Bug 1769979 (CVE-2019-18408) - CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry
Status: CLOSED ERRATA
Alias: CVE-2019-18408
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1769980 1769981 1769982 1789502 1789503 1789505 1789506 1789507
Blocks: 1769983
Reported: 2019-11-07 20:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-07 20:57 UTC (History)

Fixed In Version: libarchive 3.4.0
Last Closed: 2020-01-22 20:09:31 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0208 0 None None None 2020-01-23 03:04:11 UTC
Red Hat Product Errata RHBA-2020:0221 0 None None None 2020-01-23 17:38:24 UTC
Red Hat Product Errata RHBA-2020:0276 0 None None None 2020-01-29 12:28:49 UTC
Red Hat Product Errata RHBA-2020:0280 0 None None None 2020-01-29 14:54:03 UTC
Red Hat Product Errata RHBA-2020:0281 0 None None None 2020-01-29 15:08:59 UTC
Red Hat Product Errata RHBA-2020:0294 0 None None None 2020-01-30 09:09:52 UTC
Red Hat Product Errata RHBA-2020:0298 0 None None None 2020-01-30 11:01:42 UTC
Red Hat Product Errata RHBA-2020:0299 0 None None None 2020-01-30 10:55:38 UTC
Red Hat Product Errata RHBA-2020:0304 0 None None None 2020-01-30 15:44:22 UTC
Red Hat Product Errata RHBA-2020:0315 0 None None None 2020-02-03 01:41:16 UTC
Red Hat Product Errata RHBA-2020:0662 0 None None None 2020-03-03 21:25:13 UTC
Red Hat Product Errata RHSA-2020:0203 0 None None None 2020-01-22 14:09:34 UTC
Red Hat Product Errata RHSA-2020:0246 0 None None None 2020-01-27 20:26:44 UTC
Red Hat Product Errata RHSA-2020:0271 0 None None None 2020-01-29 07:59:23 UTC

Description Guilherme de Almeida Suckevicz 2019-11-07 20:39:12 UTC
archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689

Upstream commit:
https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60

Comment 1 Guilherme de Almeida Suckevicz 2019-11-07 20:39:31 UTC
Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 1769980]


Created libarchive3 tracking bugs for this issue:

Affects: epel-6 [bug 1769982]


Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-all [bug 1769981]

Comment 4 Riccardo Schirone 2020-01-09 08:55:36 UTC
While reading data from a RAR file in function archive_read_format_rar_read_data(), if the compression method used is COMPRESS_METHOD_BEST and there is an error while reading the compressed data, the rar->ppmd7_context is freed, but the logic is not instructed to not use that data for next compression entries. This leads to a use-after-free vulnerability in function read_data_compressed(), when rar->ppmd7_context is used again.

An application that uses libarchive to decompress untrusted RAR files may be vulnerable to this flaw, which would allow a remote attacker to cause the program to crash or possibly execute arbitrary code.
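
The state-handling pattern described in comment 4, as an added illustration that is not part of the bug report and is not libarchive code: a reader frees its decoder context on a failed entry, and the next entry reuses it unless the error path also resets the reader's state. All names (`struct reader`, `need_new_ctx`, `read_entry`) are hypothetical, and the `ctx_live` field exists only so the model can report the stale use instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model; all names are hypothetical, none of this is libarchive code. */
enum { ENTRY_OK = 0, ENTRY_FAILED = -1, STALE_CONTEXT = -2 };

struct reader {
    unsigned char *ctx;  /* stands in for the decoder context */
    int ctx_live;        /* demo bookkeeping: 1 while ctx points at live memory */
    int need_new_ctx;    /* reader state: allocate a context before decoding */
};

/* Frees the context but leaves r->ctx dangling, as in the flaw. */
static void ctx_release(struct reader *r) { free(r->ctx); r->ctx_live = 0; }

/* Decode one entry; `corrupt` simulates a decompression error. */
static int read_entry(struct reader *r, int corrupt, int hardened) {
    if (r->need_new_ctx) {
        r->ctx = malloc(64);
        if (r->ctx == NULL) return ENTRY_FAILED;
        r->ctx_live = 1;
        r->need_new_ctx = 0;
    }
    if (!r->ctx_live) return STALE_CONTEXT; /* real code would touch freed memory here */
    if (corrupt) {
        ctx_release(r);
        if (hardened) { r->ctx = NULL; r->need_new_ctx = 1; } /* reset state with the free */
        return ENTRY_FAILED;                /* caller may continue with the next entry */
    }
    memset(r->ctx, 0, 64);                  /* stands in for normal decoding work */
    return ENTRY_OK;
}

/* Constructed input: corrupt first entry, then a good one; returns the second's status. */
int second_entry_status(int hardened) {
    struct reader r = { NULL, 0, 1 };
    (void)read_entry(&r, 1, hardened);
    int rc = read_entry(&r, 0, hardened);
    if (r.ctx_live) ctx_release(&r);
    return rc;
}

int main(void) {
    printf("unhardened: %d, hardened: %d\n", second_entry_status(0), second_entry_status(1));
    return 0;
}
```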

Comment 6 Riccardo Schirone 2020-01-09 17:52:38 UTC
Statement:

This issue did not affect the versions of libarchive as shipped with Red Hat Enterprise Linux 6 as they did not include support for RAR archives.

Comment 8 Riccardo Schirone 2020-01-09 18:03:21 UTC
RAR support added in libarchive v3.0.2 (see https://github.com/libarchive/libarchive/wiki/ReleaseNotes#libarchive-302).

Comment 9 Riccardo Schirone 2020-01-09 18:12:51 UTC
Mitigation:

No known mitigation.

Comment 10 Rick 2020-01-09 19:32:16 UTC
(In reply to Riccardo Schirone from comment #9)
> Mitigation:
> 
> No known mitigation.

What does "mitigation" mean here? 

Especially given,

> Riccardo Schirone 2020-01-09 09:09:19 UTC
> Fixed In Version: libarchive 3.4.0

Comment 11 errata-xmlrpc 2020-01-22 14:09:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0203 https://access.redhat.com/errata/RHSA-2020:0203

Comment 12 Product Security DevOps Team 2020-01-22 20:09:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18408

Comment 13 errata-xmlrpc 2020-01-27 20:26:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0246 https://access.redhat.com/errata/RHSA-2020:0246

Comment 15 errata-xmlrpc 2020-01-29 07:59:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0271 https://access.redhat.com/errata/RHSA-2020:0271

