Bug 1167571 (CVE-2014-9112)
Summary: | CVE-2014-9112 cpio: heap-based buffer overflow flaw in list_file() | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | carnil, fweimer, jrusnack, kdudka, ovasik, praiskup, slawomir |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
A heap-based buffer overflow flaw was found in cpio's list_file() function. An attacker could provide a specially crafted archive that, when processed by cpio, would crash cpio, or potentially lead to arbitrary code execution.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-20 05:23:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1167573, 1195575, 1195576, 1195577, 1195578 | ||
Bug Blocks: | 1167574, 1210268 |
Description
Murray McAllister
2014-11-25 05:32:47 UTC
Created cpio tracking bugs for this issue: Affects: fedora-all [bug 1167573] MITRE assigned CVE-2014-9112 to this issue: http://www.openwall.com/lists/oss-security/2014/11/26/20 Upstream commits (all are needed): http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6 http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=54d1c42a http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=58df4f1b There appear to be issues with the fix on i*86. As I wrote in the F20 update candidate on admin.fedoraproject.org: Testing the i686 package on Fedora 20 with the PoC: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio With cpio-2.11-24.fc20 it actually does not segfault, but with cpio-2.11-28.fc20 it does, which is the opposite of what was supposed to happen. Also, I've added the same patches that Fedora has for this update in the Mageia cpio package. Our bug is here: https://bugs.mageia.org/show_bug.cgi?id=14765 As you can see, one of our QA members confirmed the vulnerability and fix on x86_64, but when I tested on i586, it segfaults both before and after the update. However, the package does have "make check" enabled, which passed when the package was built, so there may be something that was in the PoC that's missing from what has been added to the upstream testsuite in these patches. David, thanks for catching this and letting us know! I have reported that issue upstream [1]. The remaining issue does not seem to be security anymore, and, for correct archives does not hurt (note that the tested cpio archive is broken intentionally, so the segfault is not _so bad_ now). If there is no disagreement, I would treat this as a separate issue/bug. [1] http://www.mail-archive.com/bug-cpio@gnu.org/msg00507.html Pavel Thanks Pavel! I've synced the upstream changes: http://svnweb.mageia.org/packages?view=revision&revision=802713 It's working fine with the PoC now. cpio-2.11-33.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. cpio-2.11-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:2108 https://rhn.redhat.com/errata/RHSA-2015-2108.html |