CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)]

[Murray McAllister <mmcallis () redhat com>]

On 11/23/2014 08:24 PM, Michal Zalewski wrote:

...

> Even grabbing something as seemingly innocuous as cpio, a short spin
> with afl-fuzz (or, probably, anything else) will immediately yield
> this:
>
> http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
>
> It's a file with declared block length of 0xffffffff. That gets us
> here, with the value populated to c_filesize (copyin.c, list_file()):
>
>    link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
>    link_name[file_hdr->c_filesize] = '\0';
>
> ...where we end up allocating a zero-byte buffer and then promptly
> writing out of bounds (just under the buffer on 32-bit systems or
> somewhere above it on 64-bit).
>
> While it's a single bug in cpio, I have no doubt that many of the

...

Could a CVE please be assigned to the above issue in cpio?

Cheers,

--
Murray McAllister / Red Hat Product Security