[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

bugzilla-noreply at freebsd.org
Fri Feb 19 21:50:51 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

            Bug ID: 207362
           Summary: Crafted gzip archive causes tar(1) to exhaust all your
                    memory
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: fuz at fuz.su

Created attachment 167205
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167205&action=edit
gzip quine, unpacks to itself

The FreeBSD tar(1) program uses a heuristic to check if an archive file is
compressed. If it is, it calls into an appropriate library to receive a
decompressed stream. Then it applies the heuristic again to catch the case of
an archive that has been compressed multiple times. There is no limit to the
number of recursive decompressions.

Using a crafted gzip file (the attached file is a quine that unpacks to
itself), one can get tar(1) to invoke an infinite chain of gzip compressors
until all the memory on the machine running tar(1) has been exhausted or
another resource limit kicks in.

I see this behaviour as a bug and security problem. It can be used to perform
denial-of-service attacks against machines that run FreeBSD and use tar(1) to
list the contents of untrusted archives.

-- 
You are receiving this mail because:
You are the assignee for the bug.
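
The report describes a detect-and-decompress loop with no bound on the number of layers. The following added example (not code from the report, from tar(1) or from libarchive) shows the same loop with a cap on nesting depth and on the output of each layer; the limit values, function names and sample inputs are assumptions constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_LAYERS = 4              # assumed policy: reject deeper nesting
MAX_LAYER_BYTES = 1 << 20   # assumed policy: cap each layer's output at 1 MiB


class LayerLimitExceeded(Exception):
    """Raised when an input needs more layers or bytes than policy allows."""


def inflate_capped(data, max_bytes):
    """Decompress one gzip stream, refusing to emit more than max_bytes."""
    d = zlib.decompressobj(31)  # wbits=31 selects the gzip wrapper
    # Ask for one byte past the cap so an oversized layer is detectable
    # without ever holding more than max_bytes + 1 bytes of output.
    out = d.decompress(data, max_bytes + 1)
    if len(out) > max_bytes:
        raise LayerLimitExceeded("layer output exceeds %d bytes" % max_bytes)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def peel(data, max_layers=MAX_LAYERS, max_bytes=MAX_LAYER_BYTES):
    """Strip gzip layers while the magic matches; return (payload, layers)."""
    layers = 0
    while data[:2] == GZIP_MAGIC:
        # The depth check is what the loop in the report lacks: an input
        # that always decompresses to more gzip data stops here.
        if layers == max_layers:
            raise LayerLimitExceeded("more than %d gzip layers" % max_layers)
        data = inflate_capped(data, max_bytes)
        layers += 1
    return data, layers


def wrap(payload, n):
    """Constructed sample input: payload gzipped n times."""
    for _ in range(n):
        payload = gzip.compress(payload)
    return payload


if __name__ == "__main__":
    print(peel(wrap(b"constructed payload", 3)))
    try:
        peel(wrap(b"constructed payload", 10))
    except LayerLimitExceeded as exc:
        print("rejected:", exc)
```

An input that decompresses to itself never stops matching the magic, so it is rejected by the depth check on the fifth iteration instead of consuming memory.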

