malformed cab segfaults bsdtar #505

Open
kwrobot opened this Issue Apr 11, 2015 · 4 comments

kwrobot commented Apr 11, 2015

Original issue 397 created by Google Code user hanno@hboeck.de on 2015-02-03T03:55:02.000Z:

What steps will reproduce the problem?
1. bsdtar -xf segf.cab
2. segfault

What version are you using?
git head (e6c9668f3202215ddb71617b41c19b6f05acf008)

On what operating system?
Linux

How did you build? (cmake, configure, or pre-packaged binary)
cmake

What compiler or development environment (please include version)?
gcc 4.9.2

Please provide any additional information below.
Found with american fuzzy lop

==20101== Invalid read of size 1
==20101==    at 0x411867: strip_absolute_path (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==    by 0x41252A: edit_pathname (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==    by 0x410A46: tar_mode_x (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==    by 0x40EB13: main (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Looks like a null ptr. Will attach asan and valgrind output.

See attachment: segf.cab
See attachment: segf.cab.asan.txt
See attachment: segf.cab.valgrind.log

kwrobot commented Apr 11, 2015

Comment #1 originally posted by kientzle on 2015-02-07T07:29:44.000Z:

I've committed a change to bsdtar so it will skip entries for which the format handler is unable to parse a filename.

This makes bsdtar itself resistant to this issue, but it would be better to fix the underlying parsing issue in the RAR reader.

@kientzle kientzle self-assigned this Jul 14, 2015

@kientzle kientzle modified the milestone: 3.2 Aug 1, 2015

Contributor

dosomder commented Mar 24, 2016

Some header fields are not checked, which could prevent this crash:

reserved1: Reserved field; MUST be set to 0 (zero).
reserved2: Reserved field; MUST be set to 0 (zero).
reserved3: Reserved field; MUST be set to 0 (zero).
versionMinor: Specifies the minor cabinet file format version. This value MUST be set to 3 (three).
versionMajor: Specifies the major cabinet file format version. This value MUST be set to 1 (one).

Additionally

  • no error is returned if compression type is not valid
  • no check if coffCabStart is out of file

http://download.microsoft.com/download/4/D/A/4DA14F27-B4EF-4170-A6E6-5B1EF85B1BAA/[MS-CAB].pdf

The real problem though is that the filename in the cabinet is set to 0x97. This single character is not a valid UTF-8 character and therefore the conversion fails. A possibility would be to return something like "INVALID FILENAME" as filename if the original filename is not properly formatted.
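As an added example (not libarchive's code and not from any participant in this thread): C functions that enforce the CFHEADER and CFFOLDER constraints listed in the comment above, and a filename fallback that hands back a placeholder rather than NULL when the name is not valid UTF-8. Field offsets are taken from the linked [MS-CAB] spec; the function names and the sample header bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static uint32_t le32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* CFHEADER checks from the comment above. Offsets per the linked [MS-CAB] spec: reserved1 @4, cbCabinet @8,
 * reserved2 @12, coffFiles @16, reserved3 @20, versionMinor @24, versionMajor @25. 0 = ok, else failure code. */
int cab_check_header(const uint8_t *buf, size_t file_len)
{
    if (file_len < 36 || memcmp(buf, "MSCF", 4) != 0) return 1;          /* too short or bad magic */
    if (le32(buf + 4) || le32(buf + 12) || le32(buf + 20)) return 2;     /* reserved1..3 MUST be 0 */
    if (buf[24] != 3 || buf[25] != 1) return 3;                           /* version MUST be 1.3 */
    if (le32(buf + 8) > file_len || le32(buf + 16) >= file_len) return 4; /* cbCabinet / coffFiles past EOF */
    return 0;
}

/* CFFOLDER: coffCabStart (@0) must be inside the file; low 4 bits of typeCompress (@6, LE) must be 0..3. */
int cab_check_folder(const uint8_t *folder, size_t file_len)
{
    if (le32(folder) >= file_len) return 1;
    if ((folder[6] & 0x0F) > 3) return 2;  /* 0 none, 1 MSZIP, 2 QUANTUM, 3 LZX */
    return 0;
}

/* Structural UTF-8 check: lead-byte class and continuation count only (overlong forms are not rejected). */
static int utf8_valid(const uint8_t *s, size_t n)
{
    for (size_t i = 0; i < n; ) {
        uint8_t c = s[i]; size_t extra;
        if (c < 0x80) extra = 0;
        else if (c >= 0xC2 && c <= 0xDF) extra = 1;
        else if (c >= 0xE0 && c <= 0xEF) extra = 2;
        else if (c >= 0xF0 && c <= 0xF4) extra = 3;
        else return 0;                 /* 0x80..0xC1 or 0xF5..0xFF as lead byte, e.g. a lone 0x97 */
        if (i + extra >= n) return 0;  /* sequence runs past the end of the name */
        for (size_t k = 1; k <= extra; k++)
            if ((s[i + k] & 0xC0) != 0x80) return 0;
        i += extra + 1;
    }
    return 1;
}

/* Never returns NULL: an undecodable name becomes the placeholder suggested above, so a caller such as
 * strip_absolute_path() always receives a string to work on. */
const char *cab_safe_name(const char *name, size_t len) { return utf8_valid((const uint8_t *)name, len) ? name : "INVALID FILENAME"; }

/* Constructed sample CFHEADER: "MSCF", reserved1=0, cbCabinet=0x54, reserved2=0, coffFiles=0x2C,
 * reserved3=0, versionMinor=3, versionMajor=1, cFolders=1, cFiles=1, flags=0, setID=0, iCabinet=0. */
const uint8_t good_header[36] = { 'M','S','C','F', 0,0,0,0, 0x54,0,0,0, 0,0,0,0, 0x2C,0,0,0,
                                  0,0,0,0, 3,1, 1,0, 1,0, 0,0, 0,0, 0,0 };
```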

Contributor

kientzle commented Apr 3, 2016

Deferring further work on this to 3.2.1.

@kientzle kientzle modified the milestones: 3.2.1, 3.2 Apr 3, 2016

@kientzle kientzle modified the milestones: 3.3, 3.2.1 Jun 20, 2016

@petterreinholdtsen

petterreinholdtsen Jul 8, 2016

According to https://security-tracker.debian.org/tracker/CVE-2015-8917 this is a security issue with ID CVE-2015-8917. I tested and it affects version 3.1.2 too.
