malformed cab segfaults bsdtar #505

Open
kwrobot opened this issue Apr 11, 2015 · 5 comments

@kwrobot commented Apr 11, 2015

Original issue 397 created by Google Code user hanno@hboeck.de on 2015-02-03T03:55:02.000Z:

What steps will reproduce the problem?
1. bsdtar -xf segf.cab
2. segfault

What version are you using?
git head (e6c9668f3202215ddb71617b41c19b6f05acf008)

On what operating system?
Linux

How did you build? (cmake, configure, or pre-packaged binary)
cmake

What compiler or development environment (please include version)?
gcc 4.9.2

Please provide any additional information below.
Found with american fuzzy lop

==20101== Invalid read of size 1
==20101==    at 0x411867: strip_absolute_path (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==    by 0x41252A: edit_pathname (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==    by 0x410A46: tar_mode_x (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==    by 0x40EB13: main (in /mnt/ram/libarchive/plain/bin/bsdtar)
==20101==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Looks like a null ptr. Will attach asan and valgrind output.

See attachment: segf.cab
See attachment: segf.cab.asan.txt
See attachment: segf.cab.valgrind.log

@kwrobot (Author) commented Apr 11, 2015

Comment #1 originally posted by kientzle on 2015-02-07T07:29:44.000Z:

I've committed a change to bsdtar so it will skip entries for which the format handler is unable to parse a filename.

This makes bsdtar itself resistant to this issue, but it would be better to fix the underlying parsing issue in the RAR reader.

@kientzle kientzle self-assigned this Jul 14, 2015

@kientzle kientzle modified the milestone: 3.2 Aug 1, 2015

@dosomder (Contributor) commented Mar 24, 2016

Some header fields are not checked, which could prevent this crash:

reserved1: Reserved field; MUST be set to 0 (zero).
reserved2: Reserved field; MUST be set to 0 (zero).
reserved3: Reserved field; MUST be set to 0 (zero).
versionMinor: Specifies the minor cabinet file format version. This value MUST be set to 3 (three).
versionMajor: Specifies the major cabinet file format version. This value MUST be set to 1 (one).

Additionally

  • no error is returned if compression type is not valid
  • no check if coffCabStart is out of file

http://download.microsoft.com/download/4/D/A/4DA14F27-B4EF-4170-A6E6-5B1EF85B1BAA/[MS-CAB].pdf

The real problem though is that the filename in the cabinet is set to 0x97. This single character is not a valid UTF-8 character and therefore the conversion fails. A possibility would be to return something like "INVALID FILENAME" as filename if the original filename is not properly formatted.
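Taking the checks listed in this comment (reserved1..3 zero, version 1.3, coffCabStart inside the file, a defined typeCompress) together with the earlier point that an unparseable filename must never reach the extractor as a NULL pointer, here is an added example in C. It is not libarchive's code and not taken from the attached segf.cab: it validates a cabinet header, every CFFOLDER and the first CFFILE against the [MS-CAB] layout, substitutes a placeholder when a name flagged _A_NAME_IS_UTF (attribs bit 0x80) is not valid UTF-8, and exercises all of that on a one-folder, one-file cabinet constructed in memory. The `cab_*` names, the tamper modes and the sample bytes are this example's own assumptions; cabinets with the RESERVE/PREV/NEXT header flags are deliberately rejected rather than parsed.

```c
/* Added example, not libarchive's code: a minimal [MS-CAB] CFHEADER/CFFOLDER/CFFILE validator
 * applying the checks listed above, which also never hands back a NULL filename. Assumes no
 * RESERVE/PREV/NEXT header flags; the one-folder, one-file cabinet is constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum cab_status { CAB_OK, CAB_TRUNCATED, CAB_BAD_SIGNATURE, CAB_BAD_RESERVED, CAB_BAD_VERSION,
                  CAB_UNSUPPORTED_FLAGS, CAB_BAD_OFFSET, CAB_BAD_COMPRESSION, CAB_BAD_NAME };
enum tamper { T_NONE, T_RESERVED, T_CABSTART, T_COMPRESS, T_VERSION }; /* demo corruptions */
struct cab_file { uint32_t cbFile, uoffFolderStart; uint16_t iFolder, attribs; char name[64]; };

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Strict UTF-8: rejects lone continuation/lead bytes, short sequences, overlongs, surrogates, > U+10FFFF. */
static int utf8_valid(const uint8_t *s, size_t n)
{
    for (size_t i = 0; i < n;) {
        uint8_t c = s[i]; size_t len; uint32_t cp, min;
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                                   /* 0x80..0xBF (a lone 0x97) or 0xF8..0xFF */
        if (n - i < len) return 0;
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = cp << 6 | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += len;
    }
    return 1;
}

/* Validate the header, every CFFOLDER and the first CFFILE; *out is filled on CAB_OK and CAB_BAD_NAME. */
enum cab_status cab_check(const uint8_t *buf, size_t len, struct cab_file *out)
{
    if (len < 36) return CAB_TRUNCATED;
    if (memcmp(buf, "MSCF", 4) != 0) return CAB_BAD_SIGNATURE;
    if (rd32(buf + 4) || rd32(buf + 12) || rd32(buf + 20)) return CAB_BAD_RESERVED; /* reserved1..3 MUST be 0 */
    if (buf[24] != 3 || buf[25] != 1) return CAB_BAD_VERSION;    /* versionMinor 3, versionMajor 1 */
    uint32_t coffFiles = rd32(buf + 16);
    uint16_t cFolders = rd16(buf + 26), flags = rd16(buf + 30);
    if (flags & 0x0007) return CAB_UNSUPPORTED_FLAGS;             /* PREV/NEXT/RESERVE not handled here */
    size_t folders_end = 36 + (size_t)cFolders * 8;               /* CFFOLDER array follows the header */
    if (folders_end > len || coffFiles < folders_end || coffFiles > len - 16) return CAB_BAD_OFFSET;
    for (size_t i = 0; i < cFolders; i++) {
        const uint8_t *f = buf + 36 + i * 8;
        if (rd32(f) >= len) return CAB_BAD_OFFSET;                /* coffCabStart points past the file */
        if ((rd16(f + 6) & 0x000F) > 3) return CAB_BAD_COMPRESSION; /* 0 none, 1 MSZIP, 2 Quantum, 3 LZX */
    }
    const uint8_t *e = buf + coffFiles, *nul = memchr(e + 16, 0, len - coffFiles - 16);
    if (nul == NULL) return CAB_TRUNCATED;                        /* szName must be NUL-terminated in-file */
    out->cbFile = rd32(e); out->uoffFolderStart = rd32(e + 4); out->iFolder = rd16(e + 8); out->attribs = rd16(e + 14);
    size_t nlen = (size_t)(nul - (e + 16));
    if ((out->attribs & 0x80) && !utf8_valid(e + 16, nlen)) {     /* _A_NAME_IS_UTF set but bytes invalid */
        strcpy(out->name, "INVALID FILENAME");                    /* placeholder instead of a NULL name */
        return CAB_BAD_NAME;
    }
    if (nlen >= sizeof out->name) nlen = sizeof out->name - 1;
    memcpy(out->name, e + 16, nlen); out->name[nlen] = '\0';
    return CAB_OK;
}

/* Constructed sample: 36-byte header, one CFFOLDER, one CFFILE with szName, then an empty CFDATA header. */
size_t cab_build_sample(uint8_t *out, size_t cap, const char *name, uint16_t attribs)
{
    size_t nlen = strlen(name), total = 60 + nlen + 1 + 8;
    if (total > cap) return 0;
    memset(out, 0, total); memcpy(out, "MSCF", 4);
    wr32(out + 8, (uint32_t)total);                 /* cbCabinet */
    wr32(out + 16, 44);                             /* coffFiles: CFFILE right after the folder */
    out[24] = 3; out[25] = 1; wr16(out + 26, 1); wr16(out + 28, 1); /* version 1.3, cFolders, cFiles */
    wr32(out + 36, (uint32_t)(60 + nlen + 1));      /* CFFOLDER.coffCabStart -> CFDATA after szName */
    wr16(out + 40, 1); wr16(out + 42, 1);           /* cCFData, typeCompress = MSZIP */
    wr16(out + 58, attribs);                        /* CFFILE.attribs; 0x80 = _A_NAME_IS_UTF */
    memcpy(out + 60, name, nlen + 1);               /* szName with its NUL */
    return total;
}

static char last_name[64]; const char *cab_demo_name(void) { return last_name; } /* name from last cab_demo() */

/* Build a sample, optionally corrupt one field the way a fuzzer would, and validate it. */
enum cab_status cab_demo(const char *name, uint16_t attribs, enum tamper t)
{
    uint8_t cab[256]; struct cab_file f = {0};
    size_t len = cab_build_sample(cab, sizeof cab, name, attribs); if (len == 0) return CAB_TRUNCATED;
    if (t == T_RESERVED) wr32(cab + 4, 1);                 /* reserved1 != 0 */
    else if (t == T_CABSTART) wr32(cab + 36, 0x7fffffffu); /* coffCabStart beyond the file */
    else if (t == T_COMPRESS) wr16(cab + 42, 5);           /* undefined typeCompress */
    else if (t == T_VERSION) cab[25] = 2;                  /* versionMajor != 1 */
    enum cab_status s = cab_check(cab, len, &f);
    strcpy(last_name, f.name); return s;
}

int main(void)
{
    enum cab_status s = cab_demo("\x97", 0x80, T_NONE);    /* the afl case: a lone 0x97 byte as the name */
    printf("lone 0x97 with _A_NAME_IS_UTF: status %d, name \"%s\"\n", (int)s, cab_demo_name());
    return 0;
}
```

Note that the UTF-8 check only applies when the _A_NAME_IS_UTF bit is set; a name without that bit is codepage bytes per the specification and is passed through as-is here, so the same 0x97 byte is accepted in that case. Running the real segf.cab through `cab_check` would need the file read into the buffer first; this example only uses the constructed cabinet.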

@kientzle (Contributor) commented Apr 3, 2016

Deferring further work on this to 3.2.1.

@kientzle kientzle modified the milestones: 3.2.1, 3.2 Apr 3, 2016

@kientzle kientzle modified the milestones: 3.3, 3.2.1 Jun 20, 2016

@petterreinholdtsen commented Jul 8, 2016

According to https://security-tracker.debian.org/tracker/CVE-2015-8917 this is a security issue with ID CVE-2015-8917. I tested and it affects version 3.1.2 too.

@mmatuska (Member) commented May 16, 2019

@dosomder @petterreinholdtsen @kientzle this issue seems to be fixed; I cannot reproduce with the provided archive (without the protected tar, of course).

@mmatuska mmatuska removed this from the 3.3 milestone May 16, 2019
