Headline
CVE-2022-26280: The libarchive lib exist a READ memory access Vulnerability · Issue #1672 · libarchive/libarchive
Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.
Hello, I have discussed with a security engineer from liblzma; the vulnerability may be caused by zipx_lzma_alone_init(). If you have time, please debug to check it. Looking forward to your reply, thanks. The message records are below:

On 2022-03-18 jun ma wrote:
> oh, thanks for your reply, i have debugged it using gdb and discussed
> with security engineer from libarchive, it
>
> high possibility caused by liblzma. when you have time, hope you can
> take some time to have a look. thanks!

The problem is that lzma_code() is called with lzma_stream.avail_in set to 18446744073709551607 which equals -9 when interpreted as a signed value. That is, it’s a bug in libarchive.

I attached a patch that adds a few fprintf() calls to libarchive which show how the incorrect value comes from zipx_lzma_alone_init() but I didn’t debug how to fix it. Here is the output:

DEBUG: libarchive/archive_read_support_format_zip.c:1607: init
DEBUG: libarchive/archive_read_support_format_zip.c:1728: zip->entry_bytes_remaining = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1859: zip->entry_bytes_remaining = 1, bytes_avail = 94559
DEBUG: libarchive/archive_read_support_format_zip.c:1916: zip->entry_bytes_remaining = 1, to_consume = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1607: init
DEBUG: libarchive/archive_read_support_format_zip.c:1728: zip->entry_bytes_remaining = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1859: zip->entry_bytes_remaining = 1, bytes_avail = 94501
DEBUG: libarchive/archive_read_support_format_zip.c:1916: zip->entry_bytes_remaining = 1, to_consume = 1
DEBUG: libarchive/archive_read_support_format_zip.c:1607: init
DEBUG: libarchive/archive_read_support_format_zip.c:1728: zip->entry_bytes_remaining = -9
DEBUG: libarchive/archive_read_support_format_zip.c:1859: zip->entry_bytes_remaining = -9, bytes_avail = 94443

Can you forward the above information to libarchive developers?

Thank you for your effort to look for bugs and reporting them!

Two minor things for the future:

I understand that sending the bad .zip file directly as an attachment doesn’t work for some destinations because antivirus products can block such emails (GMail does). I could extract the .rar with 7z from p7zip so it wasn’t a problem for me, but in general free software developers prefer exchanging information using fully open formats like .zip, .7z, or .tar + some compressor. .zip with its very old (and insecure) encryption is supported widely. I tested this with GMail:

zip -e badfile.zip badfile.bin # password set to 123456

This worked. Without encryption it was rejected. I think the filename inside the encrypted .zip must be something like .bin instead of .zip since filenames aren’t encrypted.

The second thing is that I did receive the email with the subject crash-58af2238755ec09600f15fed6e3e606c09638f42 but I wasn’t on my computer during those days, so I was slow to reply, sorry. (My email provider doesn’t block attachments as easily as GMail does.) The email contained a 46-megabyte attachment (base64-encoded size) which I suppose was the test program binary. That is a fairly big file to attach and most people (me included) won’t run binaries received in email.

Again, thanks for your help in finding and reporting bugs!
…
– Lasse Collin
------------------ Original Message ------------------
From: “马骏” ***@***.***>;
Sent: March 4, 2022 (Friday) 5:15 PM
***@***.***>;
Subject: Re: Fwd: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)

Please ask if this vulnerability has been confirmed

------------------ Original Message ------------------
From: “马骏” ***@***.***>;
Sent: March 4, 2022 (Friday) 10:33 AM
***@***.***>;
Subject: Re: Fwd: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)

Please ask if this vulnerability has been confirmed

------------------ Original Message ------------------
From: “马骏” ***@***.***>;
Sent: February 26, 2022 (Saturday) 6:31 PM
***@***.***>;
Subject: Fwd: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)

i have sent this mail, you can see this

— Original Message —
From: ***@***.***>
Sent: February 26, 2022 (Saturday) 5:45 PM
To: ***@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)

hello, the testcase, source file, crash file see the attachments. Besides, i have Submit cve aim at this question

------------------ Original Message ------------------
From: “libarchive/libarchive” ***@***.***>;
Sent: February 26, 2022 (Saturday) 5:12 PM
***@***.***>; ***@***.******@***.***>;
Subject: Re: [libarchive/libarchive] The libarchive lib exist a READ memory access Vulnerability (Issue #1672)

@icycityone what we need is a sample test file to reproduce the vulnerability
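
The signed-to-unsigned wrap that Lasse Collin's message describes, as an added C example that is not part of the thread and not libarchive's or liblzma's code. The function names are hypothetical, the values -9 and 94443 come from the debug output above, and avail_in is modelled as uint64_t (the width of size_t on a 64-bit build).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the hand-off seen in the debug output.
 * avail_in is uint64_t here: the width of size_t on a 64-bit build. */

/* Unchecked hand-off: the signed remaining-byte count becomes the
 * decoder's unsigned input length without any validation. */
static uint64_t avail_in_unchecked(int64_t entry_bytes_remaining)
{
    return (uint64_t)entry_bytes_remaining;
}

/* Bytes the decoder is told it may read beyond what is really buffered. */
static uint64_t overread_allowance(uint64_t avail_in, uint64_t bytes_avail)
{
    return avail_in > bytes_avail ? avail_in - bytes_avail : 0;
}

/* Checked hand-off: reject a negative count, then clamp to the buffer.
 * Returns 0 and stores the length in *avail_in, or -1 on a bad count. */
static int avail_in_checked(int64_t entry_bytes_remaining,
                            uint64_t bytes_avail, uint64_t *avail_in)
{
    if (entry_bytes_remaining < 0)
        return -1;
    uint64_t want = (uint64_t)entry_bytes_remaining;
    *avail_in = want < bytes_avail ? want : bytes_avail;
    return 0;
}

int main(void)
{
    /* Values taken from the debug output quoted in the thread. */
    const int64_t remaining = -9;
    const uint64_t bytes_avail = 94443;
    uint64_t n = avail_in_unchecked(remaining);
    uint64_t ok = 0;

    printf("unchecked avail_in  = %" PRIu64 "\n", n);
    printf("over-read allowance = %" PRIu64 "\n", overread_allowance(n, bytes_avail));
    printf("checked(-9) -> %d\n", avail_in_checked(remaining, bytes_avail, &ok));

    int rc = avail_in_checked(1, bytes_avail, &ok);
    printf("checked(1)  -> %d, avail_in = %" PRIu64 "\n", rc, ok);
    return 0;
}
```

A decoder given the unchecked length has no way to tell that only 94443 bytes are buffered, which is why the fault surfaces inside lzma_code() even though the bad value originates in the caller.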