Date:      Wed, 24 Mar 2010 19:58:09 +0100 (CET)
From:      Christian Weisgerber <naddy@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   gnu/145010: cpio: buffer overflow in rmt client
Message-ID:  <201003241858.o2OIw9D9078246@lorvorc.mips.inka.de>
Resent-Message-ID: <201003241900.o2OJ0B2d074865@freefall.freebsd.org>


>Number:         145010
>Category:       gnu
>Synopsis:       cpio: buffer overflow in rmt client
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 24 19:00:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Christian Weisgerber
>Release:        FreeBSD 7.3-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD lorvorc.mips.inka.de 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Sat Mar 20 13:36:54 CET 2010 naddy@lorvorc.mips.inka.de:/usr/obj/usr/src/sys/GENERIC amd64

This applies to all branches of FreeBSD.

>Description:

CVE-2010-0624
  Heap-based buffer overflow in the rmt_read__ function in
  lib/rtapelib.c in the rmt client functionality in GNU tar before
  1.23 and GNU cpio before 2.11 allows remote rmt servers to cause
  a denial of service (memory corruption) or possibly execute
  arbitrary code by sending more data than was requested, related
  to archive filenames that contain a : (colon) character.

Also see the original report:
http://www.agrs.tu-berlin.de/index.php?id=78327

>How-To-Repeat:

>Fix:

Index: contrib/cpio/lib/rtapelib.c
===================================================================
RCS file: /home/ncvs/src/contrib/cpio/lib/rtapelib.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 rtapelib.c
--- contrib/cpio/lib/rtapelib.c	1 Oct 2005 04:37:06 -0000	1.1.1.1
+++ contrib/cpio/lib/rtapelib.c	24 Mar 2010 18:55:27 -0000
@@ -570,7 +570,8 @@
 
   sprintf (command_buffer, "R%lu\n", (unsigned long) length);
   if (do_command (handle, command_buffer) == -1
-      || (status = get_status (handle)) == SAFE_READ_ERROR)
+      || (status = get_status (handle)) == SAFE_READ_ERROR
+      || status > length)
     return SAFE_READ_ERROR;
 
   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
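Review bot: the added `|| status > length` rejection returns a bare SAFE_READ_ERROR without setting errno, so a caller cannot distinguish an rmt server that announced more bytes than were requested from an ordinary read failure; setting `errno = EOVERFLOW` before the return, as the second hunk does for the ioctl path, would make the two rejections consistent and give the user a meaningful error. The comparison itself is sound given that `status` is already tested against the unsigned SAFE_READ_ERROR in the same condition, but it is worth confirming that `status` and `length` share the same unsigned type so no sign conversion happens here.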
@@ -706,6 +707,12 @@
 	    || (status = get_status (handle), status == -1))
 	  return -1;
 
+	if (status > sizeof (struct mtop))
+	  {
+	    errno = EOVERFLOW;
+	    return -1;
+	  }
+	
 	for (; status > 0; status -= counter, argument += counter)
 	  {
 	    counter = safe_read (READ_SIDE (handle), argument, status);
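Review bot: the new bound `status > sizeof (struct mtop)` is a fixed constant that is not tied to the buffer the loop below writes through `argument`, whose real size is not visible in this hunk; the check is only right if every caller of this path passes exactly a struct mtop, so the limit should be derived from the actual destination object (for example by passing its size in, or checking against the type handled by the enclosing ioctl case) rather than hard-coded. Minor style point: the blank `+` line after the closing brace carries a trailing tab.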
>Release-Note:
>Audit-Trail:
>Unformatted:
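
As an added illustration, not code from this report or from cpio: a stand-alone C model of the patched rmt_read__ path, which parses the rmt server's `A<count>\n` status reply and applies the `status > length` rejection from the first hunk above. The parser, `rmt_read_checked`, `self_check` and the sample replies are my constructions, and setting errno to EOVERFLOW on rejection is my choice (the first hunk sets no errno).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAFE_READ_ERROR ((size_t) -1)

/* Parse the server's "A<count>\n" status reply from [*stream, end); an
   "E<errno>\n" reply, garbage or a truncated line gives SAFE_READ_ERROR. */
static size_t get_status(const char **stream, const char *end)
{
    const char *p = *stream, *digits;
    size_t n = 0;
    if (p >= end || *p++ != 'A') return SAFE_READ_ERROR;
    for (digits = p; p < end && *p >= '0' && *p <= '9'; p++) {
        if (n > (SIZE_MAX - (size_t)(*p - '0')) / 10)
            return SAFE_READ_ERROR;          /* count does not fit in size_t */
        n = n * 10 + (size_t)(*p - '0');
    }
    if (p == digits || p >= end || *p != '\n') return SAFE_READ_ERROR;
    *stream = p + 1;
    return n;
}

/* Model of the patched rmt_read__: `length` bytes were requested and `reply` is
   the server's answer; the unpatched client copied whatever count the server
   announced into the `length`-byte buffer (CVE-2010-0624). */
size_t rmt_read_checked(const char *reply, size_t reply_len,
                        char *buffer, size_t length)
{
    const char *p = reply, *end = reply + reply_len;
    size_t status = get_status(&p, end);
    if (status == SAFE_READ_ERROR) return SAFE_READ_ERROR;
    if (status > length) {                   /* the check the patch adds */
        errno = EOVERFLOW;                   /* assumed: the patch sets no errno here */
        return SAFE_READ_ERROR;
    }
    if ((size_t)(end - p) < status) return SAFE_READ_ERROR;  /* less data than announced */
    memcpy(buffer, p, status);
    return status;
}

/* Constructed replies: a sane one, and one announcing 64 bytes for a 16-byte
   buffer.  Returns 1 when the first is accepted and the second rejected. */
int self_check(void)
{
    char buf[16];
    return rmt_read_checked("A4\nabcd", 7, buf, sizeof buf) == 4
        && rmt_read_checked("A64\nabcd", 8, buf, sizeof buf) == SAFE_READ_ERROR;
}
```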


