oss-sec mailing list archives
Re: Pointer misuse unziping files with busybox
From: cve-assign () mitre org
Date: Tue, 3 Nov 2015 16:00:46 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e

Unzipping a specially crafted zip file results in a computation of an invalid pointer and a crash reading an invalid address.
BusyBox wouldn't realistically be used for deployment of a program that remains running to offer an unzipping service to multiple clients.
There are several distributions including Alpine Linux, widely used in container environments, which by default use busybox to provide the unzip utility. Unzipping of any files downloaded by the user, possibly from untrusted sources, may be affected. I believe a CVE is appropriate for user-facing programs commonly used to open untrusted files even without an automated process accepting and processing potentially-malicious files from a client.
We'll try to add some information about what we're looking for.

1. If the product were a library that decompresses untrusted files, then the existence of a crash would be enough to assign a CVE ID. The rationale is that a library might have been used to develop a program that needs to remain running even after one bad file is encountered.

2. Many products that aren't libraries have no need to remain running after a bad file is encountered. If the only possible problem is "a crash reading an invalid address" and there is no way to write to an invalid address or change the flow of control, then there typically can't be a CVE ID. Typically, a simple and complete workaround for the crash problem is to not try to unzip the bad file again.
From: Gustavo Grieco <gustavo.grieco () gmail com> Date: Fri, 30 Oct 2015 09:38:47 -0300
Could you please comment directly about the likelihood of exploitability for code execution?
To be honest, I don't know. The patched code looks quite complex and I cannot discard any potential arbitrary write there.
We currently prefer not to assign CVE IDs when the available information is "a crash reading an invalid address" in combination with "cannot discard any potential arbitrary write."

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWOR/wAAoJEL54rhJi8gl5Y/MQAMu/aVQBoFhPCvqyvrG0ABiz
K6kfDNA+d9mus1GqKju007FM7l3YEjvVfBTP/yQy1xfwBlWtgJHPK4Xc5/VDNo2z
lqop/O85DB+dV2sswcR8C7lqplLwCS5RocT5nyi8wF2YadAFgWk/WZVX9dgpWQF7
wODx8HBTH2aLVOoNTGNZY4srRFACMFi6jycvrBZkbDfOvxeYU6sKZDU+ZxA8zU8X
ULsDr6xqS+XRQBu2JExX6WyTQHRcS90Errti5k0GhghbPrcTB2eXGpDOFQ+AScAi
KSbx7zV9ngBHNXPNuXoQ1WAeUUD5L1P69zMfy8asxBdLOQWTK0PrZNMKPxwbOD9R
UqzbeztiBJ9uS6fnKGWeTyLH3+5vtvBSB+UA3NSaIayAN2GXJfGaKHLYeEDovAUr
kuaN8gvya/y5cce0NtvUcz/Z5BiJEfE2CEaY24f/FJ8ZqXKEjEO0sIG6nNMUH8Zy
8d3HSsigsLesGpLdUFpD4kLxUjyMYkUew0CXVZ6STHX1wpcRUUksot9KocHybFXw
KKoPSbMi27C2tgYIrFdJn4wHIU4hJFgqDQh1QjVRcq1H+6aNcdwxbLb+WQBSA0ze
bzXG0r5Q0NW4AqFW/jaU29ACcylqnVsPilbbQ6hG/n5l4+gkAT0su7x75k+NPaI0
ezjjs0eDQnlnp00K7930
=xHYl
-----END PGP SIGNATURE-----
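The Alpine point made in the thread (that some distributions ship `unzip` as a BusyBox applet rather than Info-ZIP's unzip) raises a practical question for anyone triaging this on their own hosts: which implementation does `unzip` actually resolve to? The following shell check is an added example for this archive page, not code from the thread or from BusyBox. It assumes the usual BusyBox layout where applets are symlinks to the `busybox` binary, and falls back to the usage banner the binary prints for hardlinked or renamed copies (BusyBox applets print "BusyBox v..." in their help text, Info-ZIP prints "UnZip ..."; both assumed here).

```shell
#!/bin/sh
# Added example (not from the thread or the BusyBox project): report which
# implementation provides the "unzip" command on a host. Alpine and other
# BusyBox-based distributions install unzip as a BusyBox applet, i.e. a
# symlink to the busybox binary, so a fix for the busybox unzip code path
# matters on such systems even though no "unzip" package is installed.
#
# Usage: unzip_provider [path]   (defaults to the unzip found in PATH)
# Prints "busybox", "info-zip", or "unknown".

unzip_provider() {
    bin=${1:-$(command -v unzip 2>/dev/null)}
    [ -n "$bin" ] || { echo "unknown"; return 1; }

    # Follow symlinks: on Alpine, /usr/bin/unzip -> /bin/busybox.
    target=$(readlink -f "$bin" 2>/dev/null || echo "$bin")
    case $(basename "$target") in
        busybox) echo "busybox"; return 0 ;;
    esac

    # Hardlinked or renamed copies: fall back to the banner the binary prints
    # when run without arguments. Assumption: BusyBox applets print
    # "BusyBox vX.Y.Z" in their usage text, Info-ZIP prints "UnZip X.Y".
    banner=$("$target" 2>&1 | head -n 3)
    case $banner in
        *BusyBox*) echo "busybox" ;;
        *UnZip*)   echo "info-zip" ;;
        *)         echo "unknown" ;;
    esac
}

unzip_provider "$@"
```

Run it with no argument to inspect the `unzip` on PATH, or pass an explicit path (for example the binary inside an extracted container image) to check a filesystem that is not the running one.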
Current thread:
- Pointer misuse unziping files with busybox Gustavo Grieco (Oct 25)
- Re: Pointer misuse unziping files with busybox Gustavo Grieco (Oct 26)
- Re: Pointer misuse unziping files with busybox cve-assign (Oct 28)
- Re: Pointer misuse unziping files with busybox Gustavo Grieco (Oct 30)
- Re: Re: Pointer misuse unziping files with busybox Rich Felker (Oct 30)
- Re: Pointer misuse unziping files with busybox cve-assign (Nov 03)