Libarchive Off-By-One Write Overflow Vulnerability in USTAR Entry Handling

Vulnerability

A vulnerability exists in the libarchive library prior to version 3.8.0: an off-by-one error in the build_ustar_entry_name function. The function miscalculates the lengths of the ustar prefix and suffix it builds, which can cause a one-byte write past the end of the destination buffer and corrupt adjacent memory. Such memory corruption may lead to unpredictable program behavior or crashes and, in certain situations, could be used as part of a more complex attack.
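As an added illustration (constructed for this page, not libarchive's own code and not a copy of the faulty build_ustar_entry_name logic), the C routine below shows the bounds accounting a ustar writer has to get right: the suffix is counted before the name is fitted into the fixed 100-byte name and 155-byte prefix fields, so the copy can never land one byte past either buffer. The field sizes are the ustar format's; the function name and its fallback behaviour are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not libarchive's code): split a pathname into the
 * ustar 155-byte "prefix" and 100-byte "name" fields, with an optional
 * suffix (e.g. "/" for a directory) appended to the name part.  The suffix
 * is counted *before* the name is fitted into its field, so the fixed-size
 * buffers are never written past their end. */
#define USTAR_NAME_LEN   100
#define USTAR_PREFIX_LEN 155

/* prefix and name must each hold one extra byte for a terminating NUL.
 * Returns 0 on success, -1 if the path cannot be represented in ustar
 * (a real writer would then fall back to a pax extended header). */
int ustar_split_name(const char *path, const char *suffix,
                     char prefix[USTAR_PREFIX_LEN + 1],
                     char name[USTAR_NAME_LEN + 1])
{
    size_t plen = strlen(path);
    size_t slen = suffix ? strlen(suffix) : 0;

    memset(prefix, 0, USTAR_PREFIX_LEN + 1);
    memset(name, 0, USTAR_NAME_LEN + 1);

    /* Whole path plus suffix fits in the name field: no prefix needed. */
    if (plen + slen <= USTAR_NAME_LEN) {
        memcpy(name, path, plen);
        if (slen) memcpy(name + plen, suffix, slen);
        return 0;
    }

    /* Otherwise look for a '/' to split on, scanning from the right: the
     * bytes after the slash (plus the suffix) go in name, the bytes before
     * it go in prefix, and the slash itself is implied by the format. */
    for (size_t i = plen; i-- > 0; ) {
        if (path[i] != '/') continue;
        size_t tail = plen - i - 1;
        /* Every slash further left gives a longer tail, so stop early. */
        if (tail + slen > USTAR_NAME_LEN) return -1;
        if (tail == 0 || i == 0) continue;   /* empty name or empty prefix */
        if (i > USTAR_PREFIX_LEN) continue;  /* prefix too long, try further left */
        memcpy(prefix, path, i);
        memcpy(name, path + i + 1, tail);
        if (slen) memcpy(name + tail, suffix, slen);
        return 0;
    }
    return -1;
}
```

The boundary case to watch is a name whose length plus suffix is exactly the field size: it must fill the field completely without a byte spilling over.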

Impact

Triggering this vulnerability causes a one-byte write overflow. The resulting memory corruption can disrupt program execution or serve as a stepping stone for further exploitation.

Reproduction

The vulnerability can be reproduced by creating a directory structure and archiving it with bsdtar while intentionally adding excessive suffixes to the file name. The overflow can be detected by compiling bsdtar with AddressSanitizer, which reports the out-of-bounds write. Alternatively, it can be observed on a CHERI capability system, which faults immediately on such an error.

Remediation

Users can upgrade to libarchive version 3.8.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 8:17 PM
Updated: Jun 9, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.3
exploitability: 4.6
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.