Message-ID: <553F69E8.5090102@gmail.com>
Date: Tue, 28 Apr 2015 14:07:20 +0300
From: Paris Zoumpouloglou <pariszoump@...il.com>
To: fulldisclosure@...lists.org
Cc: cve-assign@...re.org
Subject: [FD] libarchive - Out of bounds read using malformed cpio archive

== Background ==

libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.

== Affected software ==

bsdtar

== Version ==

All tests were performed using commit
296efb3db188fa4bf7b0e7b5c61d404f9145f0ab

== Description ==

Initial fuzzing was performed using afl-fuzz.

Using a crafted tar file, bsdtar can perform an out-of-bounds memory read
which leads to a SEGFAULT. The issue exists when the executable skips data
in the archive. The amount of data to skip is defined in byte offset
[16-19]. If ASLR is disabled, the issue can lead to high CPU load and
potential CPU exhaustion on single-core hosts.

The issue turned out to be a problem with the cpio reader: libarchive
identifies the constructed file as a big-endian binary cpio format with a
very large (>2GB) size. An overflow in parsing the size field caused
libarchive to treat this size as a negative value, which led to an attempt
to skip the file position forward by a negative number of bytes.
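The size-field overflow described above, as an added example that is not libarchive's own code: a minimal reader for the old big-endian binary cpio header (field offsets are assumed from that format's standard layout, not taken from this advisory), showing the 32-bit size assembled into a plain int beside the widened unsigned form, plus a skip routine that rejects a negative or oversized length. The header bytes are constructed for the example.

```c
#include <stdint.h>
/* The old binary (big-endian) cpio header is 26 bytes. Offsets below are the
 * standard layout of that format (an assumption here, not from the advisory):
 * 2-byte fields are big-endian, filesize is a 4-byte big-endian value. */
#define BIN_MAGIC    0x71c7u   /* 070707 octal */
#define BIN_HDR_SIZE 26
#define BIN_NAMESIZE 20
#define BIN_FILESIZE 22

struct cpio_entry { uint16_t namesize; int64_t filesize; };

/* Vulnerable pattern: a 32-bit field assembled into a plain int, so sizes of
 * 2 GiB and above come out negative (implementation-defined conversion). */
static int be4_as_int(const unsigned char *p) {
    return (int)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Fixed pattern: keep the field unsigned and widen it to int64_t. */
static int64_t be4_as_i64(const unsigned char *p) {
    return (int64_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

static uint16_t be2(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the magic does not match. */
static int read_bin_be_header(const unsigned char *h, struct cpio_entry *e) {
    if (be2(h) != BIN_MAGIC) return -1;
    e->namesize = be2(h + BIN_NAMESIZE);
    e->filesize = be4_as_i64(h + BIN_FILESIZE);
    return 0;
}

/* Bytes to skip past an entry's data (padded to an even length). A negative
 * size, or one beyond the bytes remaining, is rejected rather than seeked by. */
static int64_t skip_length(int64_t filesize, int64_t remaining) {
    if (filesize < 0) return -1;
    int64_t padded = filesize + (filesize & 1);
    return padded > remaining ? -1 : padded;
}

/* Constructed header: magic, zeroed metadata, namesize 8, filesize 0x80000000. */
static const unsigned char sample_hdr[BIN_HDR_SIZE] = {
    0x71, 0xc7, 0,0, 0,0, 0,0, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,8, 0x80,0,0,0 };

/* File size parsed from the constructed header, or -1 on bad magic. */
static int64_t sample_filesize(void) {
    struct cpio_entry e;
    return read_bin_be_header(sample_hdr, &e) == 0 ? e.filesize : -1;
}
```

With the plain-int reader the 2 GiB size is negative, which is the value the skip would have been attempted with; the widened form keeps it positive and the bounded skip refuses it when the archive is shorter.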

== PoC ==

Additional information and the PoC archive can be found at:
https://github.com/libarchive/libarchive/issues/502

== Solution ==

The issue was fixed in commit e6c9668f3202215ddb71617b41c19b6f05acf008.

== Timeline ==

2015-01-29 - Initial report
2015-02-02 - Response with proposed fix
2015-02-02 - Fix was confirmed to resolve the issue

== Credits ==

Reported by Paris Zoumpouloglou of Project Zero labs
(https://projectzero.gr)

-- 
Paris Zoumpouloglou
@pzmini0n

https://projectzero.gr
