Re: CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we do something about lesspipe? (+ a cpio bug to back up the argument)]

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > http://seclists.org/fulldisclosure/2014/Nov/74

> > Even grabbing something as seemingly innocuous as cpio, a short spin
> > with afl-fuzz (or, probably, anything else) will immediately yield
> > this:
> >
> > http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
> >
> > It's a file with declared block length of 0xffffffff. That gets us
> > here, with the value populated to c_filesize (copyin.c, list_file()):
> >
> >    link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
> >    link_name[file_hdr->c_filesize] = '\0';
> >
> > ...where we end up allocating a zero-byte buffer and then promptly
> > writing out of bounds (just under the buffer on 32-bit systems or
> > somewhere above it on 64-bit).

> Could a CVE please be assigned to the above issue in cpio?

Use CVE-2014-9112.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdgnBAAoJEKllVAevmvmsp80H/3Fh+1yfg7i8W9O9Y/ghfCAz
Bin+VrfprdyXE49ggXWFGu0/RapPaDu5SVZBlvpCYQhcA1/UFuAvI5etL1mjPYVi
XrM2pO4u80TW2GdDe24ChhGj7wmlWoUz6/VSc3Zk/kXTF6aD8tDG7vxkIkvvldrq
muFNoZBf8cZZTHzrr5uHs+8PIJ/XfKw87k504SbCdNrgaXSsrSa0D2L8u9nEfIW2
VZt0SiwGyScbtW0MYSUqRg8Zby4H+2XLtgM1jfqczakHey0Jri84JJ5J5QJxEMBG
dHV53iuCNTNjtF6vi8asT3ifpsvv29uNN53T5Rx2csYa5elozeshgu+mE0fUURE=
=nhR6
-----END PGP SIGNATURE-----