Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.

According to the versions of the libarchive package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was found in libarchive. A specially     crafted MTREE file could cause a small out-of-bounds     read, potentially disclosing a small amount of     application memory.(CVE-2015-8925)

  - A vulnerability was found in libarchive. An attempt to     create an ISO9660 volume with 2GB or 4GB filenames     could cause the application to crash.(CVE-2016-6250)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application to read     memory beyond the end of the decompression     buffer.(CVE-2015-8934)

  - A vulnerability was found in libarchive's handling of     7zip data. A specially crafted 7zip file can cause a     integer overflow resulting in memory corruption that     can lead to code execution.(CVE-2016-4300)

  - A vulnerability was found in libarchive. A specially     crafted 7Z file could trigger a NULL pointer     dereference, causing the application to     crash.(CVE-2015-8922)

  - Undefined behavior (signed integer overflow) was     discovered in libarchive, in the ISO parser. A crafted     file could potentially cause denial of     service.(CVE-2016-5844)

  - A vulnerability was found in libarchive. A specially     crafted AR archive could cause the application to read     a single byte of application memory, potentially     disclosing it to the attacker.(CVE-2015-8920)

  - A vulnerability was found in libarchive. A specially     crafted mtree file could cause libarchive to read     beyond a statically declared structure, potentially     disclosing application memory.(CVE-2015-8921)

  - A vulnerability was found in libarchive. A specially     crafted LZA/LZH file could cause a small out-of-bounds     read, potentially disclosing a few bytes of application     memory.(CVE-2015-8919)

  - A vulnerability was found in libarchive. A specially     crafted ISO file could cause the application to consume     resources until it hit a memory limit, leading to a     crash or denial of service.(CVE-2015-8930)

  - A vulnerability was found in libarchive. A specially     crafted TAR file could trigger an out-of-bounds read,     potentially causing the application to disclose a small     amount of application memory.(CVE-2015-8924)

  - A vulnerability was found in libarchive. A specially     crafted MTREE file could cause a limited out-of-bounds     read, potentially disclosing contents of application     memory.(CVE-2015-8928)

  - A vulnerability was found in libarchive. A specially     crafted CAB file could cause the application     dereference a NULL pointer, leading to a     crash.(CVE-2015-8917)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application     dereference a NULL pointer, leading to a     crash.(CVE-2015-8916)

  - A vulnerability was found in libarchive's handling of     RAR archives. A specially crafted RAR file can cause a     heap overflow, potentially leading to code execution in     the context of the application.(CVE-2016-4302)

  - Undefined behavior (invalid left shift) was discovered     in libarchive, in how Compress streams are identified.
    This could cause certain files to be mistakenly     identified as Compress archives and fail to     read.(CVE-2015-8932)

  - A vulnerability was found in libarchive. A specially     crafted gzip file can cause libarchive to allocate     memory without limit, eventually leading to a     crash.(CVE-2016-7166)

  - Undefined behavior (signed integer overflow) was     discovered in libarchive, in the MTREE parser's     calculation of maximum and minimum dates. A crafted     mtree file could potentially cause denial of     service.(CVE-2015-8931)

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws     in libarchive's file system sandboxing, this issue     could cause an application using libarchive to     overwrite arbitrary files with arbitrary data from the     archive.(CVE-2016-5418)

  - Integer signedness error in the archive_write_zip_data     function in archive_write_set_format_zip.c in     libarchive 3.1.2 and earlier, when running on 64-bit     machines, allows context-dependent attackers to cause a     denial of service (crash) via unspecified vectors,     which triggers an improper conversion between unsigned     and signed types, leading to a buffer     overflow.(CVE-2013-0211)

  - A vulnerability was found in libarchive. A specially     crafted zip file can provide an incorrect compressed     size, which may allow an attacker to place arbitrary     code on the heap and execute it in the context of the     application.(CVE-2016-1541)

  - A vulnerability was found in libarchive. A specially     crafted cpio archive containing a symbolic link to a     ridiculously large target path can cause memory     allocation to fail, resulting in any attempt to view or     extract the archive crashing.(CVE-2016-4809)

  - A vulnerability was found in libarchive. A specially     crafted ZIP file could cause a few bytes of application     memory in a 256-byte region to be     disclosed.(CVE-2015-8923)

  - A vulnerability was found in libarchive. A specially     crafted RAR file could cause the application to     disclose a 128k block of memory from an uncontrolled     location.(CVE-2015-8926)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libarchive package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws     in libarchive's file system sandboxing, this issue     could cause an application using libarchive to     overwrite arbitrary files with arbitrary data from the     archive. (CVE-2016-5418)

  - Multiple out-of-bounds write flaws were found in     libarchive.

  - Specially crafted ZIP, 7ZIP, or RAR files could cause a     heap overflow, potentially allowing code execution in     the context of the application using libarchive.
    (CVE-2016-1541, CVE-2016-4300, CVE-2016-4302)

  - Multiple out-of-bounds read flaws were found in     libarchive.

  - Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR     files could cause the application to read data out of     bounds, potentially disclosing a small amount of     application memory, or causing an application crash.
    (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921,     CVE-2015-8923, CVE-2015-8924, CVE-2015-8925,     CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

  - Multiple NULL pointer dereference flaws were found in     libarchive.

  - Specially crafted RAR, CAB, or 7ZIP files could cause     an application using libarchive to crash.
    (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

  - Multiple infinite loop / resource exhaustion flaws were     found in libarchive. Specially crafted GZIP or ISO     files could cause the application to consume an     excessive amount of resources, eventually leading to a     crash on memory exhaustion. (CVE-2016-7166,     CVE-2015-8930)

  - A denial of service vulnerability was found in     libarchive. A specially crafted CPIO archive containing     a symbolic link to a large target path could cause     memory allocation to fail, causing an application using     libarchive that attempted to view or extract such     archive to crash. (CVE-2016-4809)

  - An integer overflow flaw, leading to a buffer overflow,     was found in libarchive's construction of ISO9660     volumes. Attempting to create an ISO9660 volume with 2     GB or 4 GB file names could cause the application to     attempt to allocate 20 GB of memory. If this were to     succeed, it could lead to an out of bounds write on the     heap and potential code execution. (CVE-2016-6250)

  - Multiple instances of undefined behavior due to     arithmetic overflow were found in libarchive. Specially     crafted MTREE archives, Compress streams, or ISO9660     volumes could potentially cause the application to fail     to read the archive, or to crash. (CVE-2015-8931,     CVE-2015-8932, CVE-2016-5844)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-03 (libarchive: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libarchive. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted       archive file possibly resulting in the execution of arbitrary code with       the privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418)

Multiple out-of-bounds write flaws were found in libarchive. Specially crafted ZIP, 7ZIP, or RAR files could cause a heap overflow, potentially allowing code execution in the context of the application using libarchive. (CVE-2016-1541 , CVE-2016-4300 , CVE-2016-4302)

Multiple out-of-bounds read flaws were found in libarchive. Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR files could cause the application to read data out of bounds, potentially disclosing a small amount of application memory, or causing an application crash.
(CVE-2015-8919 , CVE-2015-8920 , CVE-2015-8921 , CVE-2015-8923 , CVE-2015-8924 , CVE-2015-8925 , CVE-2015-8926 , CVE-2015-8928 , CVE-2015-8934)

Multiple NULL pointer dereference flaws were found in libarchive.
Specially crafted RAR, CAB, or 7ZIP files could cause an application using libarchive to crash. (CVE-2015-8916 , CVE-2015-8917 , CVE-2015-8922)

Multiple infinite loop / resource exhaustion flaws were found in libarchive. Specially crafted GZIP or ISO files could cause the application to consume an excessive amount of resources, eventually leading to a crash on memory exhaustion. (CVE-2016-7166 , CVE-2015-8930)

A denial of service vulnerability was found in libarchive. A specially crafted CPIO archive containing a symbolic link to a large target path could cause memory allocation to fail, causing an application using libarchive that attempted to view or extract such archive to crash.
(CVE-2016-4809)

An integer overflow flaw, leading to a buffer overflow, was found in libarchive's construction of ISO9660 volumes. Attempting to create an ISO9660 volume with 2 GB or 4 GB file names could cause the application to attempt to allocate 20 GB of memory. If this were to succeed, it could lead to an out of bounds write on the heap and potential code execution. (CVE-2016-6250)

Multiple instances of undefined behavior due to arithmetic overflow were found in libarchive. Specially crafted MTREE archives, Compress streams, or ISO9660 volumes could potentially cause the application to fail to read the archive, or to crash. (CVE-2015-8931 , CVE-2015-8932 , CVE-2016-5844)

An update for libarchive is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers.

Security Fix(es) :

* A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive. (CVE-2016-5418)

* Multiple out-of-bounds write flaws were found in libarchive.
Specially crafted ZIP, 7ZIP, or RAR files could cause a heap overflow, potentially allowing code execution in the context of the application using libarchive. (CVE-2016-1541, CVE-2016-4300, CVE-2016-4302)

* Multiple out-of-bounds read flaws were found in libarchive.
Specially crafted LZA/LZH, AR, MTREE, ZIP, TAR, or RAR files could cause the application to read data out of bounds, potentially disclosing a small amount of application memory, or causing an application crash. (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8923, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

* Multiple NULL pointer dereference flaws were found in libarchive.
Specially crafted RAR, CAB, or 7ZIP files could cause an application using libarchive to crash. (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

* Multiple infinite loop / resource exhaustion flaws were found in libarchive. Specially crafted GZIP or ISO files could cause the application to consume an excessive amount of resources, eventually leading to a crash on memory exhaustion. (CVE-2016-7166, CVE-2015-8930)

* A denial of service vulnerability was found in libarchive. A specially crafted CPIO archive containing a symbolic link to a large target path could cause memory allocation to fail, causing an application using libarchive that attempted to view or extract such archive to crash. (CVE-2016-4809)

* An integer overflow flaw, leading to a buffer overflow, was found in libarchive's construction of ISO9660 volumes. Attempting to create an ISO9660 volume with 2 GB or 4 GB file names could cause the application to attempt to allocate 20 GB of memory. If this were to succeed, it could lead to an out of bounds write on the heap and potential code execution. (CVE-2016-6250)

* Multiple instances of undefined behavior due to arithmetic overflow were found in libarchive. Specially crafted MTREE archives, Compress streams, or ISO9660 volumes could potentially cause the application to fail to read the archive, or to crash. (CVE-2015-8931, CVE-2015-8932, CVE-2016-5844)

Red Hat would like to thank Insomnia Security for reporting CVE-2016-5418.

Security Fix(es) :

  - A flaw was found in the way libarchive handled hardlink     archive entries of non-zero size. Combined with flaws in     libarchive's file system sandboxing, this issue could     cause an application using libarchive to overwrite     arbitrary files with arbitrary data from the archive.
    (CVE-2016-5418)

  - Multiple out-of-bounds write flaws were found in     libarchive. Specially crafted ZIP, 7ZIP, or RAR files     could cause a heap overflow, potentially allowing code     execution in the context of the application using     libarchive. (CVE-2016-1541, CVE-2016-4300,     CVE-2016-4302)

  - Multiple out-of-bounds read flaws were found in     libarchive. Specially crafted LZA/LZH, AR, MTREE, ZIP,     TAR, or RAR files could cause the application to read     data out of bounds, potentially disclosing a small     amount of application memory, or causing an application     crash. (CVE-2015-8919, CVE-2015-8920, CVE-2015-8921,     CVE-2015-8923, CVE-2015-8924, CVE-2015-8925,     CVE-2015-8926, CVE-2015-8928, CVE-2015-8934)

  - Multiple NULL pointer dereference flaws were found in     libarchive. Specially crafted RAR, CAB, or 7ZIP files     could cause an application using libarchive to crash.
    (CVE-2015-8916, CVE-2015-8917, CVE-2015-8922)

  - Multiple infinite loop / resource exhaustion flaws were     found in libarchive. Specially crafted GZIP or ISO files     could cause the application to consume an excessive     amount of resources, eventually leading to a crash on     memory exhaustion. (CVE-2016-7166, CVE-2015-8930)

  - A denial of service vulnerability was found in     libarchive. A specially crafted CPIO archive containing     a symbolic link to a large target path could cause     memory allocation to fail, causing an application using     libarchive that attempted to view or extract such     archive to crash. (CVE-2016-4809)

  - An integer overflow flaw, leading to a buffer overflow,     was found in libarchive's construction of ISO9660     volumes. Attempting to create an ISO9660 volume with 2     GB or 4 GB file names could cause the application to     attempt to allocate 20 GB of memory. If this were to     succeed, it could lead to an out of bounds write on the     heap and potential code execution. (CVE-2016-6250)

  - Multiple instances of undefined behavior due to     arithmetic overflow were found in libarchive. Specially     crafted MTREE archives, Compress streams, or ISO9660     volumes could potentially cause the application to fail     to read the archive, or to crash. (CVE-2015-8931,     CVE-2015-8932, CVE-2016-5844)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-1844 advisory.

    - Fixes variation of CVE-2016-5418: Hard links could include '..' in their path.
    - Fixes CVE-2016-5418: Archive Entry with type 1 (hardlink) causes file overwrite (#1365777)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x, 6.0.x prior to 6.0.12, 6.1.x prior to 6.1.11, 6.2.x prior to 6.2.11, 6.3.x prior to 6.3.6, or 6.4.x prior to 6.4.2; or else it is Splunk Light version 6.4.x prior to 6.4.2. It is, therefore, affected by the following vulnerabilities :

  - An integer signedness error exists in libarchive in the     archive_write_zip_data() function within file     archive_write_set_format_zip.c due to improper     conversion between unsigned and signed integer types     when running on 64-bit CPUs. An unauthenticated, remote     attacker can exploit this to cause a buffer overflow,     resulting in a denial of service condition.
    (CVE-2013-0211)

  - A path traversal vulnerability exists in libarchive in     the bsdcpio() function within file in cpio/cpio.c due to     improper sanitization of user-supplied input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted path in an archive, to write to     arbitrary files. (CVE-2015-2304)

  - A heap-based buffer overflow condition exists in     libarchive in the zip_read_mac_metadata() function     within file archive_read_support_format_zip.c due to     improper sanitization of user-supplied input. An     unauthenticated, remote attacker can exploit this, via     specially crafted entry-size values in a ZIP archive, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-1541)

  - Multiple flaws exist in the OpenSSL library in the     aesni_cbc_hmac_sha1_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha1.c and the     aesni_cbc_hmac_sha256_cipher() function in file     crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered     when the connection uses an AES-CBC cipher and AES-NI     is supported by the server. A man-in-the-middle attacker     can exploit these to conduct a padding oracle attack,     resulting in the ability to decrypt the network traffic.
    (CVE-2016-2107)

  - An unspecified cross-site scripting (XSS) vulnerability     exists due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, via a specially crafted request, to execute     arbitrary script code in the user's browser session.

  - An unspecified cross-site redirection vulnerability     exists due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this, by convincing a user to visit a specially crafted     web link, to redirect the browser to an arbitrary     website of the attacker's own choosing.

Note that Splunk Enterprise 5.0.x will not be patched for OpenSSL issues, and it is recommended you upgrade to the latest version.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

fix manual pages to mention correctly spelled binary names (rhbz#1294252), fix CVE-2016-1541, rhbz#1334213

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libarchive fixes the following issue :

  - Fix a heap-based buffer overflow (CVE-2016-1541,     bsc#979005)

This update was imported from the SUSE:SLE-12:Update update project.

This update for libarchive fixes the following issue :

  - Fix a heap-based buffer overflow (CVE-2016-1541,     bsc#979005)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libarchive fixes the following issue :

  - Fix a heap-based buffer overflow (CVE-2016-1541,     bsc#979005)

New libarchive packages are available for Slackware 14.1 and -current to fix a security issue.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2981-1 advisory.

    It was discovered that libarchive incorrectly handled certain entry-size values in ZIP archives. A remote     attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly     execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS.
    (CVE-2016-1541)

    It was discovered that libarchive incorrectly handled memory when processing certain tar files. A remote     attacker could use this issue to cause libarchive to crash, resulting in a denial of service. (CVE number     pending)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Rock Stevens, Andrew Ruef and Marcin 'Icewall' Noga discovered a heap-based buffer overflow vulnerability in the zip_read_mac_metadata function in libarchive, a multi-format archive and compression library, which may lead to the execution of arbitrary code if a user or automated system is tricked into processing a specially crafted ZIP file.

The libarchive project reports :

Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive.

ID	Name	Product	Family	Severity
124794	EulerOS Virtualization 3.0.1.0 : libarchive (EulerOS-SA-2019-1470)	Nessus	Huawei Local Security Checks	high
99808	EulerOS 2.0 SP1 : libarchive (EulerOS-SA-2016-1045)	Nessus	Huawei Local Security Checks	high
96234	GLSA-201701-03 : libarchive: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93744	Amazon Linux AMI : libarchive (ALAS-2016-743)	Nessus	Amazon Linux Local Security Checks	high
93541	CentOS 7 : libarchive (CESA-2016:1844)	Nessus	CentOS Local Security Checks	high
93454	Scientific Linux Security Update : libarchive on SL7.x x86_64 (20160912)	Nessus	Scientific Linux Local Security Checks	high
93450	RHEL 7 : libarchive (RHSA-2016:1844)	Nessus	Red Hat Local Security Checks	high
93446	Oracle Linux 7 : libarchive (ELSA-2016-1844)	Nessus	Oracle Linux Local Security Checks	high
92790	Splunk Enterprise < 5.0.16 / 6.0.12 / 6.1.11 / 6.2.11 / 6.3.6 / 6.4.2 or Splunk Light < 6.4.2 Multiple Vulnerabilities	Nessus	CGI abuses	high
92122	Fedora 23 : libarchive (2016-8491ec1ebd)	Nessus	Fedora Local Security Checks	high
92112	Fedora 24 : libarchive (2016-760bd8b6a5)	Nessus	Fedora Local Security Checks	high
92061	Fedora 22 : libarchive (2016-19c34099d3)	Nessus	Fedora Local Security Checks	high
91795	openSUSE Security Update : libarchive (openSUSE-2016-762)	Nessus	SuSE Local Security Checks	high
91667	SUSE SLED12 / SLES12 Security Update : libarchive (SUSE-SU-2016:1588-1)	Nessus	SuSE Local Security Checks	high
91482	openSUSE Security Update : libarchive (openSUSE-2016-670)	Nessus	SuSE Local Security Checks	high
91312	Slackware 14.1 / current : libarchive (SSA:2016-145-01)	Nessus	Slackware Local Security Checks	high
91219	Ubuntu 14.04 LTS / 16.04 LTS : libarchive vulnerabilities (USN-2981-1)	Nessus	Ubuntu Local Security Checks	high
91052	Debian DSA-3574-1 : libarchive - security update	Nessus	Debian Local Security Checks	high
91026	FreeBSD : libarchive -- RCE vulnerability (2b4c8e1f-1609-11e6-b55e-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-1541

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high