Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libarchive: directory traversal in bsdcpio (CVE-2015-2304)

  - libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service     (CVE-2019-1000020)

  - Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in     libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause     a denial of service (crash) via unspecified vectors, which triggers an improper conversion between     unsigned and signed types, leading to a buffer overflow. (CVE-2013-0211)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the libarchive package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in libarchive. A specially     crafted MTREE file could cause a small out-of-bounds     read, potentially disclosing a small amount of     application memory.(CVE-2015-8925)

  - A vulnerability was found in libarchive. An attempt to     create an ISO9660 volume with 2GB or 4GB filenames     could cause the application to crash.(CVE-2016-6250)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application to read     memory beyond the end of the decompression     buffer.(CVE-2015-8934)

  - A vulnerability was found in libarchive's handling of     7zip data. A specially crafted 7zip file can cause a     integer overflow resulting in memory corruption that     can lead to code execution.(CVE-2016-4300)

  - A vulnerability was found in libarchive. A specially     crafted 7Z file could trigger a NULL pointer     dereference, causing the application to     crash.(CVE-2015-8922)

  - Undefined behavior (signed integer overflow) was     discovered in libarchive, in the ISO parser. A crafted     file could potentially cause denial of     service.(CVE-2016-5844)

  - A vulnerability was found in libarchive. A specially     crafted AR archive could cause the application to read     a single byte of application memory, potentially     disclosing it to the attacker.(CVE-2015-8920)

  - A vulnerability was found in libarchive. A specially     crafted mtree file could cause libarchive to read     beyond a statically declared structure, potentially     disclosing application memory.(CVE-2015-8921)

  - A vulnerability was found in libarchive. A specially     crafted LZA/LZH file could cause a small out-of-bounds     read, potentially disclosing a few bytes of application     memory.(CVE-2015-8919)

  - A vulnerability was found in libarchive. A specially     crafted ISO file could cause the application to consume     resources until it hit a memory limit, leading to a     crash or denial of service.(CVE-2015-8930)

  - A vulnerability was found in libarchive. A specially     crafted TAR file could trigger an out-of-bounds read,     potentially causing the application to disclose a small     amount of application memory.(CVE-2015-8924)

  - A vulnerability was found in libarchive. A specially     crafted MTREE file could cause a limited out-of-bounds     read, potentially disclosing contents of application     memory.(CVE-2015-8928)

  - A vulnerability was found in libarchive. A specially     crafted CAB file could cause the application     dereference a NULL pointer, leading to a     crash.(CVE-2015-8917)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application     dereference a NULL pointer, leading to a     crash.(CVE-2015-8916)

  - A vulnerability was found in libarchive's handling of     RAR archives. A specially crafted RAR file can cause a     heap overflow, potentially leading to code execution in     the context of the application.(CVE-2016-4302)

  - Undefined behavior (invalid left shift) was discovered     in libarchive, in how Compress streams are identified.
    This could cause certain files to be mistakenly     identified as Compress archives and fail to     read.(CVE-2015-8932)

  - A vulnerability was found in libarchive. A specially     crafted gzip file can cause libarchive to allocate     memory without limit, eventually leading to a     crash.(CVE-2016-7166)

  - Undefined behavior (signed integer overflow) was     discovered in libarchive, in the MTREE parser's     calculation of maximum and minimum dates. A crafted     mtree file could potentially cause denial of     service.(CVE-2015-8931)

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws     in libarchive's file system sandboxing, this issue     could cause an application using libarchive to     overwrite arbitrary files with arbitrary data from the     archive.(CVE-2016-5418)

  - Integer signedness error in the archive_write_zip_data     function in archive_write_set_format_zip.c in     libarchive 3.1.2 and earlier, when running on 64-bit     machines, allows context-dependent attackers to cause a     denial of service (crash) via unspecified vectors,     which triggers an improper conversion between unsigned     and signed types, leading to a buffer     overflow.(CVE-2013-0211)

  - A vulnerability was found in libarchive. A specially     crafted zip file can provide an incorrect compressed     size, which may allow an attacker to place arbitrary     code on the heap and execute it in the context of the     application.(CVE-2016-1541)

  - A vulnerability was found in libarchive. A specially     crafted cpio archive containing a symbolic link to a     ridiculously large target path can cause memory     allocation to fail, resulting in any attempt to view or     extract the archive crashing.(CVE-2016-4809)

  - A vulnerability was found in libarchive. A specially     crafted ZIP file could cause a few bytes of application     memory in a 256-byte region to be     disclosed.(CVE-2015-8923)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application to     disclose a 128k block of memory from an uncontrolled     location.(CVE-2015-8926)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x, 6.0.x prior to 6.0.12, 6.1.x prior to 6.1.11, 6.2.x prior to 6.2.11, 6.3.x prior to 6.3.6, or 6.4.x prior to 6.4.2; or else it is Splunk Light version 6.4.x prior to 6.4.2. It is, therefore, affected by the following vulnerabilities :

  - An integer signedness error exists in libarchive in the     archive_write_zip_data() function within file     archive_write_set_format_zip.c due to improper     conversion between unsigned and signed integer types     when running on 64-bit CPUs. An unauthenticated, remote     attacker can exploit this to cause a buffer overflow,     resulting in a denial of service condition.
    (CVE-2013-0211)

  - A path traversal vulnerability exists in libarchive in     the bsdcpio() function within file in cpio/cpio.c due to     improper sanitization of user-supplied input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted path in an archive, to write to     arbitrary files. (CVE-2015-2304)

  - A heap-based buffer overflow condition exists in     libarchive in the zip_read_mac_metadata() function     within file archive_read_support_format_zip.c due to     improper sanitization of user-supplied input. An     unauthenticated, remote attacker can exploit this, via     specially crafted entry-size values in a ZIP archive, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-1541)

  - Multiple flaws exist in the OpenSSL library in the     aesni_cbc_hmac_sha1_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha1.c and the     aesni_cbc_hmac_sha256_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered     when the connection uses an AES-CBC cipher and AES-NI     is supported by the server. A man-in-the-middle attacker     can exploit these to conduct a padding oracle attack,     resulting in the ability to decrypt the network traffic.
    (CVE-2016-2107)

  - An unspecified cross-site scripting (XSS) vulnerability     exists due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via a specially crafted request, to execute     arbitrary script code in the user's browser session.

  - An unspecified cross-site redirection vulnerability     exists due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, by convincing a user to visit a specially crafted     web link, to redirect the browser to an arbitrary     website of the attacker's own choosing.

Note that Splunk Enterprise 5.0.x will not be patched for OpenSSL issues, and it is recommended you upgrade to the latest version.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

MITRE reports :

Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.

Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.

Libarchive issue tracker reports :

Using a crafted tar file bsdtar can perform an out-of-bounds memory read which will lead to a SEGFAULT. The issue exists when the executable skips data in the archive. The amount of data to skip is defined in byte offset [16-19] If ASLR is disabled, the issue can lead to an infinite loop.

libarchive was updated to fix a directory traversal in the bsdcpio tool, which allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304)

Also, a integer overflow was fixed that could also overflow buffers.
(CVE-2013-0211)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2549-1 advisory.

    It was discovered that the libarchive bsdcpio utility extracted absolute paths by default without using     the --insecure flag, contrary to expectations. If a user or automated system were tricked into extracting     cpio archives containing absolute paths, a remote attacker may be able to write to arbitrary files.
    (CVE-2015-2304)

    Fabian Yamaguchi discovered that libarchive incorrectly handled certain type conversions. A remote     attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service.
    This issue only affected Ubuntu 12.04 LTS. (CVE-2013-0211)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

libarchive was updated to fix a directory traversal in the bsdcpio tool, which allowed attackers supplying crafted archives to overwrite files. (CVE-2015-2304)

Also, a integer overflow was fixed that could also overflow buffers.
(CVE-2013-0211)

The remote host is affected by the vulnerability described in GLSA-201406-02 (libarchive: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libarchive. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user or automated process to open a       specially crafted archive using an application linked against libarchive,       possibly resulting in execution of arbitrary code with the privileges of       the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A vulnerability has been found and corrected in libarchive :

Fabian Yamaguchi reported a read buffer overflow flaw in libarchive on 64-bit systems where sizeof(size_t) is equal to 8. In the archive_write_zip_data() function in libarchive/ archive_write_set_format_zip.c, the 's' parameter is of type size_t (64 bit, unsigned) and is cast to a 64 bit signed integer. If 's' is larger than MAX_INT, it will not be set to 'zip->remaining_data_bytes' even though it is larger than 'zip->remaining_data_bytes', which leads to a buffer overflow when calling deflate(). This can lead to a segfault in an application that uses libarchive to create ZIP archives (CVE-2013-0211).

The updated packages have been patched to correct this issue.

This update fixes CVE-2013-0211 libarchive: read buffer overflow on 64-bit systems

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes CVE-2013-0211 libarchive: read buffer overflow on 64-bit systems.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
198966	RHEL 6 : libarchive (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	medium
124794	EulerOS Virtualization 3.0.1.0 : libarchive (EulerOS-SA-2019-1470)	Nessus	Huawei Local Security Checks	high
92790	Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities	Nessus	CGI abuses	high
87984	FreeBSD : libarchive -- multiple vulnerabilities (7c63775e-be31-11e5-b5fe-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium
83710	SUSE SLED12 / SLES12 Security Update : libarchive (SUSE-SU-2015:0667-1)	Nessus	SuSE Local Security Checks	medium
82268	Ubuntu 14.04 LTS : libarchive vulnerabilities (USN-2549-1)	Nessus	Ubuntu Local Security Checks	high
82012	openSUSE Security Update : libarchive (openSUSE-2015-248)	Nessus	SuSE Local Security Checks	medium
74259	GLSA-201406-02 : libarchive: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
66157	Mandriva Linux Security Advisory : libarchive (MDVSA-2013:147)	Nessus	Mandriva Local Security Checks	medium
65954	Fedora 18 : libarchive-3.0.4-4.fc18 (2013-4537)	Nessus	Fedora Local Security Checks	medium
65953	Fedora 17 : libarchive-3.0.4-3.fc17 (2013-4522)	Nessus	Fedora Local Security Checks	medium
65838	Fedora 18 : mingw-libarchive-3.0.4-4.fc18 (2013-4592)	Nessus	Fedora Local Security Checks	medium
65837	Fedora 17 : mingw-libarchive-3.0.4-4.fc17 (2013-4576)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2013-0211

high

Tenable Plugins

medium

high

high

medium

medium

high

medium

high

medium

medium

medium

medium

medium