bsdtar: An error in archive_wstring_append_from_mbs() (archive_string.c) allows out-of-bounds read memory access and subsequently cause a crash #1276
Comments
Any update on this issue?
Thanks for the fix. This issue has been assigned CVE-2019-19221 by MITRE.
halstead pushed a commit to openembedded/openembedded-core that referenced this issue on Nov 29, 2019
Also see: libarchive/libarchive#1276 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
gbionescu pushed a commit to gbionescu/poky that referenced this issue on Nov 29, 2019
Also see: libarchive/libarchive#1276 (From OE-Core rev: 422bef7a205b9b5d48d5b0e0b2b14ac65484607a) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this issue on Nov 29, 2019
Source: poky MR: 00000 Type: Integration Disposition: Merged from poky ChangeID: c534b46 Description: Also see: libarchive/libarchive#1276 (From OE-Core rev: 422bef7a205b9b5d48d5b0e0b2b14ac65484607a) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue on Dec 6, 2019
Also see: libarchive/libarchive#1276 (From OE-Core rev: 422bef7) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
gbionescu pushed a commit to gbionescu/poky that referenced this issue on Dec 6, 2019
Also see: libarchive/libarchive#1276 (From OE-Core rev: 422bef7a205b9b5d48d5b0e0b2b14ac65484607a) (From OE-Core rev: f3e7298c32c430dfc955a2023474810ae32926ba) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this issue on Dec 6, 2019
Source: poky MR: 00000 Type: Integration Disposition: Merged from poky ChangeID: 6945f56 Description: Also see: libarchive/libarchive#1276 (From OE-Core rev: 422bef7a205b9b5d48d5b0e0b2b14ac65484607a) (From OE-Core rev: f3e7298c32c430dfc955a2023474810ae32926ba) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
clrpackages pushed a commit to clearlinux-pkgs/libarchive that referenced this issue on Dec 10, 2019
libarchive/libarchive#1276 libarchive/libarchive@22b1db9 CVEs fixed in this build: CVE-2019-19221
halstead pushed a commit to openembedded/openembedded-core that referenced this issue on Jan 28, 2020
Also see: libarchive/libarchive#1276 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
kraj pushed a commit to YoeDistro/poky-old that referenced this issue on Jan 28, 2020
Also see: libarchive/libarchive#1276 (From OE-Core rev: b4628dd1ef9d50e8778cadae09e6d31886bd47d2) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this issue on Feb 23, 2020
Source: poky MR: 00000 Type: Integration Disposition: Merged from poky ChangeID: a233575 Description: Also see: libarchive/libarchive#1276 (From OE-Core rev: b4628dd1ef9d50e8778cadae09e6d31886bd47d2) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
eigendude pushed a commit to eigendude/openembedded-core that referenced this issue on Oct 1, 2020
Also see: libarchive/libarchive#1276 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
eigendude pushed a commit to eigendude/openembedded-core that referenced this issue on Oct 2, 2020
Also see: libarchive/libarchive#1276 Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
bsdtar: An error in archive_wstring_append_from_mbs() (archive_string.c) triggers an out-of-bounds read memory access that results in a crash, via a specially crafted archive file. This bug was found using our custom fuzzer.
Basic Information:
Version of libarchive: libarchive-3.4.0, libarchive-3.4.1dev
How you obtained it: build from source
libarchive-3.4.0.tar.gz (https://www.libarchive.org/)
libarchive-3.4.1dev (https://github.com/libarchive/libarchive)
Tested operating system and version: Linux 4.15.0-65-generic x86_64
Tested compilers versions: gcc (version 7.4.0) and clang (version 6.0.0-1ubuntu2)
What other files were involved?
To trigger the bug, use the crashing input file crash_file_1 (unzip crash-file.zip).
crash-file.zip
============
Command to reproduce the bug using valgrind:
$ valgrind -v ./bsdtar -t -f crash_file_1
Output (partial):
Possible cause:
In archive_wstring_append_from_mbs() (archive_string.c):
mbrtowc() function is called with the following parameter values: wcs_length = 3, mbs_length = 1, mbs = 0x7ffff6a43ffe "\212".
r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
Here, "mbs" has a length of 1 byte, while mbrtowc() tends to read 3 bytes (wcs_length = 3), thus resulting in an out-of-bounds memory read.
The program crashes due to memory access violation, which can cause denial of service.
The values {wcs_length = 3, mbs_length = 1} are reached if the return value of mbrtowc() is r = -1 or r = -2 in the previous iteration of the while loop. The "mbs" pointer increases (++mbs) and "mbs_length" decreases (--mbs_length), but wcs_length remains constant (3 bytes in this case).
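The bounds rule described in the report above, as an added example (not libarchive's code and not the fix that was merged): a conversion loop that passes the remaining source length to mbrtowc() and keeps the pointer and the budget in step on every path. The name `bounded_mbs_to_wcs`, the substitute-with-'?' policy for invalid bytes and the sample input in `main` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical helper, not libarchive's: convert mbs_length bytes of mbs into
 * wcs (room for wcs_cap wide characters). Returns the number of wide
 * characters written, or (size_t)-1 if the input ends inside a character. */
size_t bounded_mbs_to_wcs(wchar_t *wcs, size_t wcs_cap,
                          const char *mbs, size_t mbs_length)
{
    mbstate_t state;
    size_t out = 0;

    memset(&state, 0, sizeof(state));
    while (mbs_length > 0 && out < wcs_cap) {
        /* The third argument caps how many SOURCE bytes mbrtowc() may read.
         * The reported call passed wcs_length here; the bytes still left
         * in mbs are the only safe bound. */
        size_t r = mbrtowc(&wcs[out], mbs, mbs_length, &state);

        if (r == (size_t)-2)      /* incomplete sequence at end of input */
            return (size_t)-1;
        if (r == 0)               /* decoded a NUL: treat as end of string */
            break;
        if (r == (size_t)-1) {    /* invalid byte: substitute and resync */
            wcs[out] = L'?';
            memset(&state, 0, sizeof(state));
            r = 1;
        }
        /* Source pointer and source budget always move together. */
        mbs += r;
        mbs_length -= r;
        out++;
    }
    return out;
}

int main(void)
{
    wchar_t wcs[3];
    /* Constructed input matching the report: one byte, "\212", with room
     * for three wide characters in the destination. */
    size_t n = bounded_mbs_to_wcs(wcs, 3, "\212", 1);

    printf("converted %zu wide character(s)\n", n);
    return 0;
}
```

Building this with `-fsanitize=address` and feeding it inputs that end on a lead byte is a quick way to confirm that no call reads past `mbs + mbs_length`.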