oss-sec mailing list archives
xar: NULL pointer dereference in xar_unserialize (archive.c)
From: "Agostino Sarubbo" <ago () gentoo org>
Date: Mon, 10 Jul 2017 09:11:48 +0000
Description: xar is an easily extensible archive format. The complete ASan output of the issue: # xar -t -f $FILE ==7615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f71a859ebd6 bp 0x7fffd8ace150 sp 0x7fffd8acde80 T0) ==7615==The signal is caused by a WRITE memory access. ==7615==Hint: address points to the zero page. #0 0x7f71a859ebd5 in xar_unserialize /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/lib/archive.c:1767:27 #1 0x7f71a859ebd5 in xar_open /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/lib/archive.c:340 #2 0x5139ee in list /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/src/xar.c:1492:6 #3 0x5139ee in main /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/src/xar.c:2666 #4 0x7f71a76a2680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #5 0x41af38 in _init (/usr/bin/xar+0x41af38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/lib/archive.c:1767:27 in xar_unserialize ==7615==ABORTING Affected version: 1.6.1 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: CVE-2017-11124 Reproducer: https://github.com/asarubbo/poc/blob/master/00288-xar-nullptr-xar_unserialize Timeline: 2017-06-17: bug discovered and reported to upstream 2017-06-28: blog post about the issue 2017-07-10: CVE assigned Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/06/28/xar-null-pointer-dereference-in-xar_unserialize-archive-c/ -- Agostino Sarubbo Gentoo Linux Developer
Current thread:
- xar: NULL pointer dereference in xar_unserialize (archive.c) Agostino Sarubbo (Jul 10)