From owner-freebsd-bugs@FreeBSD.ORG Wed Mar 24 19:00:12 2010
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Wed, 24 Mar 2010 19:00:11 GMT
Resent-Message-Id: <201003241900.o2OJ0B2d074865@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Christian Weisgerber
Message-Id: <201003241858.o2OIw9D9078246@lorvorc.mips.inka.de>
Date: Wed, 24 Mar 2010 19:58:09 +0100 (CET)
From: Christian Weisgerber
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: gnu/145010: cpio: buffer overflow in rmt client
Reply-To: Christian Weisgerber
X-Send-Pr-Version: 3.113
List-Id: Bug reports
X-List-Received-Date: Wed, 24 Mar 2010 19:00:12 -0000

>Number:         145010
>Category:       gnu
>Synopsis:       cpio: buffer overflow in rmt client
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 24 19:00:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Christian Weisgerber
>Release:        FreeBSD 7.3-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD lorvorc.mips.inka.de 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Sat Mar 20 13:36:54 CET 2010 naddy@lorvorc.mips.inka.de:/usr/obj/usr/src/sys/GENERIC amd64

This applies to all branches of FreeBSD.
>Description:
CVE-2010-0624

Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character.

Also see the original report:
http://www.agrs.tu-berlin.de/index.php?id=78327
>How-To-Repeat:
>Fix:
Index: contrib/cpio/lib/rtapelib.c
===================================================================
RCS file: /home/ncvs/src/contrib/cpio/lib/rtapelib.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 rtapelib.c
--- contrib/cpio/lib/rtapelib.c 1 Oct 2005 04:37:06 -0000 1.1.1.1
+++ contrib/cpio/lib/rtapelib.c 24 Mar 2010 18:55:27 -0000
@@ -570,7 +570,8 @@ sprintf (command_buffer, "R%lu\n", (unsigned long) length); if (do_command (handle, command_buffer) == -1 - || (status = get_status (handle)) == SAFE_READ_ERROR) + || (status = get_status (handle)) == SAFE_READ_ERROR + || status > length) return SAFE_READ_ERROR; for (counter = 0; counter < status; counter += rlen, buffer += rlen) @@ -706,6 +707,12 @@ || (status = get_status (handle), status == -1)) return -1; + if (status > sizeof (struct mtop)) + { + errno = EOVERFLOW; + return -1; + } + for (; status > 0; status -= counter, argument += counter) { counter = safe_read (READ_SIDE (handle), argument, status); >Release-Note: >Audit-Trail: >Unformatted:
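Review bot: in the first hunk (@@ -570), the new `|| status > length` test returns SAFE_READ_ERROR without setting errno and without tearing the connection down, so the caller sees a generic read failure and the over-long payload the server announced is never consumed: it stays queued on the read side of the handle and will be parsed as the reply to the next command sent over it. Treat an oversized reply as a protocol violation that closes the handle, and set errno (the second hunk's `errno = EOVERFLOW;` is the obvious choice) so the failure is reported for what it is.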
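Review bot: in the second hunk (@@ -706), confirm that `sizeof (struct mtop)` is the size of the object `argument` points to in this ioctl case, because the check is only as good as that type name. The loop below copies `status` bytes, the count announced by the server, into `argument`; if that buffer is really a `struct mtget` (larger than `struct mtop`), every correctly sized reply exceeds the bound and fails with EOVERFLOW, which disables the operation rather than bounding it. Tying the bound to the buffer rather than to a hand-named type (pass the buffer size into the function, or write `sizeof (*(struct mtop *) argument)` next to the cast that uses it) avoids the two drifting apart. Minor: `status` is signed here (it is tested against -1 on the line above) while `sizeof` is size_t, so the comparison is done unsigned; that is safe only because -1 was rejected first, and a one-line comment would stop someone reordering the tests.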
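The rmt read exchange behind CVE-2010-0624, as an added example that is not part of this PR or of the tar/cpio sources: a client that copies however many bytes the server announces, beside the bounded version the patch introduces. The in-memory stream type, the `get_status` parser and the malicious server reply are all constructed for the example (the real code reads from a pipe or socket to the remote rmt server); the caller's 16-byte buffer and a canary region share one allocation so the overflow can be observed without undefined behaviour.

```c
/* Added example, not tar/cpio code.  Build: cc -std=c99 -Wall rmt_demo.c */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_READ_ERROR ((size_t) -1)

/* Constructed stand-in for the read side of the connection to the rmt server. */
struct rmt_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Pull up to n bytes from the stream, in the role of safe_read(). */
static size_t stream_read(struct rmt_stream *s, void *out, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Parse the server's status line: "A<count>\n" on success, anything else is
 * treated as an error.  Returns the announced count, or -1 on error. */
static long get_status(struct rmt_stream *s) {
    char line[32];
    size_t i = 0;
    unsigned char c;
    while (i < sizeof line - 1 && stream_read(s, &c, 1) == 1) {
        if (c == '\n') break;
        line[i++] = (char) c;
    }
    line[i] = '\0';
    if (line[0] != 'A') { errno = EIO; return -1; }
    char *end;
    long n = strtol(line + 1, &end, 10);
    if (*end != '\0' || n < 0) { errno = EINVAL; return -1; }
    return n;
}

/* Pre-patch shape of rmt_read__: the caller asked for `length` bytes, but the
 * client copies whatever count the server announced.  A server answering
 * "A40" to "R16" writes 40 bytes into a 16-byte heap buffer. */
static size_t rmt_read_unchecked(struct rmt_stream *s, char *buffer, size_t length) {
    size_t status, rlen = 0, counter;
    (void) length;                      /* never compared against status */
    if ((status = (size_t) get_status(s)) == SAFE_READ_ERROR) return SAFE_READ_ERROR;
    for (counter = 0; counter < status; counter += rlen, buffer += rlen) {
        rlen = stream_read(s, buffer, status - counter);
        if (rlen == 0) { errno = EIO; return SAFE_READ_ERROR; }
    }
    return status;
}

/* Patched shape: a reply larger than the request is rejected before any
 * payload byte is copied, and errno says why. */
static size_t rmt_read_checked(struct rmt_stream *s, char *buffer, size_t length) {
    size_t status, rlen = 0, counter;
    if ((status = (size_t) get_status(s)) == SAFE_READ_ERROR) return SAFE_READ_ERROR;
    if (status > length) { errno = EOVERFLOW; return SAFE_READ_ERROR; }
    for (counter = 0; counter < status; counter += rlen, buffer += rlen) {
        rlen = stream_read(s, buffer, status - counter);
        if (rlen == 0) { errno = EIO; return SAFE_READ_ERROR; }
    }
    return status;
}

/* Constructed malicious reply to "R16\n": announces 40 bytes and sends them. */
static const unsigned char evil_reply[] =
    "A40\n" "XXXXXXXXXX" "XXXXXXXXXX" "XXXXXXXXXX" "XXXXXXXXXX";

#define REQ_LEN    16   /* what the caller asked for and allocated */
#define CANARY_LEN 32   /* neighbouring bytes; sized to contain the 40-byte reply */

struct read_result { size_t status; size_t clobbered; };

/* Lay the caller's buffer and a 0xAA canary region out in one allocation and
 * count how many canary bytes the reader overwrote. */
static struct read_result run_read(size_t (*reader)(struct rmt_stream *, char *, size_t)) {
    struct read_result r;
    char *region = malloc(REQ_LEN + CANARY_LEN);
    memset(region, 0xAA, REQ_LEN + CANARY_LEN);
    struct rmt_stream s = { evil_reply, sizeof evil_reply - 1, 0 };
    r.status = reader(&s, region, REQ_LEN);
    r.clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if ((unsigned char) region[REQ_LEN + i] != 0xAA) r.clobbered++;
    free(region);
    return r;
}

int main(void) {
    struct read_result a = run_read(rmt_read_unchecked);
    struct read_result b = run_read(rmt_read_checked);
    printf("unchecked: status=%zu, canary bytes clobbered=%zu\n", a.status, a.clobbered);
    printf("checked:   status=%s, canary bytes clobbered=%zu\n",
           b.status == SAFE_READ_ERROR ? "SAFE_READ_ERROR" : "ok", b.clobbered);
    return 0;
}
```

The unchecked reader reports a successful 40-byte read and has overwritten 24 bytes past the caller's buffer; the checked reader refuses the reply with EOVERFLOW and leaves the neighbouring bytes untouched. The same pattern, trusting a length field supplied by the peer over the size of the buffer you own, is what to look for in any client that talks a line-oriented protocol like rmt.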