Bug 1769979 (CVE-2019-18408)
| Summary: | CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | besser82, databases-maint, mike, mvanderw, ndevos, odubaj, panovotn, pkubat, praiskup, rickhg12hs, tcrider, tomm.momi |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | libarchive 3.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A use-after-free vulnerability was discovered in libarchive in the way it processes RAR archives when there is an error in one of the archive's entries. An application that accepts untrusted RAR archives may be vulnerable to this flaw, which could allow a remote attacker to cause a denial of service or to potentially execute code.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-01-22 20:09:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1769980, 1769981, 1769982, 1789502, 1789503, 1789505, 1789506, 1789507 | ||
| Bug Blocks: | 1769983 | ||
|
Description
Guilherme de Almeida Suckevicz
2019-11-07 20:39:12 UTC
Created libarchive tracking bugs for this issue: Affects: fedora-all [bug 1769980] Created libarchive3 tracking bugs for this issue: Affects: epel-6 [bug 1769982] Created mingw-libarchive tracking bugs for this issue: Affects: fedora-all [bug 1769981] While reading data from a RAR file in function archive_read_format_rar_read_data(), if the compression method used is COMPRESS_METHOD_BEST and there is an error while reading the compressed data, the rar->ppmd7_context is freed, but the logic is not instructed to not use that data for next compression entries. This leads to a use-after-free vulnerability in function read_data_compressed(), when rar->ppmd7_context is used again. An application that uses libarchive to decompress untrusted RAR files may be vulnerable to this flaw, which would allow a remote attacker to cause the program to crash or possibly execute arbitrary code. Statement: This issue did not affect the versions of libarchive as shipped with Red Hat Enterprise Linux 6 as they did not include support for RAR archives. RAR support added in libarchive v3.0.2 (see https://github.com/libarchive/libarchive/wiki/ReleaseNotes#libarchive-302). Mitigation: No known mitigation. (In reply to Riccardo Schirone from comment #9) > Mitigation: > > No known mitigation. What does "mitigation" mean here? Especially given, > Riccardo Schirone 2020-01-09 09:09:19 UTC > Fixed In Version: libarchive 3.4.0 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0203 https://access.redhat.com/errata/RHSA-2020:0203 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18408 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0246 https://access.redhat.com/errata/RHSA-2020:0246 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0271 https://access.redhat.com/errata/RHSA-2020:0271 |