Date: Wed, 26 Nov 2014 12:14:57 -0500 (EST)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: cpio heap-based buffer overflow [was Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)]

>> http://seclists.org/fulldisclosure/2014/Nov/74

>> Even grabbing something as seemingly innocuous as cpio, a short spin
>> with afl-fuzz (or, probably, anything else) will immediately yield
>> this:
>>
>> http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
>>
>> It's a file with declared block length of 0xffffffff. That gets us
>> here, with the value populated to c_filesize (copyin.c, list_file()):
>>
>>    link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
>>    link_name[file_hdr->c_filesize] = '\0';
>>
>> ...where we end up allocating a zero-byte buffer and then promptly
>> writing out of bounds (just under the buffer on 32-bit systems or
>> somewhere above it on 64-bit).

> Could a CVE please be assigned to the above issue in cpio?

Use CVE-2014-9112.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
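
The wraparound described in the quoted report, shown as an added example that is not part of the original message and is not cpio's code. It models `c_filesize` as a `uint64_t`; `MAX_LINK_NAME`, `quoted_alloc_size` and `read_link_name_checked` are hypothetical names, and the sample link data is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: cap on a symlink target length, chosen for this example. */
#define MAX_LINK_NAME 4096u

/* Size the quoted xmalloc() call requests: the cast truncates c_filesize
 * to 32 bits, then + 1 wraps 0xffffffff around to 0. */
static unsigned int quoted_alloc_size(uint64_t c_filesize)
{
    return (unsigned int) c_filesize + 1;
}

/* Hypothetical hardened reader: validate the declared size against a cap
 * and against the bytes actually available before allocating or indexing.
 * Returns a NUL-terminated copy, or NULL if the header is rejected. */
static char *read_link_name_checked(const unsigned char *data, size_t avail,
                                    uint64_t c_filesize)
{
    if (c_filesize == 0 || c_filesize > MAX_LINK_NAME || c_filesize > avail)
        return NULL;               /* empty, oversized or truncated entry */
    size_t n = (size_t) c_filesize;
    char *link_name = malloc(n + 1);   /* n <= 4096, so n + 1 cannot wrap */
    if (link_name == NULL)
        return NULL;
    memcpy(link_name, data, n);
    link_name[n] = '\0';           /* index is within the n + 1 bytes */
    return link_name;
}

int main(void)
{
    /* Constructed sample: link data as it would follow a cpio header. */
    const unsigned char body[] = "target";
    uint64_t declared = 0xffffffffu;   /* block length from the report */

    printf("quoted code allocates %u byte(s), then writes at index %llu\n",
           quoted_alloc_size(declared), (unsigned long long) declared);
    char *bad = read_link_name_checked(body, 6, declared);
    char *ok = read_link_name_checked(body, 6, 6);
    printf("checked reader: 0xffffffff -> %s, 6 -> %s\n",
           bad ? bad : "rejected", ok ? ok : "rejected");
    free(bad);
    free(ok);
    return 0;
}
```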