libarchive Heap-Based Buffer Over-Read Vulnerability in TAR Archive Handling

Vulnerability

A heap-based buffer over-read vulnerability has been identified in libarchive versions through 3.7.7. The issue arises in the header_gnu_longlink function in archive_read_support_format_tar.c, which does not correctly handle a TAR archive that is truncated in the middle of a GNU long linkname (the payload of a GNU 'K' header). When such an archive is read, the function consumes linkname data beyond what the archive actually contains, producing a heap-buffer-overflow error, as demonstrated by AddressSanitizer.

Impact

Exploitation of this vulnerability causes a heap-based buffer over-read, leading to a heap-buffer-overflow error. Such heap-buffer-overflow vulnerabilities can often be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by extracting a specially crafted TAR archive using bsdtar. The archive must include a long linkname header that is intentionally truncated, causing libarchive to mishandle the linkname processing. This can be done by creating a TAR file with a long linkname that exceeds the normal length, then truncating the archive before it is fully written.

Remediation

Users can upgrade to libarchive version 3.7.8 or later, where this vulnerability has been fixed.
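A defensive pre-check for the truncation described in the Vulnerability and Reproduction sections, added here as an example and not part of the advisory or of libarchive: it walks the TAR headers of a file and flags any GNU long-linkname ('K') or long-name ('L') entry whose declared payload extends past the end of the archive, so such files can be quarantined before they reach an unpatched libarchive. Field offsets follow the POSIX/GNU tar header layout; `build_sample` constructs the test input and is not a real archive.

```python
BLOCK = 512  # tar header and payload block size


def _octal(field: bytes) -> int:
    """Decode a NUL/space padded octal tar numeric field; 0 when empty."""
    text = field.split(b"\0", 1)[0].strip(b" ")
    return int(text, 8) if text else 0


def find_truncated_gnu_long_headers(data: bytes) -> list:
    """Report GNU long-name ('L') and long-linkname ('K') entries whose
    declared payload runs past the end of the archive (one dict each)."""
    findings = []
    offset = 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\0" * BLOCK:  # end-of-archive marker
            break
        typeflag = header[156:157]
        size = _octal(header[124:136])
        # payload is stored in whole 512-byte blocks after the header
        payload_end = offset + BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
        if typeflag in (b"L", b"K") and payload_end > len(data):
            findings.append({
                "offset": offset,
                "typeflag": typeflag.decode(),
                "declared_size": size,
                "available": len(data) - offset - BLOCK,
            })
        offset = payload_end
    return findings


def _gnu_long_header(typeflag: bytes, size: int) -> bytes:
    """Constructed 512-byte GNU long header; fields the check ignores stay zero."""
    h = bytearray(BLOCK)
    h[0:13] = b"././@LongLink"          # conventional GNU placeholder name
    h[124:136] = b"%011o\0" % size      # payload size, octal
    h[148:156] = b"        "            # checksum is computed with the field blanked
    h[156:157] = typeflag               # b"K" = long linkname, b"L" = long name
    h[257:265] = b"ustar  \0"           # GNU magic + version
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


def build_sample(truncate: bool) -> bytes:
    """Constructed archive: a 'K' header announcing a 1000-byte linkname.
    truncate=True cuts the file 300 bytes into that linkname."""
    payload = b"a" * 1000
    data = _gnu_long_header(b"K", len(payload)) + payload
    if truncate:
        return data[:BLOCK + 300]
    # intact variant: pad payload to a block boundary, append end-of-archive marker
    return data.ljust(BLOCK + 2 * BLOCK, b"\0") + b"\0" * (2 * BLOCK)
```

Run the check on untrusted archives at the ingestion boundary; a non-empty result means the archive should be rejected rather than extracted.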

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.