CVE-2015-8932 in libarchive

Summary

by MITRE

The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.


Analysis

by VulDB Data Team • 09/19/2022

The vulnerability identified as CVE-2015-8932 is a critical denial of service flaw in the libarchive library, version 3.1.5 and earlier. The defect sits in the compress_bidder_init function in archive_read_support_filter_compress.c, the initializer of the read filter that handles data in the Unix compress format, so it is reachable through the library's ordinary archive reading path. It affects any application that uses libarchive to process compressed archives, in particular tar archives stored with compress compression. A maliciously crafted tar file carrying specially constructed compress data triggers the flaw and causes the reading application to crash or terminate.

The technical root cause is improper handling of a bit shift operation inside compress_bidder_init. When the library reads the crafted file, it performs a left shift whose count exceeds the width of the type being shifted; in C this is undefined behaviour, and in practice it crashes the application. The defect arises from insufficient input validation and missing boundary checks on values taken from the input before decompression begins. In CWE terms it corresponds to CWE-129, improper validation of an array index or buffer bound, and CWE-755, improper handling of exceptional (error) conditions.

The operational impact of CVE-2015-8932 goes beyond a single application crash, since remote attackers can use it to disrupt any service that depends on libarchive. Systems that process untrusted archives, including web servers, file processing applications, and automated backup systems, are exposed. Triggering the flaw requires no special privileges and nothing more than delivering a crafted file, which makes it especially dangerous wherever files are processed automatically. The scenario maps to ATT&CK technique T1204.002 (User Execution: Malicious File): an attacker crafts a tar file that causes the crash during normal file processing. Affected software includes, but is not limited to, file managers, backup utilities, web applications that accept file uploads, and content delivery systems that unpack compressed archives.

The primary mitigation for CVE-2015-8932 is to upgrade to libarchive 3.2.0 or later, where the flaw is resolved through proper input validation and boundary checking. System administrators should prioritize patching applications that rely on libarchive, especially those that handle untrusted file inputs. Input sanitization and validation in front of the library adds defense in depth: even where the library cannot be updated immediately, malicious files can be detected and rejected before they reach the vulnerable code path. Network-level controls such as content filtering and file type validation can block suspicious archives before they are processed at all. Organizations should also monitor and alert on application crashes and unexpected terminations, since these events may indicate exploitation attempts. The fix in libarchive 3.2.0 addresses the core issue by validating bit shift operations against acceptable ranges, so the invalid left shift that previously caused the crash can no longer occur.
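The root-cause paragraph above describes an unchecked shift count taken from input, and the mitigation paragraph describes the remedy as range-validating that count before it is used. The following C program is an added example written for this page, not libarchive's own code and not the actual 3.2.0 patch. It assumes the three-byte header of the Unix compress (.Z) format: the magic bytes 0x1f 0x9d, then a flags byte whose low five bits give the maximum LZW code width (valid range 9 to 16) and whose top bit selects block mode. Which field libarchive shifted in the original bug is not stated on this page; the header width is used here only because it is the natural untrusted value that a compress filter turns into a `1 << bits` table size. The function names `parse_compress_header` and `shift_count_ok` and the sample headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not libarchive's code. A defensive parser for the
 * three-byte header of the Unix "compress" (.Z) format. The security
 * point is the range check on the announced code width BEFORE it is
 * used as a shift count: `1 << bits` is only defined in C for
 * 0 <= bits < width of the promoted type, and a real decoder sizes its
 * tables for at most 16-bit codes. */

enum hdr_status {
    HDR_OK = 0,
    HDR_TOO_SHORT,   /* fewer than three bytes available */
    HDR_BAD_MAGIC,   /* not a compress stream at all */
    HDR_BAD_BITS     /* code width outside 9..16: reject without shifting */
};

struct compress_hdr {
    unsigned max_bits;   /* maximum code width announced by the header */
    int      block_mode; /* 1 if bit 7 of the flags byte is set */
    uint32_t max_code;   /* 1u << max_bits: number of codes the tables must hold */
};

#define COMPRESS_MAGIC_1  0x1f
#define COMPRESS_MAGIC_2  0x9d
#define COMPRESS_MIN_BITS 9
#define COMPRESS_MAX_BITS 16

/* Returns 1 if `bits` is a shift count that is both well-defined for a
 * 32-bit operand and within the decoder's fixed table limit. */
int shift_count_ok(unsigned bits)
{
    return bits >= COMPRESS_MIN_BITS && bits <= COMPRESS_MAX_BITS;
}

enum hdr_status parse_compress_header(const uint8_t *buf, size_t len,
                                      struct compress_hdr *out)
{
    if (len < 3)
        return HDR_TOO_SHORT;
    if (buf[0] != COMPRESS_MAGIC_1 || buf[1] != COMPRESS_MAGIC_2)
        return HDR_BAD_MAGIC;

    unsigned bits = buf[2] & 0x1f;  /* attacker-controlled, 0..31 after masking */

    /* The check the vulnerable pattern lacks. Without it a flags byte of
     * 0x1f asks for a 31-bit width: `1 << 31` on a signed int is undefined
     * behaviour, and any in-range result would still size the code table
     * far beyond what the decoder allocated. */
    if (!shift_count_ok(bits))
        return HDR_BAD_BITS;

    out->max_bits   = bits;
    out->block_mode = (buf[2] & 0x80) != 0;
    out->max_code   = 1u << bits;   /* safe: bits is now known to be 9..16 */
    return HDR_OK;
}

/* Constructed sample headers (not real-world samples) for a self-check. */
static const uint8_t HDR_VALID[]      = { 0x1f, 0x9d, 0x90 }; /* block mode, 16 bits */
static const uint8_t HDR_TOO_WIDE[]   = { 0x1f, 0x9d, 0x9f }; /* 31 bits: must reject */
static const uint8_t HDR_TOO_NARROW[] = { 0x1f, 0x9d, 0x85 }; /* 5 bits: must reject */
static const uint8_t HDR_NOT_Z[]      = { 0x1f, 0x8b, 0x08 }; /* gzip magic: not ours */

int main(void)
{
    struct compress_hdr h;
    enum hdr_status s = parse_compress_header(HDR_VALID, sizeof HDR_VALID, &h);
    printf("valid:      status=%d max_bits=%u max_code=%u block_mode=%d\n",
           s, h.max_bits, h.max_code, h.block_mode);
    printf("too wide:   status=%d\n",
           parse_compress_header(HDR_TOO_WIDE, sizeof HDR_TOO_WIDE, &h));
    printf("too narrow: status=%d\n",
           parse_compress_header(HDR_TOO_NARROW, sizeof HDR_TOO_NARROW, &h));
    printf("not .Z:     status=%d\n",
           parse_compress_header(HDR_NOT_Z, sizeof HDR_NOT_Z, &h));
    return 0;
}
```

The design choice worth copying is that the rejection happens on the raw field, before any arithmetic derived from it: a bidder or initializer that returns "not my format" for an out-of-range width never reaches the shift, the table allocation, or the decoding loop, which is exactly the class of check the mitigation paragraph credits the 3.2.0 fix with. Compiling with `-fsanitize=undefined` and feeding the `HDR_TOO_WIDE` sample to a version of the parser without the check reports the shift as an error, which is a cheap regression test to keep around.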

Reservation

06/17/2016

Disclosure

09/20/2016

Moderation

accepted

Entry

VDB-91771

CPE

ready

EPSS

0.02222

KEV

no

Activities

very low

Sources
