Date: Tue, 25 Nov 2014 16:34:21 +1100 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE request: cpio heap-based buffer overflow [was Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)] On 11/23/2014 08:24 PM, Michal Zalewski wrote: ... > Even grabbing something as seemingly innocuous as cpio, a short spin > with afl-fuzz (or, probably, anything else) will immediately yield > this: > > http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio > > It's a file with declared block length of 0xffffffff. That gets us > here, with the value populated to c_filesize (copyin.c, list_file()): > > link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1); > link_name[file_hdr->c_filesize] = '\0'; > > ...where we end up allocating a zero-byte buffer and then promptly > writing out of bounds (just under the buffer on 32-bit systems or > somewhere above it on 64-bit). > > While it's a single bug in cpio, I have no doubt that many of the ... Could a CVE please be assigned to the above issue in cpio? Cheers, -- Murray McAllister / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.