[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: CVE request: cpio heap-based buffer overflow [was Re: [oss-security] so, can we d
From:       cve-assign () mitre ! org
Date:       2014-11-26 17:14:57
Message-ID: 20141126171457.702D9B2E0C2 () smtpvbsrv1 ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> http://seclists.org/fulldisclosure/2014/Nov/74

>> Even grabbing something as seemingly innocuous as cpio, a short spin
>> with afl-fuzz (or, probably, anything else) will immediately yield
>> this:
>>
>> http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
>>
>> It's a file with declared block length of 0xffffffff. That gets us
>> here, with the value populated to c_filesize (copyin.c, list_file()):
>>
>>    link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
>>    link_name[file_hdr->c_filesize] = '\0';
>>
>> ...where we end up allocating a zero-byte buffer and then promptly
>> writing out of bounds (just under the buffer on 32-bit systems or
>> somewhere above it on 64-bit).

> Could a CVE please be assigned to the above issue in cpio?

Use CVE-2014-9112.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUdgnBAAoJEKllVAevmvmsp80H/3Fh+1yfg7i8W9O9Y/ghfCAz
Bin+VrfprdyXE49ggXWFGu0/RapPaDu5SVZBlvpCYQhcA1/UFuAvI5etL1mjPYVi
XrM2pO4u80TW2GdDe24ChhGj7wmlWoUz6/VSc3Zk/kXTF6aD8tDG7vxkIkvvldrq
muFNoZBf8cZZTHzrr5uHs+8PIJ/XfKw87k504SbCdNrgaXSsrSa0D2L8u9nEfIW2
VZt0SiwGyScbtW0MYSUqRg8Zby4H+2XLtgM1jfqczakHey0Jri84JJ5J5QJxEMBG
dHV53iuCNTNjtF6vi8asT3ifpsvv29uNN53T5Rx2csYa5elozeshgu+mE0fUURE=
=nhR6
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]