malformed rar crashes bsdtar #504

Open
kwrobot opened this issue Apr 11, 2015 · 8 comments

Comments


kwrobot commented Apr 11, 2015

Original issue 396 created by Google Code user hanno@hboeck.de on 2015-02-03T03:44:10.000Z:

What steps will reproduce the problem?
1. run bsdtar -xf crash.rar
2. segfault

What version are you using?
git head (e6c9668f3202215ddb71617b41c19b6f05acf008)

On what operating system?
Linux

How did you build? (cmake, configure, or pre-packaged binary)
cmake

What compiler or development environment (please include version)?
gcc 4.9.2

Please provide any additional information below.

Crash with malformed rar file, found with american fuzzy lop. I'll attach valgrind and address sanitizer output. Looks like a null ptr.

See attachment: crash.rar
See attachment: crash.rar.asan.txt
See attachment: crash.rar.valgrind.txt


kwrobot commented Apr 11, 2015

Comment #1 originally posted by Google Code user tim@kientzle.com on 2015-02-07T06:33:13.000Z:

This is hitting a corner case in the RAR reader:  The reader decides the current header is a "split file in multivolume RAR" and returns a success code without actually filling in the entry.  I'm not sure whether this code (around lines 1540-1560) should return an error or should continue to read the next header.


kwrobot commented Apr 11, 2015

Comment #2 originally posted by kientzle on 2015-02-07T07:29:13.000Z:

I've committed a change to bsdtar so it will skip entries for which the format handler is unable to parse a filename.

This makes bsdtar itself resistant to this issue, but it would be better to fix the underlying parsing issue in the RAR reader.

kientzle modified the milestone: 3.2 (Aug 1, 2015)

@dosomder (Contributor)

The rar reader saves the filename of the entry and when the next entry has the same filename, it assumes this is a multivolume archive. Did I understand this correctly? https://github.com/libarchive/libarchive/blob/master/libarchive/archive_read_support_format_rar.c#L1546

In my opinion the filename only needs to be saved if the flag FHD_SPLIT_AFTER is set. If the next entry then has the flag FHD_SPLIT_BEFORE and the same filename, it's a multivolume. See also here: http://www.forensicswiki.org/wiki/RAR

The entries in crash.rar don't have these flags set.

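The flag-based check dosomder describes above, as an added example that is not libarchive's code and not part of this thread. It parses a RAR 2.x/3.x file header, rejects truncated or oversized headers instead of returning a half-filled entry, and compares the name-only heuristic with a check that requires FHD_SPLIT_AFTER on the previous entry and FHD_SPLIT_BEFORE on the current one. The header layout and the 0x0001/0x0002 flag values follow the public RAR format description; the headers it feeds itself are constructed inline for the demo and carry no valid CRCs.

```c
/* Added example (not libarchive's code): tell a genuine split-volume
 * continuation apart from two unrelated entries that merely share a name.
 * Layout and FHD_SPLIT_* bit values follow the public RAR 2.x/3.x format
 * description; the headers built below are constructed and carry no CRCs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAD_TYPE_FILE   0x74
#define FHD_SPLIT_BEFORE 0x0001   /* entry continues from the previous volume */
#define FHD_SPLIT_AFTER  0x0002   /* entry continues in the next volume       */
#define FHD_LARGE        0x0100   /* 64-bit sizes: 8 extra bytes before name  */

/* Fixed fields: crc(2) type(1) flags(2) head_size(2) pack(4) unp(4) os(1)
 * file_crc(4) ftime(4) unp_ver(1) method(1) name_size(2) attr(4) = 32 bytes. */
#define FILE_HEAD_FIXED 32

struct rar_file_head {
    uint16_t flags;
    uint16_t head_size;
    char     name[256];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one file header from buf[0..len). Returns 0 on success, -1 when it is
 * not a file header, is truncated, or its name overruns head_size. A malformed
 * header never produces a half-filled entry. */
int rar_parse_file_head(const uint8_t *buf, size_t len, struct rar_file_head *out)
{
    size_t name_off = FILE_HEAD_FIXED;
    uint16_t name_size;

    if (len < FILE_HEAD_FIXED || buf[2] != HEAD_TYPE_FILE)
        return -1;
    out->flags     = rd16(buf + 3);
    out->head_size = rd16(buf + 5);
    name_size      = rd16(buf + 26);
    if (out->flags & FHD_LARGE)
        name_off += 8;
    if (out->head_size > len || name_off + (size_t)name_size > out->head_size ||
        name_size >= sizeof(out->name))
        return -1;
    memcpy(out->name, buf + name_off, name_size);
    out->name[name_size] = '\0';
    return 0;
}

/* Name-only heuristic: any repeated filename counts as a split. */
int is_continuation_by_name(const struct rar_file_head *prev, const struct rar_file_head *cur)
{
    return prev != NULL && strcmp(prev->name, cur->name) == 0;
}

/* Flag-based check: previous entry announced a continuation, this one claims
 * to be one, and the names agree. */
int is_continuation_by_flags(const struct rar_file_head *prev, const struct rar_file_head *cur)
{
    return prev != NULL && (prev->flags & FHD_SPLIT_AFTER) != 0 &&
           (cur->flags & FHD_SPLIT_BEFORE) != 0 && strcmp(prev->name, cur->name) == 0;
}

/* Build a constructed file header (CRC and sizes left zero); returns its length. */
size_t build_file_head(uint8_t *buf, size_t cap, uint16_t flags, const char *name)
{
    size_t name_len = strlen(name), total = FILE_HEAD_FIXED + name_len;
    if (total > cap || total > 0xFFFF)
        return 0;
    memset(buf, 0, total);
    buf[2]  = HEAD_TYPE_FILE;
    buf[3]  = (uint8_t)(flags & 0xFF);    buf[4]  = (uint8_t)(flags >> 8);
    buf[5]  = (uint8_t)(total & 0xFF);    buf[6]  = (uint8_t)(total >> 8);
    buf[26] = (uint8_t)(name_len & 0xFF); buf[27] = (uint8_t)(name_len >> 8);
    memcpy(buf + FILE_HEAD_FIXED, name, name_len);
    return total;
}

/* Parse two consecutive constructed headers; returns (by_name << 1) | by_flags,
 * or -1 if either header fails to parse. */
int scenario(uint16_t flags1, const char *n1, uint16_t flags2, const char *n2)
{
    uint8_t h1[64], h2[64];
    struct rar_file_head a, b;
    size_t l1 = build_file_head(h1, sizeof h1, flags1, n1);
    size_t l2 = build_file_head(h2, sizeof h2, flags2, n2);
    if (rar_parse_file_head(h1, l1, &a) != 0 || rar_parse_file_head(h2, l2, &b) != 0)
        return -1;
    return (is_continuation_by_name(&a, &b) << 1) | is_continuation_by_flags(&a, &b);
}

/* A header whose declared size exceeds the bytes available is rejected. */
int truncated_header_rejected(void)
{
    uint8_t h[64];
    struct rar_file_head x;
    size_t l = build_file_head(h, sizeof h, 0, "x.txt");
    return rar_parse_file_head(h, l - 1, &x) == -1;
}

int main(void)
{
    printf("same name, no split flags: %d\n", scenario(0, "a.txt", 0, "a.txt"));
    printf("SPLIT_AFTER then SPLIT_BEFORE: %d\n",
           scenario(FHD_SPLIT_AFTER, "b.bin", FHD_SPLIT_BEFORE, "b.bin"));
    printf("truncated header rejected: %d\n", truncated_header_rejected());
    return 0;
}
```

Two entries with the same name and no split flags score 2 (the name-only heuristic says "continuation", the flag check says "new entry"), which is the shape of the crash.rar case described above; a SPLIT_AFTER entry followed by a SPLIT_BEFORE entry of the same name scores 3. The parser returns an error rather than a partially filled struct, so a caller cannot be handed an entry with no filename.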
@kientzle (Contributor)

Ah. That might explain it. A pull request would be greatly appreciated.


kientzle commented Apr 3, 2016

I believe the current fix is good enough for 3.2. I'll defer further work to 3.2.1.

kientzle modified the milestones: 3.2.1, 3.2 (Apr 3, 2016)
kientzle modified the milestones: 3.3, 3.2.1 (Jun 20, 2016)

@petterreinholdtsen

According to https://security-tracker.debian.org/tracker/CVE-2015-8916 this is a security issue with ID CVE-2015-8916. I tested, and the crash happens with version 3.1.2 too.

mmatuska (Member) commented May 16, 2019

@dosomder @petterreinholdtsen @kientzle this issue seems to be fixed, I cannot reproduce with the provided archive (without the protected tar of course)

mmatuska removed this from the 3.3 milestone (May 16, 2019)

@petterreinholdtsen

b2e2abb is pointed to as the fix on https://security-tracker.debian.org/tracker/CVE-2015-8916 .
