A use after free vulnerability has been found in libarchive

Libarchive is a multi-format archive and compression library, mostly known for powering the following widely used programs:

cpio(1) copy files to and from archives

tar(1) tape archiver

zcat(1) compress and expand data (compress mode)

and this is the vulnerability of the day.

The vulnerability

The vulnerability was found by Google's automated fuzzing platform, OSS-Fuzz. The upstream fix is this hunk in the RAR reader:

libarchive/archive_read_support_format_rar.c @@ -1024,8 +1024,10 @@ archive_read_format_rar_read_data(struct archive_read *a, const void **buff, case COMPRESS_METHOD_GOOD: case COMPRESS_METHOD_BEST: ret = read_data_compressed(a, buff, size, offset); if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) { __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context); rar->start_new_table = 1; } break; default:
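Review bot: the added `rar->start_new_table = 1;` after `__archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context);` is the whole fix, yet nothing in the hunk says why it is needed; a one-line comment stating that a failed read_data_compressed() leaves rar->ppmd7_context freed, so the next read must rebuild the tables before touching the context again, would keep the next refactor from dropping the flag. The same comment should note that the ARCHIVE_WARN branch deliberately keeps the context alive and falls through to `break;` unchanged, since the condition `ret != ARCHIVE_OK && ret != ARCHIVE_WARN` is easy to misread as "any non-OK result".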

Link: https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60#diff-44a241994d3a03f7a08b8a70ddc29d1f

Recommendation: upgrade your libarchive package to version 3.4.0 or later, which carries the fix.
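As an added example (not from the original post and not from the libarchive project), here is the check behind that recommendation: a POSIX sh script that pulls the libarchive version out of the bsdtar --version banner (or out of pkg-config --modversion libarchive) and reports whether it predates 3.4.0. It compares versions using libarchive's own major*1000000 + minor*1000 + release encoding, the value archive_version_number() returns (3004000 for 3.4.0). The banner strings embedded in the block are constructed samples in the "bsdtar x.y.z - libarchive x.y.z ..." layout that bsdtar prints; the live check at the end only runs when bsdtar or pkg-config is actually installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from libarchive.
# Reports whether an installed libarchive predates 3.4.0 (CVE-2019-18408 fix).

FIXED_VERSION=3.4.0

# Constructed sample banners (not captured from a real machine).
SAMPLE_OLD='bsdtar 3.3.3 - libarchive 3.3.3 zlib/1.2.11 liblzma/5.2.4 bz2lib/1.0.6'
SAMPLE_NEW='bsdtar 3.4.0 - libarchive 3.4.0 zlib/1.2.11 liblzma/5.2.4 bz2lib/1.0.6'

# libarchive_version_from_banner BANNER
# Prints the "x.y.z" that follows the word "libarchive" in a version banner,
# or nothing if the banner has no such token.
libarchive_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*libarchive \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_number x.y.z
# Encodes a dotted version the way libarchive's ARCHIVE_VERSION_NUMBER does:
# major*1000000 + minor*1000 + release, so 3.4.0 -> 3004000. Missing fields
# count as 0 (3.4 -> 3004000), which makes integer comparison safe.
version_number() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    printf '%d\n' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# is_vulnerable VERSION -> exit status 0 when VERSION sorts before 3.4.0
is_vulnerable() {
    [ "$(version_number "$1")" -lt "$(version_number "$FIXED_VERSION")" ]
}

# check_banner BANNER -> prints "vulnerable X", "fixed X" or "unknown"
check_banner() {
    v=$(libarchive_version_from_banner "$1")
    if [ -z "$v" ]; then
        printf 'unknown\n'
    elif is_vulnerable "$v"; then
        printf 'vulnerable %s\n' "$v"
    else
        printf 'fixed %s\n' "$v"
    fi
}

# Live check against whatever is installed on this host (skipped if neither
# tool is present). pkg-config prints a bare version, so the banner keyword
# is prepended to reuse the same parser.
if command -v bsdtar >/dev/null 2>&1; then
    check_banner "$(bsdtar --version 2>/dev/null)"
elif command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libarchive 2>/dev/null; then
    check_banner "libarchive $(pkg-config --modversion libarchive)"
fi
```

On the OpenBSD 6.5 package from the pkg_info output below, the banner check reports "vulnerable 3.3.3"; on a host with 3.4.0 or newer it reports "fixed". A distribution that backports the patch without bumping the version (Debian and Ubuntu do this) will still show as vulnerable here, so on those systems trust the distribution advisory rather than the version number alone.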

Affected operating systems

Libarchive is used in most operating systems. Debian, Ubuntu and Arch Linux, among several other Linux distributions, ship it as part of the core operating system.

OpenBSD does not use libarchive in the base install. However, the affected version 3.3.3 was still in the 6.5 package repository at the time of writing:

    # pkg_info libarchive
    Information for https://ftp2.eu.openbsd.org/pub/OpenBSD/6.5/packages/amd64/libarchive-3.3.3.tgz

    Comment:
    multi-format archive and compression library

We were especially worried that this would affect OpenBSD, because of our strong in-company love for that system!

We contacted the maintainer of the OpenBSD port, who told us that the package has not been rewritten, so it carries the upstream code:

    Date: Mon, 4 Nov 2019 16:47:03 +0100
    From: Christian Weisgerber <naddy mips.inka.de>
    To: Firo <@firosolutions.com>
    Subject: Re: Libarchive
    Message-ID: <censored>
    References: <censored>
    Content-Type: text/plain; charset=us-ascii
    Content-Disposition: inline
    In-Reply-To: <censored-user@firosolutions.com>
    User-Agent: Mutt

    Firo:

    > Has libarchive been rewritten for openbsd?

    No.

    -- 
    Christian "naddy" Weisgerber                          naddy mips.inka.de

FreeBSD ships libarchive in its base system (its tar(1) and cpio(1) are libarchive's bsdtar and bsdcpio).

Source: https://people.freebsd.org/~kientzle/libarchive/man/archive_read.3.txt

NetBSD also ships libarchive in its base system.

Source: https://netbsd.gw.com/cgi-bin/man-cgi?libarchive++NetBSD-current

The vulnerability has been assigned CVE-2019-18408.

External links:

libarchive github

Firo

libarchive freebsd

Debian security advisory DSA-4557

CVE-2019-18408

Ubuntu statement