oss-sec mailing list archives
CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)]
From: Murray McAllister <mmcallis () redhat com>
Date: Tue, 25 Nov 2014 16:34:21 +1100
On 11/23/2014 08:24 PM, Michal Zalewski wrote: ...
Even grabbing something as seemingly innocuous as cpio, a short spin with afl-fuzz (or, probably, anything else) will immediately yield this: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio It's a file with declared block length of 0xffffffff. That gets us here, with the value populated to c_filesize (copyin.c, list_file()): link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1); link_name[file_hdr->c_filesize] = '\0'; ...where we end up allocating a zero-byte buffer and then promptly writing out of bounds (just under the buffer on 32-bit systems or somewhere above it on 64-bit). While it's a single bug in cpio, I have no doubt that many of the
... Could a CVE please be assigned to the above issue in cpio? Cheers, -- Murray McAllister / Red Hat Product Security
Current thread:
- so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michal Zalewski (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Bernhard Hermann (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Lionel Debroux (Nov 23)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Michael Samuel (Nov 23)
- CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)] Murray McAllister (Nov 24)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Alexander Cherepanov (Dec 11)
- Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) Hanno Böck (Nov 23)