On Fri, Aug 17, 2007 at 11:37:03AM +0200, Ladislav Michnovič wrote:
> 2007/8/17, Dmitry V. Levin:
> > Hi,
> >
> > paxlib's safer_name_suffix() function uses alloca() to report the prefix string
> > it is going to strip, and recent tar and cpio versions use this function
> > both in list and extract modes.
> > The problem is that the length of this string (i.e. the size passed to alloca)
> > is under the tarball owner's control.
> > As a result, tar/cpio crashes if this string is sufficiently long.
> >
> > Fortunately, the memcpy() call which follows the alloca() call makes this stack
> > overflow a plain crash, so it does not look exploitable.
> >
> > Reproducer:
> > $ ulimit -s
> > 8192
> > $ ./tarnull null.tar
> > $ bzip2 -9 null.tar
> > $ ls -log null.tar.bz2
> > -rw-r--r-- 1 543 Aug 15 18:00 null.tar.bz2
> > $ tar tf null.tar.bz2
> > Segmentation fault
>
> Hello.
>
> I have tested your reproducer and I got a segfault. I recompiled
> cpio 2.9 with your patch but I'm still getting a segfault.
> Have I missed something?
How did you test cpio with the reproducer for tar?

-- 
ldv
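The quoted report describes the bug's shape without showing the code: a prefix whose length the archive author controls is handed to alloca(), and the memcpy() that follows turns the stack overrun into a fault. The program below is an added example written for this page; it is not paxutils, tar or cpio code. It models that pattern in a small strip_prefix_alloca(), puts a bounded form next to it, and builds a hostile member name (several MiB of '/') that makes the alloca() version segfault under the 8192 KiB stack limit shown in the reproducer. The prefix rule it strips (a leading run of "/" and "../" components) and the names leading_prefix_len, strip_prefix_alloca, strip_prefix_bounded and make_slash_name are assumptions of this example; the real safer_name_suffix() has more cases.

```c
/* Added example (not paxutils/tar/cpio code): a minimal model of the
 * alloca() pattern described in the thread, next to a bounded replacement.
 * The prefix rule (leading "/" and "../" components) is an assumption. */
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the leading run of "/" and "../" components in NAME. */
size_t leading_prefix_len(const char *name)
{
    const char *p = name;
    for (;;) {
        if (p[0] == '/')
            p += 1;
        else if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            p += 2;
        else
            break;
    }
    return (size_t)(p - name);
}

/* Vulnerable form: the stripped prefix is copied into an alloca() buffer
 * whose size comes straight from the untrusted member name.  A name made of
 * a few MiB of '/' moves the stack pointer past the guard page; the memcpy()
 * that follows then faults, which is why the thread calls it a plain crash. */
const char *strip_prefix_alloca(const char *name)
{
    size_t n = leading_prefix_len(name);
    if (n != 0) {
        char *prefix = alloca(n + 1);     /* size is attacker-controlled */
        memcpy(prefix, name, n);
        prefix[n] = '\0';
        fprintf(stderr, "Removing leading `%s' from member names\n", prefix);
    }
    return name + n;
}

enum { PREFIX_REPORT_MAX = 64 };

/* Bounded form: the untrusted length never sizes a stack allocation.  The
 * prefix is copied into a caller-supplied fixed-size buffer and truncated
 * for reporting; the pointer to the stripped name is computed exactly. */
const char *strip_prefix_bounded(const char *name,
                                 char report[PREFIX_REPORT_MAX + 1])
{
    size_t n = leading_prefix_len(name);
    size_t shown = n < PREFIX_REPORT_MAX ? n : PREFIX_REPORT_MAX;
    memcpy(report, name, shown);
    report[shown] = '\0';
    if (n != 0)
        fprintf(stderr, "Removing leading `%s%s' from member names\n",
                report, shown < n ? "..." : "");
    return name + n;
}

/* Constructed hostile member name: LEN bytes of '/' followed by "x".
 * Caller frees. */
char *make_slash_name(size_t len)
{
    char *s = malloc(len + 2);
    if (s == NULL)
        return NULL;
    memset(s, '/', len);
    s[len] = 'x';
    s[len + 1] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    /* 16 MiB of '/' exceeds the 8192 KiB stack limit from the reproducer. */
    char *hostile = make_slash_name((size_t)16 << 20);
    char report[PREFIX_REPORT_MAX + 1];
    if (hostile == NULL)
        return 1;
    if (argc > 1 && strcmp(argv[1], "--crash") == 0)
        puts(strip_prefix_alloca(hostile));         /* segfaults, like tar tf */
    else
        puts(strip_prefix_bounded(hostile, report)); /* prints "x" */
    free(hostile);
    return 0;
}
```

Build with `cc -o prefix prefix.c` and run it plainly to see the bounded version strip the 16 MiB prefix and print the truncated warning; run `./prefix --crash` under `ulimit -s 8192` to reproduce the segmentation fault from the report. The fix chosen here is the simplest one that removes the attacker's control over a stack allocation; a heap buffer sized from the same length would avoid the crash too, but then a hostile archive still dictates how much memory a listing consumes.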
Bug-cpio mailing list
http://lists.gnu.org/mailman/listinfo/bug-cpio
