Full Disclosure mailing list archives

libarchive - Out of bounds read using malformed cpio archive

From: Paris Zoumpouloglou <pariszoump () gmail com>

Date: Tue, 28 Apr 2015 14:07:20 +0300

== Background ==

libarchive is a library for manipulating different streaming archive formats, including certain tar variants, several cpio formats, and both BSD and GNU ar variants.

== Affected software ==

bsdtar

== Version ==

All tests were performed using commit 296efb3db188fa4bf7b0e7b5c61d404f9145f0ab

== Description ==

Initial fuzzing was performed using afl-fuzz.

Using a crafted tar file, bsdtar can perform an out-of-bounds memory read which leads to a SEGFAULT. The issue exists when the executable skips data in the archive. The amount of data to skip is defined in byte offset [16-19]. If ASLR is disabled, the issue can lead to high CPU load, and potential CPU exhaustion on single-core hosts.

The issue turned out to be a problem with the cpio reader: libarchive identifies the constructed file as a big-endian binary cpio format with a very large (>2GB) size. An overflow in parsing the size field caused libarchive to treat this size as a negative value, which led to an attempt to skip the file position forward by a negative number of bytes.

== PoC ==

Additional information and the PoC archive can be found here: https://github.com/libarchive/libarchive/issues/502

== Solution ==

The issue was fixed in commit e6c9668f3202215ddb71617b41c19b6f05acf008.

== Timeline ==

2015-01-29 - Initial report
2015-02-02 - Response with proposed fix
2015-02-02 - Fix was confirmed to resolve the issue

== Credits ==

Reported by Paris Zoumpouloglou of Project Zero labs (https://projectzero.gr)

--
Paris Zoumpouloglou
@pzmini0n
https://projectzero.gr

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
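Added illustration of the bug class in the Description section (this is not code from the report or from libarchive itself): a 4-byte big-endian size field that lands in a signed 32-bit type wraps to a negative value once it exceeds 2 GiB, and an unchecked skip then moves the stream position by that negative amount. The hardened variants keep the size unsigned and 64-bit and refuse any skip that is negative or runs past the end of the stream. The sample size bytes, the simulated stream and the function names are all constructed for this example; the field's real offset inside the cpio header is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 4-byte big-endian size field holding 0x80000001
 * (2 GiB + 1). Only the four size bytes are modelled here. */
static const unsigned char SAMPLE_SIZE_FIELD[4] = { 0x80, 0x00, 0x00, 0x01 };

/* Simulated archive stream: current read position and total length. */
struct stream {
    uint64_t pos;
    uint64_t len;
};

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bug pattern from the advisory: the size is kept in a signed 32-bit type,
 * so any value >= 2^31 becomes negative (two's-complement conversion,
 * implementation-defined in C but universal on real targets). */
static int32_t parse_size_unsafe(const unsigned char *p)
{
    return (int32_t)read_be32(p);
}

/* Unchecked skip: a negative request moves the position backwards, which
 * as uint64 arithmetic wraps to a position far beyond the end of stream. */
static void skip_unsafe(struct stream *s, int64_t n)
{
    s->pos += (uint64_t)n;
}

/* Hardened parse: value stays unsigned and 64-bit (can never be negative),
 * and sizes larger than the remaining stream are rejected up front. */
static bool parse_size_checked(const unsigned char *p, const struct stream *s,
                               uint64_t *out)
{
    uint64_t size = read_be32(p);
    if (size > s->len - s->pos)
        return false;
    *out = size;
    return true;
}

/* Hardened skip: refuse negative requests and requests past end of stream. */
static bool skip_checked(struct stream *s, int64_t n)
{
    if (n < 0)
        return false;
    if ((uint64_t)n > s->len - s->pos)
        return false;
    s->pos += (uint64_t)n;
    return true;
}

int main(void)
{
    struct stream s = { 26, 4096 };   /* small constructed archive, header consumed */
    uint64_t size = 0;

    int32_t wrapped = parse_size_unsafe(SAMPLE_SIZE_FIELD);
    printf("unsafe parse of 0x80000001 -> %d\n", (int)wrapped);

    struct stream u = s;
    skip_unsafe(&u, wrapped);
    printf("unsafe skip moved pos to %llu (stream length %llu)\n",
           (unsigned long long)u.pos, (unsigned long long)u.len);

    if (!parse_size_checked(SAMPLE_SIZE_FIELD, &s, &size))
        printf("checked parse: size exceeds remaining stream, rejected\n");
    if (!skip_checked(&s, wrapped))
        printf("checked skip: negative request rejected, pos still %llu\n",
               (unsigned long long)s.pos);
    return 0;
}
```

The two checks are deliberately independent: even if a caller bypasses the size validation, the skip routine still refuses a negative or oversized request, which is the kind of defence-in-depth that turns a crash into a clean "truncated archive" error.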