Bug 229191 (CVE-2005-4268)

Summary: CVE-2005-4268 cpio large filesize buffer overflow
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Radek Brich <rbrich>
Status: CLOSED NEXTRELEASE QA Contact: Brock Organ <borgan>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: benl, kreilly, ovasik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-26 15:22:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 568072    
Bug Blocks:    
Attachments:
Description Flags
patch fixing buffer overflow on 64bit systems for cpio-2.5 none

Description Mark J. Cox 2007-02-19 13:41:30 UTC 
Clone for rhel3/rhel2.1

+++ This bug was initially created as a clone of Bug #172669 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922
Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
The latest update to cpio is being killed after a buffer overflow is detected.


Version-Release number of selected component (if applicable):
cpio-2.6-8.FC4

How reproducible:
Always

Steps to Reproduce:
cpio is given a large hierarchy of files and started using "cpio -o --format=crc"
  


-- Additional comment from arjanv on 2005-11-10 09:03 EST --
      char ascii_header[112];
...
      sprintf (ascii_header,
              
"%6s%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx",
               magic_string,
               file_hdr->c_ino, file_hdr->c_mode, file_hdr->c_uid,
               file_hdr->c_gid, file_hdr->c_nlink, file_hdr->c_mtime,
             file_hdr->c_filesize, file_hdr->c_dev_maj, file_hdr->c_dev_min,
           file_hdr->c_rdev_maj, file_hdr->c_rdev_min, file_hdr->c_namesize,
               file_hdr->c_chksum);

...

cpio assumes the filesize is at most 8 digits in size... and that's not right.
If it's more, this buffer will indeed overflow....

this probably wants to use asprintf() or so

-- Additional comment from bressers on 2005-11-10 13:07 EST --

Please note that this is only a security issue on 64 bit platforms.


This issue should also affect RHEL2.1 and RHEL3
Comment 1 Lukas Vrabel 2007-02-27 13:42:24 UTC 
Created attachment 148861 [details]
patch fixing buffer overflow on 64bit systems for cpio-2.5
Comment 10 errata-xmlrpc 2010-03-16 01:37:32 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0145 https://rhn.redhat.com/errata/RHSA-2010-0145.html