archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.
Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689
Upstream commit: https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1769980]
Created libarchive3 tracking bugs for this issue:
Affects: epel-6 [bug 1769982]
Created mingw-libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1769981]
While reading data from a RAR file in function archive_read_format_rar_read_data(), if the compression method used is COMPRESS_METHOD_BEST and there is an error while reading the compressed data, the rar->ppmd7_context is freed, but the logic is not instructed to not use that data for next compression entries. This leads to a use-after-free vulnerability in function read_data_compressed(), when rar->ppmd7_context is used again. An application that uses libarchive to decompress untrusted RAR files may be vulnerable to this flaw, which would allow a remote attacker to cause the program to crash or possibly execute arbitrary code.
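The failure mode described in the comment above, reduced to a minimal C model. This is an added illustration, not libarchive code or the upstream patch: `struct reader`, `need_init`, `ctx_valid` and the function names are hypothetical, with `ctx` standing in for `rar->ppmd7_context`. The stale-pointer case is detected through a flag instead of being dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not libarchive's. */
struct model { unsigned char table[256]; };
struct reader {
    struct model *ctx;  /* stands in for rar->ppmd7_context */
    int ctx_valid;      /* demo bookkeeping: 1 while ctx is live memory */
    int need_init;      /* 1 = allocate a fresh ctx before decoding */
};

/* Error path as described: memory released, reader still looks "ready". */
static void fail_entry_unsafe(struct reader *r) {
    free(r->ctx);
    r->ctx_valid = 0;   /* pointer is left stale, need_init stays 0 */
}

/* Hardened error path: drop the pointer and force re-initialisation. */
static void fail_entry_safe(struct reader *r) {
    free(r->ctx);
    r->ctx = NULL;
    r->ctx_valid = 0;
    r->need_init = 1;
}

/* Returns 0 on success, -1 where freed memory would have been used. */
static int decode_next_entry(struct reader *r) {
    if (r->need_init) {
        r->ctx = calloc(1, sizeof(*r->ctx));
        if (r->ctx == NULL) return -1;
        r->ctx_valid = 1;
        r->need_init = 0;
    }
    if (!r->ctx_valid) return -1;  /* the use-after-free point */
    r->ctx->table[0]++;            /* safe: ctx is live here */
    return 0;
}

/* Entry 1 decodes, entry 2 fails mid-stream, then the next is attempted. */
static int next_entry_after_failure(int hardened) {
    struct reader r = { NULL, 0, 1 };
    if (decode_next_entry(&r) != 0) return -2;
    if (hardened) fail_entry_safe(&r); else fail_entry_unsafe(&r);
    int rc = decode_next_entry(&r);
    if (rc == 0) free(r.ctx);
    return rc;
}

int main(void) {
    printf("unsafe: %d\n", next_entry_after_failure(0));
    printf("hardened: %d\n", next_entry_after_failure(1));
    return 0;
}
```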
Statement: This issue did not affect the versions of libarchive as shipped with Red Hat Enterprise Linux 6 as they did not include support for RAR archives.
RAR support added in libarchive v3.0.2 (see https://github.com/libarchive/libarchive/wiki/ReleaseNotes#libarchive-302).
Mitigation: No known mitigation.
(In reply to Riccardo Schirone from comment #9)
> Mitigation:
>
> No known mitigation.

What does "mitigation" mean here? Especially given,

> Riccardo Schirone 2020-01-09 09:09:19 UTC
> Fixed In Version: libarchive 3.4.0

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:0203 https://access.redhat.com/errata/RHSA-2020:0203
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18408
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:0246 https://access.redhat.com/errata/RHSA-2020:0246
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:0271 https://access.redhat.com/errata/RHSA-2020:0271