Date:      Fri, 19 Feb 2016 21:50:51 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
Message-ID:  <bug-207362-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

            Bug ID: 207362
           Summary: Crafted gzip archive causes tar(1) to exhaust all your
                    memory
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fuz@fuz.su

Created attachment 167205
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167205&action=edit
gzip quine, unpacks to itself

The FreeBSD tar(1) program uses a heuristic to check if an archive file is
compressed. If it is, it calls into an appropriate library to receive a
decompressed stream. Then it applies the heuristic again to catch the case of
an archive that has been compressed multiple times. There is no limit to the
number of recursive decompressions.

Using a crafted gzip file (the attached file is a quine that unpacks to
itself), one can get tar(1) to invoke an infinite chain of gzip compressors
until all the memory on the machine running tar(1) has been exhausted or
another resource limit kicks in.

I see this behaviour as a bug and security problem. It can be used to perform
denial-of-service attacks against machines that run FreeBSD and use tar(1) to
list the contents of untrusted archives.

-- 
You are receiving this mail because:
You are the assignee for the bug.
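
The missing limit described in the report, sketched as an added example (not code from the report, from tar(1) or from libarchive): a loop that re-applies a "looks compressed?" check after each decompression, but stops at a maximum nesting depth and a per-layer output budget. The gzip-magic-only check, the names peel_layers, gunzip_bounded and nest, and the limits of 4 layers and 1 MiB are assumptions chosen for illustration; the sample input is constructed.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member


class TooManyLayers(Exception):
    """More nested compression layers than the caller allows."""


class OutputTooLarge(Exception):
    """A single layer expands past the caller's byte budget."""


def gunzip_bounded(data, max_output):
    """Decompress one gzip layer, refusing to produce more than max_output bytes."""
    d = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip container
    out = d.decompress(data, max_output + 1)  # ask for one byte past the budget
    if len(out) > max_output:
        raise OutputTooLarge(f"layer expands past {max_output} bytes")
    return out


def peel_layers(data, max_depth=4, max_output=1 << 20):
    """Strip nested gzip layers; return (layers_removed, innermost_bytes)."""
    depth = 0
    while data[:2] == GZIP_MAGIC:  # same "looks compressed?" test at every level
        if depth == max_depth:
            raise TooManyLayers(f"more than {max_depth} nested gzip layers")
        data = gunzip_bounded(data, max_output)
        depth += 1
    return depth, data


def nest(payload, layers):
    """Build constructed test input: payload gzipped `layers` times."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


SAMPLE = b"constructed sample payload, not a real tar archive\n"

if __name__ == "__main__":
    print(peel_layers(nest(SAMPLE, 3)))
    try:
        peel_layers(nest(SAMPLE, 10))
    except TooManyLayers as exc:
        print("rejected:", exc)
```

Without the depth check, an input whose decompressed form again starts with the gzip magic keeps the while loop running indefinitely; with it, the loop ends after max_depth iterations regardless of the input.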


