Bug 1888786 (CVE-2020-21674)

Summary: CVE-2020-21674 libarchive: heap-based buffer overflow in archive_string_append_from_wcs function in archive_string.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: besser82, databases-maint, dhiru, mike, moez.roy, ndevos, panovotn, pkubat, praiskup, zbyszek
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libarchive 3.4.1
Doc Type: If docs needed, set a value
Last Closed: 2021-11-02 17:56:27 UTC
Bug Depends On: 1889843
Bug Blocks: 1888787

Description Guilherme de Almeida Suckevicz 2020-10-15 18:39:59 UTC
Heap-based buffer overflow in archive_string_append_from_wcs() (archive_string.c) in libarchive-3.4.1dev allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting in a crash) via a crafted archive file. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.

Reference:
https://github.com/libarchive/libarchive/issues/1298

Upstream patch:
https://github.com/libarchive/libarchive/commit/4f085eea879e2be745f4d9bf57e8513ae48157f4

Comment 4 Todd Cullum 2020-10-19 19:28:15 UTC
Flaw summary:

During the growth (via realloc) of the archive_string buffer in archive_string_append_from_wcs() from libarchive/archive_string.c, it's possible for the reallocation size to be smaller than a max-sized multibyte character plus space for its null terminator, which could cause an out-of-bounds write of 1 byte later in the code when `as->s[as->length] = '\0';` is executed, or potentially elsewhere in the code.
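The growth guard described in this comment, shown as an added example that is neither libarchive's code nor the upstream patch: a simplified wide-to-multibyte appender whose reallocation always reserves MB_CUR_MAX plus one terminator byte before each conversion, so the final `'\0'` store can never land past the allocation. The `struct mbs_buf`, `buf_ensure()` and `append_matches()` names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

struct mbs_buf {
    char  *s;
    size_t length, buffer_length; /* bytes used (excluding NUL), bytes allocated */
};

/* Grow the allocation to at least `need` bytes (doubling, via realloc). */
static int buf_ensure(struct mbs_buf *b, size_t need)
{
    if (b->buffer_length >= need)
        return 0;
    size_t n = b->buffer_length ? b->buffer_length : 16;
    while (n < need)
        n *= 2;
    char *p = realloc(b->s, n);
    if (p == NULL) return -1;
    b->s = p;
    b->buffer_length = n;
    return 0;
}

/* Append a wide string as multibyte text; returns 0, or -1 on failure. */
int append_from_wcs(struct mbs_buf *b, const wchar_t *w)
{
    for (; *w != L'\0'; w++) {
        /* The guard at issue: one max-sized character plus the terminator. */
        if (buf_ensure(b, b->length + MB_CUR_MAX + 1) != 0)
            return -1;
        size_t n = wcrtomb(b->s + b->length, *w, NULL);
        if (n == (size_t)-1) return -1;
        b->length += n;
    }
    if (buf_ensure(b, b->length + 1) != 0) /* empty input reserved nothing yet */
        return -1;
    b->s[b->length] = '\0'; /* in bounds only because the guard above held */
    return 0;
}

/* Hypothetical check helper: 1 if `w` converts to `expected` with the NUL inside the allocation. */
int append_matches(const wchar_t *w, const char *expected)
{
    struct mbs_buf b = { NULL, 0, 0 };
    int ok = append_from_wcs(&b, w) == 0 && b.length < b.buffer_length &&
             strcmp(b.s, expected) == 0;
    free(b.s);
    return ok;
}
```

Under the default "C" locale, wcrtomb() handles only ASCII input, so the constructed inputs below stay within that range while still forcing a realloc past the initial 16 bytes.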

Comment 9 Todd Cullum 2020-10-20 17:18:11 UTC
Statement:

Red Hat Product Security has set the Severity of this flaw to Low for libarchive as shipped with Red Hat Enterprise Linux 8 because we could not reproduce the issue and it states "NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected."

This flaw is out of support scope for libarchive as shipped with Red Hat Enterprise Linux 6 and 7.