gnu/145010: cpio: buffer overflow in rmt client
Christian Weisgerber
naddy at FreeBSD.org
Wed Mar 24 19:00:12 UTC 2010
>Number: 145010
>Category: gnu
>Synopsis: cpio: buffer overflow in rmt client
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 24 19:00:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Christian Weisgerber
>Release: FreeBSD 7.3-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD lorvorc.mips.inka.de 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Sat Mar 20 13:36:54 CET 2010 naddy at lorvorc.mips.inka.de:/usr/obj/usr/src/sys/GENERIC amd64
This applies to all branches of FreeBSD.
>Description:
CVE-2010-0624
Heap-based buffer overflow in the rmt_read__ function in
lib/rtapelib.c in the rmt client functionality in GNU tar before
1.23 and GNU cpio before 2.11 allows remote rmt servers to cause
a denial of service (memory corruption) or possibly execute
arbitrary code by sending more data than was requested, related
to archive filenames that contain a : (colon) character.
Also see the original report:
http://www.agrs.tu-berlin.de/index.php?id=78327
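As an added example (not code from the PR or from GNU cpio/tar), the function below parses the reply to an rmt `R<count>\n` read request and applies the bound the fix introduces; the function and macro names are hypothetical and the replies fed to it are constructed.

```c
/* Added example, not code from GNU cpio/tar.  Minimal parser for the rmt
   reply to "R<count>\n": the server answers "A<n>\n" followed by n data
   bytes, or "E<errno>\n<message>\n" on failure.  Names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RMT_ERROR ((size_t) -1)   /* plays the role of SAFE_READ_ERROR */

/* Copy the data part of the reply held in reply[0..reply_len) into buffer,
   which the caller sized for `length` bytes.  Returns the byte count, or
   RMT_ERROR with errno set when the reply is malformed or announces more
   data than was requested (the CVE-2010-0624 condition). */
size_t rmt_read_reply(const char *reply, size_t reply_len,
                      char *buffer, size_t length)
{
    const char *nl = memchr(reply, '\n', reply_len);
    if (nl == NULL || reply[0] != 'A') {   /* no status line, or "E..." */
        errno = EIO;
        return RMT_ERROR;
    }
    /* Parse the announced count: digits only, with overflow protection. */
    size_t status = 0;
    for (const char *p = reply + 1; p < nl; p++) {
        if (*p < '0' || *p > '9' || status > (SIZE_MAX - 9) / 10) {
            errno = EIO;
            return RMT_ERROR;
        }
        status = status * 10 + (size_t) (*p - '0');
    }
    /* The bound added by the fix: a server claiming more bytes than we
       asked for would otherwise drive the copy past the end of buffer. */
    if (status > length) {
        errno = EOVERFLOW;
        return RMT_ERROR;
    }
    /* Do not trust the count beyond what actually arrived either. */
    if (reply_len - (size_t) (nl + 1 - reply) < status) {
        errno = EIO;
        return RMT_ERROR;
    }
    memcpy(buffer, nl + 1, status);
    return status;
}
```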
>How-To-Repeat:
>Fix:
Index: contrib/cpio/lib/rtapelib.c
===================================================================
RCS file: /home/ncvs/src/contrib/cpio/lib/rtapelib.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 rtapelib.c
--- contrib/cpio/lib/rtapelib.c 1 Oct 2005 04:37:06 -0000 1.1.1.1
+++ contrib/cpio/lib/rtapelib.c 24 Mar 2010 18:55:27 -0000
@@ -570,7 +570,8 @@
sprintf (command_buffer, "R%lu\n", (unsigned long) length);
if (do_command (handle, command_buffer) == -1
- || (status = get_status (handle)) == SAFE_READ_ERROR)
+ || (status = get_status (handle)) == SAFE_READ_ERROR
+ || status > length)
return SAFE_READ_ERROR;
for (counter = 0; counter < status; counter += rlen, buffer += rlen)
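Review bot: the new `|| status > length` guard is the right bound, since the loop that follows reads `status` bytes into `buffer`, which the caller sized for `length`; add a one-line comment above it saying that a remote rmt server announcing more bytes than were requested must be rejected (CVE-2010-0624), so the check is not removed later as redundant. Also confirm the types involved: `length` is cast to `unsigned long` in the `sprintf` above, and if `status` is a signed type the comparison is performed unsigned, which still rejects negative values but will draw a `-Wsign-compare` warning.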
@@ -706,6 +707,12 @@
|| (status = get_status (handle), status == -1))
return -1;
+ if (status > sizeof (struct mtop))
+ {
+ errno = EOVERFLOW;
+ return -1;
+ }
+
for (; status > 0; status -= counter, argument += counter)
{
counter = safe_read (READ_SIDE (handle), argument, status);
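Review bot: the bound `sizeof (struct mtop)` is hard-coded, but the bytes are read into `argument`, whose real size is not visible in this hunk; confirm that `argument` in this branch always points at a `struct mtop` (if the reply being read is a tape status record, the bound should be the size of that structure instead), because a bound that is too large leaves the overflow in place and one that is too small rejects legitimate replies. Note that `status` is signed here (it is compared with -1 on the line above) while `sizeof` yields `size_t`, so the comparison is unsigned; that is safe but deserves a comment, and `EOVERFLOW` requires `<errno.h>` to be included in this file.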
>Release-Note:
>Audit-Trail:
>Unformatted: