Bug 1166330 (CVE-2019-20509) - VUL-1: CVE-2019-20509: libarchive: insufficient validation of UTF-16 input by the LHA decoder can lead to a heap-based buffer over-read and application crash
Status: RESOLVED FIXED
Alias: CVE-2019-20509
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/254546/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-20509:4.3:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-11 08:25 UTC by Wolfgang Frisch
Modified: 2024-07-04 07:23 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
HeadOverflow1 (PoC LHA archive) (79 bytes, application/octet-stream)
2020-03-11 09:16 UTC, Wolfgang Frisch
HeadOverflow2 (PoC LHA archive) (38 bytes, application/octet-stream)
2020-03-11 09:16 UTC, Wolfgang Frisch

Description Wolfgang Frisch 2020-03-11 08:25:03 UTC
CVE-2019-20509

archive_read_support_format_lha.c in libarchive before 3.4.1 does not ensure
valid sizes for UTF-16 input, which allows remote attackers to cause a denial of
service (heap-based buffer over-read and application crash) via a crafted LHA
archive.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20509
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20509.html
https://github.com/libarchive/libarchive/issues/1284
https://github.com/libarchive/libarchive/compare/v3.4.0...v3.4.1
https://github.com/libarchive/libarchive/commit/91cf9372e89f7af4582964b15ceb7fc6d1b37471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20509
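An added illustration of the validation the CVE text says was missing; this is not libarchive's code and does not use the PoC attachments. It parses a hypothetical LHA-style name record (one declared-length byte followed by a UTF-16LE name) and bounds the declared length by the bytes actually present, and rejects odd lengths and broken surrogate pairs, before any code unit is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical LHA-style name record (not libarchive's real layout):
 * byte 0 = declared byte length of the UTF-16LE name in bytes 1.. .
 * Trusting that length and fetching code units beyond the bytes
 * actually present is the heap over-read pattern the CVE describes. */
/* Return the code-point count of a UTF-16LE buffer, or -1 when the
 * declared length is unsafe or the encoding is malformed. */
int utf16le_codepoints(const uint8_t *buf, size_t avail, size_t declared)
{
    if (declared > avail) return -1;      /* would read past the buffer */
    if (declared & 1)     return -1;      /* half a code unit */
    int count = 0;
    for (size_t i = 0; i < declared; count++) {
        uint16_t u = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        i += 2;
        if (u >= 0xDC00 && u <= 0xDFFF) return -1;   /* stray low surrogate */
        if (u >= 0xD800 && u <= 0xDBFF) {            /* high surrogate */
            if (i + 2 > declared) return -1;         /* pair truncated */
            uint16_t lo = (uint16_t)(buf[i] | (buf[i + 1] << 8));
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            i += 2;
        }
    }
    return count;
}

/* Parse one name record from hdr_len header bytes. */
int lha_name_codepoints(const uint8_t *hdr, size_t hdr_len)
{
    if (hdr_len < 1) return -1;
    return utf16le_codepoints(hdr + 1, hdr_len - 1, hdr[0]);
}
/* Constructed samples, not the PoC attachments from this bug. */
static const uint8_t SAMPLE_OK[]        = { 4, 'A', 0, 'B', 0 };          /* "AB" */
static const uint8_t SAMPLE_OVERREAD[]  = { 0x20, 'A', 0, 'B', 0 };       /* claims 32 bytes, has 4 */
static const uint8_t SAMPLE_ODD[]       = { 3, 'A', 0, 'B' };
static const uint8_t SAMPLE_SURROGATE[] = { 4, 0x3D, 0xD8, 0x00, 0xDE };  /* U+1F600 */

int main(void)
{
    printf("ok=%d overread=%d odd=%d surrogate=%d\n",
           lha_name_codepoints(SAMPLE_OK, sizeof SAMPLE_OK),
           lha_name_codepoints(SAMPLE_OVERREAD, sizeof SAMPLE_OVERREAD),
           lha_name_codepoints(SAMPLE_ODD, sizeof SAMPLE_ODD),
           lha_name_codepoints(SAMPLE_SURROGATE, sizeof SAMPLE_SURROGATE));
    return 0;
}
```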
Comment 1 Wolfgang Frisch 2020-03-11 09:14:52 UTC
SUSE:SLE-12:Update   libarchive   Affected
SUSE:SLE-15:Update   libarchive   Affected

Factory and SLE-15-SP2 are already fixed.
Comment 2 Wolfgang Frisch 2020-03-11 09:16:16 UTC
Created attachment 832516 [details]
HeadOverflow1 (PoC LHA archive)
Comment 3 Wolfgang Frisch 2020-03-11 09:16:33 UTC
Created attachment 832517 [details]
HeadOverflow2 (PoC LHA archive)
Comment 4 Wolfgang Frisch 2020-03-11 09:17:40 UTC
QA REPRODUCER:
valgrind --tool=memcheck bsdtar -tf HeadOverflow1

Unfixed:
Conditional jump or move depends on uninitialised value(s)
   at 0x4C34EE0: bcmp (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x560B08A: ??? (in /usr/lib64/libcrypto.so.1.1)
   by 0x560A235: FIPS_selftest (in /usr/lib64/libcrypto.so.1.1)
   by 0x560509C: ??? (in /usr/lib64/libcrypto.so.1.1)
   by 0x5618FE0: FIPS_mode_set (in /usr/lib64/libcrypto.so.1.1)
   by 0x551E16A: ??? (in /usr/lib64/libcrypto.so.1.1)
   by 0x400FBF9: call_init.part.0 (dl-init.c:72)
   by 0x400FD05: call_init (dl-init.c:119)
   by 0x400FD05: _dl_init (dl-init.c:120)
   by 0x4000ED9: ??? (in /lib64/ld-2.26.so)
   by 0x2: ???
   by 0x1FFF0005A2: ???
   by 0x1FFF0005A9: ???
[...]

Fixed:
ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 5 Adrian Schröter 2021-11-09 07:54:06 UTC
sle 12 is not affected, since libarchive 3.x had no UTF-16 support.

Do you still need an update for SLE 15 SP0 or is SP2 enough?
Comment 6 Wolfgang Frisch 2024-07-04 07:23:15 UTC
This bug had been lost in the ether.

(In reply to Adrian Schröter from comment #5)
> sle 12 is not affected, since libarchive 3.x had no UTF-16 support.
Thank you for checking.

> Do you still need an update for SLE 15 SP0 or is SP2 enough?
All good, thanks.

SLE-12/libarchive: Not affected
SLE-15/libarchive: EOL
SLE-15-SP2/libarchive: Already fixed