Date: Tue, 25 Nov 2014 16:34:21 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: cpio heap-based buffer overflow [was Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)]

On 11/23/2014 08:24 PM, Michal Zalewski wrote:
...
> Even grabbing something as seemingly innocuous as cpio, a short spin
> with afl-fuzz (or, probably, anything else) will immediately yield
> this:
>
> http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
>
> It's a file with declared block length of 0xffffffff. That gets us
> here, with the value populated to c_filesize (copyin.c, list_file()):
>
> link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
> link_name[file_hdr->c_filesize] = '\0';
>
> ...where we end up allocating a zero-byte buffer and then promptly
> writing out of bounds (just under the buffer on 32-bit systems or
> somewhere above it on 64-bit).
>
> While it's a single bug in cpio, I have no doubt that many of the
...

Could a CVE please be assigned to the above issue in cpio?

Cheers,

-- 
Murray McAllister / Red Hat Product Security
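The size computation quoted above is worth seeing in isolation: casting the 64-bit field to unsigned int and adding 1 wraps 0xffffffff to 0, so the allocator hands back a zero-byte buffer while the terminator store still uses the original index. The following is an added example written for this page, not cpio's own code; it models the quoted arithmetic in a function of its own and pairs it with a bounds-checked allocation routine. The names unchecked_link_name_size, checked_link_name_size, alloc_link_name and the `limit` cap are all hypothetical choices for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Size the quoted cpio line hands to xmalloc: the field is truncated to
 * unsigned int before 1 is added, so 0xffffffff wraps to 0 on any platform
 * with a 32-bit unsigned int. Returned as size_t to show what the allocator
 * would actually receive. (Hypothetical helper, constructed for this example.) */
size_t unchecked_link_name_size(uintmax_t c_filesize)
{
    return (size_t)((unsigned int) c_filesize + 1);
}

/* Hardened counterpart: reject the header value before doing arithmetic on
 * it. `limit` is an assumed upper bound for a sane link-name length; any
 * c_filesize >= limit is refused, which also rules out the +1 wrapping.
 * Returns 1 and stores the buffer size on success, 0 on rejection. */
int checked_link_name_size(uintmax_t c_filesize, size_t limit, size_t *out)
{
    if (c_filesize >= limit)
        return 0;
    *out = (size_t) c_filesize + 1;   /* cannot overflow: c_filesize < limit <= SIZE_MAX */
    return 1;
}

/* Allocate the link-name buffer only when the size passed validation, so the
 * terminator store at index c_filesize is provably inside the allocation.
 * Returns NULL when the header value is rejected or malloc fails. */
char *alloc_link_name(uintmax_t c_filesize, size_t limit)
{
    size_t n;
    if (!checked_link_name_size(c_filesize, limit, &n))
        return NULL;
    char *link_name = malloc(n);
    if (link_name == NULL)
        return NULL;
    memset(link_name, 0, n);
    link_name[c_filesize] = '\0';     /* in bounds: c_filesize == n - 1 */
    return link_name;
}

int main(void)
{
    const uintmax_t bad = 0xffffffffULL;   /* the declared length from the fuzzer case */
    const size_t limit = (size_t) 1 << 20; /* assumed 1 MiB cap on link-name length */

    printf("unchecked allocation size for 0x%jx: %zu bytes\n",
           bad, unchecked_link_name_size(bad));

    char *p = alloc_link_name(bad, limit);
    printf("checked allocation for 0x%jx: %s\n", bad, p ? "accepted" : "rejected");
    free(p);

    p = alloc_link_name(15, limit);
    printf("checked allocation for 15: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

The check belongs before the cast, not after it: once the value has been narrowed to unsigned int the information needed to detect the wrap is already gone, which is why the hardened routine compares the original c_filesize against the cap and only then forms the buffer size.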