Libarchive Heap Buffer Over-Read Vulnerability in LZSS Decompression

Vulnerability

A heap buffer over-read vulnerability has been identified in the libarchive library, prior to version 3.8.0. This issue arises in the RAR file format handling, specifically within the 'copy_from_lzss_window' function. The vulnerability occurs because the size of a filter block can exceed the Lempel-Ziv-Storer-Schieber (LZSS) window, leading the library to read beyond the allocated memory buffer. This over-read can cause unpredictable program behavior, crashes, or the disclosure of sensitive information from adjacent memory regions.

Impact

Exploitation of this vulnerability can cause a heap buffer over-read, leading to a denial-of-service condition or the unintentional disclosure of sensitive information from memory.

Reproduction

The vulnerability can be reproduced by processing a specially crafted RAR archive whose filter block size is larger than the LZSS window; the window size is determined by the dictionary size, which in turn is derived from the unpacked file size. When such an archive is decompressed, the library's dictionary size calculation yields an LZSS window of 64 bytes. If the compressed data then declares a filter block size of 252 bytes, the library reads more data from the LZSS window than it holds, triggering the heap out-of-bounds read.
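The defensive check that prevents this class of bug is simple: a copy out of a circular LZSS window must never be allowed to exceed the window's own size (or the caller's output buffer). The following is an added illustration, not libarchive's code; the window structure, function names (`copy_from_window_checked`, the `demo_*` helpers) and the window contents are constructed for this example. It rejects a 252-byte request against a 64-byte window, matching the numbers in the advisory, and shows that legitimate copies, including ones that wrap around the end of the circular buffer, still succeed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical LZSS window: a circular buffer whose size is a power of two,
 * stored as 'mask' = size - 1 so offsets can be wrapped with a bitwise AND. */
typedef struct {
    uint8_t *buf;
    size_t   mask;
} lzss_window;

/* Copy 'length' bytes beginning at window offset 'start' into 'out'.
 * Returns the number of bytes copied, or -1 if the request cannot be
 * satisfied without reading past the window or past the output buffer.
 * The length check is the mitigation: a filter block larger than the
 * window is invalid input and must be rejected, not copied. */
static long copy_from_window_checked(const lzss_window *w, size_t start,
                                     size_t length, uint8_t *out, size_t out_cap)
{
    size_t window_size = w->mask + 1;

    if (length > window_size || length > out_cap)
        return -1;

    size_t pos = start & w->mask;   /* normalise the start offset into the window */

    if (pos + length <= window_size) {
        /* Contiguous case: the run does not cross the end of the buffer. */
        memcpy(out, w->buf + pos, length);
    } else {
        /* Wrap-around case: copy the tail, then continue from the front. */
        size_t first = window_size - pos;
        memcpy(out, w->buf + pos, first);
        memcpy(out + first, w->buf, length - first);
    }
    return (long)length;
}

/* Constructed 64-byte window where byte i holds the value i. */
static void fill_demo_window(uint8_t *bytes, size_t n)
{
    for (size_t i = 0; i < n; i++)
        bytes[i] = (uint8_t)i;
}

/* The advisory's scenario: a 252-byte filter block against a 64-byte window.
 * Returns -1, i.e. the request is refused instead of over-reading the heap. */
static long demo_oversized_request(void)
{
    uint8_t window_bytes[64];
    uint8_t out[256];
    lzss_window w = { window_bytes, sizeof(window_bytes) - 1 };
    fill_demo_window(window_bytes, sizeof(window_bytes));
    return copy_from_window_checked(&w, 0, 252, out, sizeof(out));
}

/* A legitimate 8-byte copy starting at offset 60 of the same window, which
 * wraps around the end. Returns the byte at position 'idx' of the result
 * (expected sequence: 60 61 62 63 0 1 2 3), or -1 if the copy was refused. */
static int demo_wrapped_copy_byte(size_t idx)
{
    uint8_t window_bytes[64];
    uint8_t out[8];
    lzss_window w = { window_bytes, sizeof(window_bytes) - 1 };
    fill_demo_window(window_bytes, sizeof(window_bytes));
    if (idx >= sizeof(out))
        return -1;
    if (copy_from_window_checked(&w, 60, sizeof(out), out, sizeof(out)) < 0)
        return -1;
    return out[idx];
}

int main(void)
{
    printf("252-byte request against 64-byte window: %ld\n", demo_oversized_request());
    printf("wrapped copy, byte 3: %d, byte 4: %d\n",
           demo_wrapped_copy_byte(3), demo_wrapped_copy_byte(4));
    return 0;
}
```

The key design point is that the bound is derived from the window the decoder actually allocated, not from any length field in the archive: untrusted sizes are compared against allocated capacity before any memory access happens.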

Remediation

Users can upgrade to libarchive version 3.8.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 8:25 PM
Updated: Jun 9, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.