期三) 下午4:45
收件人: ***@***.***>;
抄送: ***@***.***>; ***@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc
I currently don't have time to investigate on this issue.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Well, the actual invalid read happens in liblzma. We have to find out if there is a mistake in libarchive by wrongly calling liblzma or if there is an error in liblzma. A CVE against libarchive with a bug in liblzma would be counterproductive.
10.03.2022 15:20:23 icycityone ***@***.***>:
… ok,can i apply for cve on this subject ?
---原始邮件---
发件人: ***@***.***>
发送时间: 2022年3月9日(周三) 下午4:50
收件人: ***@***.******@***.***>;
抄送: ***@***.***>;
主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
ok,can i apply for cve on this subject ?
------------------ 原始邮件 ------------------
发件人: "Martin ***@***.***>;
发送时间: 2022年3月9日(星期三) 下午4:45
收件人: ***@***.***>;
抄送: ***@***.***>; ***@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc
I currently don't have time to investigate on this issue.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
—
Reply to this email directly, view it on GitHub[#1672 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AAHBXPALN5R7WYNSNY4Q2CLU7IAKLANCNFSM5PJVM2IA].
Triage notifications on the go with GitHub Mobile for iOS[https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675] or Android[https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub].
You are receiving this because you commented. [data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAAAAXNSR0IArs4c6QAAAARzQklUCAgICHwIZIgAAAArSURBVHic7cEBDQAAAMKg909tDjegAAAAAAAAAAAAAAAAAAAAAAAAAAA+DFFIAAEctgHwAAAAAElFTkSuQmCC###24x24:true###][Verfolgungsbild][https://github.com/notifications/beacon/AAHBXPGUZ5S2HKXXFJREJFTU7IAKLA5CNFSM5PJVM2IKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOH5WRNNY.gif]
|
|
You mean i can file cVE against Liblzma if the problem is caused by Liblzma. Have you identified which caused it
thanks.
…---Original---
From: "Martin ***@***.***>
Date: Thu, Mar 10, 2022 22:59 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
Well, the actual invalid read happens in liblzma. We have to find out if there is a mistake in libarchive by wrongly calling liblzma or if there is an error in liblzma. A CVE against libarchive with a bug in liblzma would be counterproductive.
10.03.2022 15:20:23 icycityone ***@***.***>:
> ok,can i apply for cve on this subject ?
>
>
>
>
> ---原始邮件---
> 发件人: ***@***.***>
> 发送时间: 2022年3月9日(周三) 下午4:50
> 收件人: ***@***.******@***.***>;
> 抄送: ***@***.***>;
> 主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
>
>
> ok,can i apply for cve on this subject ?
>
>
>
>
> ------------------ 原始邮件 ------------------
> 发件人: "Martin ***@***.***>;
> 发送时间: 2022年3月9日(星期三) 下午4:45
> 收件人: ***@***.***>;
> 抄送: ***@***.***>; ***@***.***>;
> 主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
>
>
>
>
>
>
> Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc
> I currently don't have time to investigate on this issue.
>
> —
> Reply to this email directly, view it on GitHub, or unsubscribe.
> Triage notifications on the go with GitHub Mobile for iOS or Android.
> You are receiving this because you were mentioned.Message ID: ***@***.***>
>
> —
> Reply to this email directly, view it on GitHub[#1672 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AAHBXPALN5R7WYNSNY4Q2CLU7IAKLANCNFSM5PJVM2IA].
> Triage notifications on the go with GitHub Mobile for iOS[https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675] or Android[https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub].
> You are receiving this because you commented. [data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAAAAXNSR0IArs4c6QAAAARzQklUCAgICHwIZIgAAAArSURBVHic7cEBDQAAAMKg909tDjegAAAAAAAAAAAAAAAAAAAAAAAAAAA+DFFIAAEctgHwAAAAAElFTkSuQmCC###24x24:true###][Verfolgungsbild][https://github.com/notifications/beacon/AAHBXPGUZ5S2HKXXFJREJFTU7IAKLA5CNFSM5PJVM2IKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOH5WRNNY.gif]
>
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
You mean i can file cVE against Liblzma if the problem is caused by Liblzma. Have you identified which caused it
thanks.
…------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年3月11日(星期五) 凌晨0:35
***@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
You mean i can file cVE against Liblzma if the problem is caused by Liblzma. Have you identified which caused it
thanks.
---Original---
From: "Martin ***@***.***>
Date: Thu, Mar 10, 2022 22:59 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
Well, the actual invalid read happens in liblzma. We have to find out if there is a mistake in libarchive by wrongly calling liblzma or if there is an error in liblzma. A CVE against libarchive with a bug in liblzma would be counterproductive.
10.03.2022 15:20:23 icycityone ***@***.***>:
> ok,can i apply for cve on this subject ?
>
>
>
>
> ---原始邮件---
> 发件人: ***@***.***>
> 发送时间: 2022年3月9日(周三) 下午4:50
> 收件人: ***@***.******@***.***>;
> 抄送: ***@***.***>;
> 主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
>
>
> ok,can i apply for cve on this subject ?
>
>
>
>
> ------------------ 原始邮件 ------------------
> 发件人: "Martin ***@***.***>;
> 发送时间: 2022年3月9日(星期三) 下午4:45
> 收件人: ***@***.***>;
> 抄送: ***@***.***>; ***@***.***>;
> 主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
>
>
>
>
>
>
> Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc
> I currently don't have time to investigate on this issue.
>
> —
> Reply to this email directly, view it on GitHub, or unsubscribe.
> Triage notifications on the go with GitHub Mobile for iOS or Android.
> You are receiving this because you were mentioned.Message ID: ***@***.***>
>
> —
> Reply to this email directly, view it on GitHub[#1672 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AAHBXPALN5R7WYNSNY4Q2CLU7IAKLANCNFSM5PJVM2IA].
> Triage notifications on the go with GitHub Mobile for iOS[https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675] or Android[https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub].
> You are receiving this because you commented. [data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAAAAXNSR0IArs4c6QAAAARzQklUCAgICHwIZIgAAAArSURBVHic7cEBDQAAAMKg909tDjegAAAAAAAAAAAAAAAAAAAAAAAAAAA+DFFIAAEctgHwAAAAAElFTkSuQmCC###24x24:true###][Verfolgungsbild][https://github.com/notifications/beacon/AAHBXPGUZ5S2HKXXFJREJFTU7IAKLA5CNFSM5PJVM2IKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOH5WRNNY.gif]
>
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
hello,Have you identified which caused it thanks.
…------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年3月11日(星期五) 下午2:49
***@***.***>;
主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
You mean i can file cVE against Liblzma if the problem is caused by Liblzma. Have you identified which caused it
thanks.
------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年3月11日(星期五) 凌晨0:35
***@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
You mean i can file cVE against Liblzma if the problem is caused by Liblzma. Have you identified which caused it
thanks.
---Original---
From: "Martin ***@***.***>
Date: Thu, Mar 10, 2022 22:59 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
Well, the actual invalid read happens in liblzma. We have to find out if there is a mistake in libarchive by wrongly calling liblzma or if there is an error in liblzma. A CVE against libarchive with a bug in liblzma would be counterproductive.
10.03.2022 15:20:23 icycityone ***@***.***>:
> ok,can i apply for cve on this subject ?
>
>
>
>
> ---原始邮件---
> 发件人: ***@***.***>
> 发送时间: 2022年3月9日(周三) 下午4:50
> 收件人: ***@***.******@***.***>;
> 抄送: ***@***.***>;
> 主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
>
>
> ok,can i apply for cve on this subject ?
>
>
>
>
> ------------------ 原始邮件 ------------------
> 发件人: "Martin ***@***.***>;
> 发送时间: 2022年3月9日(星期三) 下午4:45
> 收件人: ***@***.***>;
> 抄送: ***@***.***>; ***@***.***>;
> 主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
>
>
>
>
>
>
> Yes, I have managed to reproduce the error. I have used contrib/oss-fuzz/libarchive_fuzzer.cc
> I currently don't have time to investigate on this issue.
>
> —
> Reply to this email directly, view it on GitHub, or unsubscribe.
> Triage notifications on the go with GitHub Mobile for iOS or Android.
> You are receiving this because you were mentioned.Message ID: ***@***.***>
>
> —
> Reply to this email directly, view it on GitHub[#1672 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/AAHBXPALN5R7WYNSNY4Q2CLU7IAKLANCNFSM5PJVM2IA].
> Triage notifications on the go with GitHub Mobile for iOS[https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675] or Android[https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub].
> You are receiving this because you commented. [data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAAAAXNSR0IArs4c6QAAAARzQklUCAgICHwIZIgAAAArSURBVHic7cEBDQAAAMKg909tDjegAAAAAAAAAAAAAAAAAAAAAAAAAAA+DFFIAAEctgHwAAAAAElFTkSuQmCC###24x24:true###][Verfolgungsbild][https://github.com/notifications/beacon/AAHBXPGUZ5S2HKXXFJREJFTU7IAKLA5CNFSM5PJVM2IKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOH5WRNNY.gif]
>
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
@mmatuska @icycityone can either of you provide the crashfile in this thread or to my email jiat0218@gmail.com? I have been working with liblzma quite a bit recently and I can help determine if this is a libarchive or liblzma problem |
|
hello,i have discussed with security engineer from liblzma,the vulnerability may caused by
zipx_lzma_alone_init().if you have time,please debug to check it.look forward to you reply thanks.
The Message records bellow:
On 2022-03-18 jun ma wrote:
> oh,thanks for your reply ,i have debuged it using gdb and discussed
> with security engineer from libarchive,it
>
> high possibility caused by liblzma.when you have time, hope you can
> take some time to have a look.thanks!
The problem is that lzma_code() is called with lzma_stream.avail_in set
to 18446744073709551607 which equals -9 when interpret as a signed
value. That is, it's a bug in libarchive. I attached a patch that adds
a few fprintf() calls to libarchive which show how the incorrect value
comes from zipx_lzma_alone_init() but I didn't debug how to fix it.
Here is the output:
DEBUG: libarchive/archive_read_support_format_zip.c:1607: init
DEBUG: libarchive/archive_read_support_format_zip.c:1728: zip->entry_bytes_remaining = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1859: zip->entry_bytes_remaining = 1, bytes_avail = 94559
DEBUG: libarchive/archive_read_support_format_zip.c:1916: zip->entry_bytes_remaining = 1, to_consume = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1607: init
DEBUG: libarchive/archive_read_support_format_zip.c:1728: zip->entry_bytes_remaining = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1859: zip->entry_bytes_remaining = 1, bytes_avail = 94501
DEBUG: libarchive/archive_read_support_format_zip.c:1916: zip->entry_bytes_remaining = 1, to_consume = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1607: init
DEBUG: libarchive/archive_read_support_format_zip.c:1728: zip->entry_bytes_remaining = -9
DEBUG: libarchive/archive_read_support_format_zip.c:1859: zip->entry_bytes_remaining = -9, bytes_avail = 94443
Can you forward the above information to libarchive developers?
Thank you for your effort to look for bugs and reporting them!
Two minor things for the future:
I understand that sending the bad .zip file directly as an attachment
doesn't work for some destinations because antivirus products can block
such emails (GMail does). I could extract the .rar with 7z from p7zip so
it wasn't a problem for me, but in general free software developers
prefer exchanging information using fully open formats like .zip, .7z,
or .tar + some compressor. .zip with its very old (and insecure)
encryption is supported widely. I tested this with GMail:
zip -e badfile.zip badfile.bin # password set to 123456
This worked. Without encryption it was rejected. I think the filename
inside the encrypted .zip must be something like .bin instead of .zip
since filenames aren't encrypted.
The second thing is that I did receive the email with the subject
crash-58af2238755ec09600f15fed6e3e606c09638f42 but I wasn't on my
computer during those days, so I was slow to reply, sorry. (My email
provider doesn't block attachments as easily as GMail does.) The email
contained a 46-megabyte attachment (base64-encoded size) which I
suppose was the test program binary. That is a fairly big file to
attach and most people (me included) won't run binaries received in
email.
Again, thanks for your help in finding and reporting bugs!
…--
Lasse Collin
------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年3月4日(星期五) 下午5:15
***@***.***>;
主题: 回复:转发:回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Please ask if this vulnerability has been confirmed
------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年3月4日(星期五) 上午10:33
***@***.***>;
主题: 回复:转发:回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Please ask if this vulnerability has been confirmed
------------------ 原始邮件 ------------------
发件人: "马骏" ***@***.***>;
发送时间: 2022年2月26日(星期六) 晚上6:31
***@***.***>;
主题: 转发:回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
i have send this mail ,you can see this
---原始邮件---
发件人: ***@***.***>
发送时间: 2022年2月26日(周六) 下午5:45
收件人: ***@***.***>;
主题: 回复: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
hello,the testcase 、 source file 、crash file see the attachments。Besides,i have Submit cve aim at this question
------------------ 原始邮件 ------------------
发件人: "libarchive/libarchive" ***@***.***>;
发送时间: 2022年2月26日(星期六) 下午5:12
***@***.***>;
***@***.******@***.***>;
主题: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
@icycityone what we need is a sample test file to reproduce the vulnerability
—
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
The analysis above points to a bug in At line 1720, after successfully parsing the 9-byte header and initializing the decompressor, we subtract 9 bytes from the entry size: I believe this is where the So I believe the correct answer is to change the test in line 1678 to ensure that there are in fact 9 bytes available in the entry before we try to read those 9 bytes: |
|
so the bug is certainly caused by libarchive not by liblzma. Can i apply for cve on this subject @kientzle |
mmatuska
pushed a commit
to mmatuska/libarchive
that referenced
this issue
Mar 24, 2022
|
@icycityone Yes, please go ahead and apply for a CVE. Has anyone verified that my suggested change above fixes this issue? |
|
hello,thanks for your reply.Is it possible to pass this commit by https://cveform.mitre.org/ or submit by other means. And how long will it take to get the reply. Look forward to your reply. @kientzle |
|
I have submitted the patch. Btw. is a out-of-bounds read that does nothing actually eligible for a CVE? The application will read some bytes beyond the boundary but it will always die and stop processing. |
|
oh thank to your reply. I have apply a cve after all i have take a lot of time to test.
…---Original---
From: "Martin ***@***.***>
Date: Fri, Mar 25, 2022 17:51 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
Hello icycityone, feel free to apply for a CVE. I have already committed the patch into the tree.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Linking with OSS-Fuzz issue 38766 that got resolved by the fix: |
|
@mmatuska the process will only be killed if the read is off the edge of a page boundary and the next page is not readable. That still leaves up to 4095 bytes that could be read unimpeded, even if the next page is unreadable. OOB reads can still be very serious if, for example, the process also has credentials in its address space. |
|
@risicle the data read here is treated in libarchive as "external data", so libarchive will erroneously consider the data to be from the archive and interpret the rest of the 9-byte header. All subsequent reads (based or not based on the header data received) will fail on the empty entry_bytes_remaining. |
|
When can we tag and release a new, patched version? Will fixes be backported to earlier libarchive release series, too? |
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this issue
Apr 8, 2022
Source: libarchive/libarchive#1672 MR: 117047 Type: Security Fix Disposition: Backport from libarchive/libarchive@cfaa281 ChangeID: 4cbeb941b705104ced195a01f6bf93871f0db4e7 Description: CVE-2022-26280 libarchive: out of bounds in zipx_lzma_alone_init. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
10 tasks
praharsh23
pushed a commit
to praharsh23/libarchive
that referenced
this issue
May 3, 2022
|
CVE-2022-28066 appers to have been assigned to this issue. |
|
Any reason as to why 2 CVE (CVE-2022-26280 CVE-2022-28066) have been assigned to this issue? |
|
I suspect this was assigned then by error. Asked MITRE if one of both
should be rejected.
|
|
oh the cve is sumbmit by me
…---Original---
From: ***@***.***>
Date: Mon, May 9, 2022 18:25 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)
I suspect this was assigned then by error. Asked MITRE if one of both
should be rejected.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
i have submited twice.May they have not cheched it
…---Original---
From: ***@***.***>
Date: Mon, May 9, 2022 16:26 PM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
Any reason as to why 2 CVE (CVE-2022-26280 CVE-2022-28066) have been assigned to this issue?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
@icycityone That might be the case. You submitted different descriptions so I'm assuming they thought it's a different vulnerability. |
|
i have not noticed this since i received the reply from MITRE.I recived the cve numbers is 28260. |
maybe,because this is my first time to submit,so to ensure they recevied,i have sumbmited twice |
|
@icycityone: regarding to CVE reporting,
|
|
oh i am busy those days and have no time to test other versions.ANd i have searched but did not know how to cancel the cve
…---Original---
From: ***@***.***>
Date: Thu, May 12, 2022 02:17 AM
To: ***@***.***>;
Cc: ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memoryaccess Vulnerability (Issue #1672)
@icycityone: regarding to CVE reporting,
could you please give detailed affected previous release versions in report? something like from version 3.4.0 to 3.6.0? that will help NVD to populate CPE list. It will be even better if providing enumerated all affected released versions.
Definitely suggest to keep one CVE open, suggest to close CVE-2022-28066 and keep CVE-2022-26280, because CVE-2022-26280 already have CVSS score assigned.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Requesting for REJECT of a CVE can be done via
https://cveform.mitre.org/ -> Select a request type -> Request an
update to an existing CVE entry -> Type of update requested ->
Rejection.
|
12 tasks
rpurdie
pushed a commit
to yoctoproject/poky
that referenced
this issue
Mar 25, 2023
Backport fix from libarchive/libarchive#1672 (From OE-Core rev: b23482f9ea1cc930a3d5ecfe5fc465e2f720a949) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
kraj
pushed a commit
to YoeDistro/openembedded-core
that referenced
this issue
Mar 26, 2023
Backport fix from libarchive/libarchive#1672 Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/poky
that referenced
this issue
Mar 27, 2023
Source: poky MR: 125004, 117047 Type: Security Fix Disposition: Merged from poky ChangeID: 51a742eab1a8b2f84aee82b8ad77cd5a237c6283 Description: Backport fix from libarchive/libarchive#1672 (From OE-Core rev: b23482f9ea1cc930a3d5ecfe5fc465e2f720a949) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
hello,when i use libfuzzer to write code to call archive_read_data function,i find a READ memory access Vulnerability.see the picture! The lzma_decode function crashed when decode my testcase.
The text was updated successfully, but these errors were encountered: