Looks like those fixes landed now: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000877.html

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1000877

** Changed in: libarchive (Ubuntu)
   Importance: Undecided => High

** Changed in: libarchive (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libarchive in Ubuntu.
https://bugs.launchpad.net/bugs/1794909

Title:
  Memory corruption in RAR decoder

Status in libarchive package in Ubuntu:
  Fix Released

Bug description:
  Hi,

  There are some crashes and memory corruption issues in libarchive's RAR decoder. Most notably, I have observed some double-frees and heap use-after-frees, both reading and writing. These have not been detected by previous fuzzing runs because of the CRC checks in the RAR parser.

  The memory corruption seems to arise in ppmd7 decoding. The code can be made to read and write addresses that are at least partially attacker controlled, but the decoder is complex and I don't have the time to investigate fully whether the level of control is sufficient to lead to code execution. My gut feeling is that someone more skilled than I could cause arbitrary code execution, but I cannot say for certain.

  This bug can be used to crash bsdtar and other programs that use libarchive, such as file-roller.

  I have attached some test cases that demonstrate this. They run as follows:

    xxd -r testcase.rar.txt testcase.rar
    bsdtar -Oxf testcase.rar

  The test cases are:

  - oob-read.txt - Ppmd7_DecodeSymbol does an out-of-bounds read and crashes. (No UAF.)
  - uaf-read.txt - this heap UAF causes an out-of-bounds read in Ppmd7_DecodeSymbol and crashes.
  - double-free.txt - this test case causes a double-free.
  - uaf-rw.txt - this shows reads and writes into a previously freed heap region.

  I've tested all of these on the version of bsdtar that ships with Ubuntu 18.04 Bionic and also with a build of libarchive from git. My analysis of their behaviour comes from running them under valgrind and ASAN.
  If you have any trouble reproducing them let me know.

  The crashes were found with afl-fuzz and the FairFuzz extension. I've also reported this to the OSS-Fuzz contacts for the upstream project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909/+subscriptions
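The report lists four test cases, gives the two commands that reproduce each one, and says the behaviour was characterised under ASAN. The following is an added triage helper, not code from the reporter or from libarchive: it builds the same two commands the report gives for a hex-dump test case, and it classifies a captured ASAN report into the bug classes the report names (out-of-bounds read, use-after-free read/write, double-free) together with the innermost crashing frame. The ASAN output embedded below is constructed sample text in the sanitizer's usual layout, not output from the attached test cases, and the function names `repro_commands`, `classify_asan` and `triage_all` are this example's own.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# ASAN headline fragments mapped to the bug classes named in the report.
# Order matters only in that the first matching fragment wins.
ASAN_CLASSES = {
    "heap-use-after-free": "use-after-free",
    "attempting double-free": "double-free",
    "heap-buffer-overflow": "out-of-bounds",
    "global-buffer-overflow": "out-of-bounds",
    "stack-buffer-overflow": "out-of-bounds",
    "SEGV on unknown address": "segv",
}


@dataclass
class Triage:
    testcase: str
    bug_class: str
    access: Optional[str]  # "READ" or "WRITE" when ASAN reports an access kind
    frame0: Optional[str]  # innermost function in the first stack trace, if any


def repro_commands(testcase_txt: str) -> List[List[str]]:
    """Return the two commands from the report for one hex-dump test case:
    unhexdump <name>.rar.txt to <name>.rar, then extract it to stdout."""
    rar = Path(testcase_txt).with_suffix("")  # "oob-read.rar.txt" -> "oob-read.rar"
    return [["xxd", "-r", testcase_txt, str(rar)], ["bsdtar", "-Oxf", str(rar)]]


def classify_asan(testcase: str, output: str) -> Triage:
    """Map one ASAN report to a bug class, the access kind and the crashing frame."""
    headline = re.search(r"ERROR: AddressSanitizer: ([^\n]+)", output)
    if headline is None:
        return Triage(testcase, "no-sanitizer-report", None, None)
    text = headline.group(1)
    bug_class = next((cls for key, cls in ASAN_CLASSES.items() if key in text), "other")
    access = re.search(r"\b(READ|WRITE) of size \d+", output)
    frame = re.search(r"#0 0x[0-9a-f]+ in (\w+)", output)
    return Triage(
        testcase,
        bug_class,
        access.group(1) if access else None,
        frame.group(1) if frame else None,
    )


def triage_all(reports: Dict[str, str]) -> List[Triage]:
    """Classify a mapping of test-case name -> captured sanitizer output."""
    return [classify_asan(name, out) for name, out in reports.items()]


# Constructed sample reports in ASAN's layout (addresses and frames are made up).
SAMPLE_REPORTS = {
    "uaf-rw.txt": (
        "==1234==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000000d0\n"
        "WRITE of size 4 at 0x6020000000d0 thread T0\n"
        "    #0 0x55d0c0ffee in Ppmd7_DecodeSymbol (bsdtar+0x1000)\n"
        "    #1 0x55d0c0ffff in read_data_compressed (bsdtar+0x2000)\n"
    ),
    "oob-read.txt": (
        "==1235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000110\n"
        "READ of size 1 at 0x602000000110 thread T0\n"
        "    #0 0x55d0c0ffee in Ppmd7_DecodeSymbol (bsdtar+0x1000)\n"
    ),
    "double-free.txt": (
        "==1236==ERROR: AddressSanitizer: attempting double-free on 0x602000000010 in thread T0:\n"
        "    #0 0x7f00deadbeef in free (libasan.so+0x1000)\n"
        "    #1 0x55d0c0ffff in Ppmd7_Free (bsdtar+0x3000)\n"
    ),
    "clean.txt": "archive extracted without sanitizer findings\n",
}


if __name__ == "__main__":
    for t in triage_all(SAMPLE_REPORTS):
        print(f"{t.testcase:16} {t.bug_class:22} {t.access or '-':5} {t.frame0 or '-'}")
    print("repro:", " && ".join(" ".join(c) for c in repro_commands("oob-read.rar.txt")))
```

In a real run you would capture each `bsdtar -Oxf` invocation's stderr from an ASAN build (`ASAN_OPTIONS=abort_on_error=1` plus a timeout is the usual pairing) and feed it to `classify_asan`; the classifier only looks at the headline, the first access line and frame #0, so it is unaffected by the rest of the trace.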