A heap-based buffer overflow flaw was found in cpio's list_file() function. An attacker could provide a specially crafted archive that, when processed by cpio, would crash cpio, or potentially lead to arbitrary code execution.
A heap-based buffer overflow flaw was reported in cpio's list_file() function. Attempting to extract a malicious cpio archive could cause cpio to crash or, potentially, execute arbitrary code.
As noted in the original report, this issue could be trigger via other utilities, such as when running "less".
A patch is not yet available.
Created cpio tracking bugs for this issue:
Affects: fedora-all [bug 1167573]
CVE request: http://www.openwall.com/lists/oss-security/2014/11/25/2
MITRE assigned CVE-2014-9112 to this issue:
Upstream commits (all are needed):
There appear to be issues with the fix on i*86. As I wrote in the F20 update candidate on admin.fedoraproject.org:
Testing the i686 package on Fedora 20 with the PoC: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio With cpio-2.11-24.fc20 it actually does not segfault, but with cpio-2.11-28.fc20 it does, which is the opposite of what was supposed to happen.
Also, I've added the same patches that Fedora has for this update in the Mageia cpio package. Our bug is here:
As you can see, one of our QA members confirmed the vulnerability and fix on x86_64, but when I tested on i586, it segfaults both before and after the update. However, the package does have "make check" enabled, which passed when the package was built, so there may be something that was in the PoC that's missing from what has been added to the upstream testsuite in these patches.
David, thanks for catching this and letting us know! I have reported that
issue upstream .
The remaining issue does not seem to be security anymore, and, for correct
archives does not hurt (note that the tested cpio archive is broken
intentionally, so the segfault is not _so bad_ now). If there is no
disagreement, I would treat this as a separate issue/bug.
I've synced the upstream changes:
It's working fine with the PoC now.
cpio-2.11-33.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
cpio-2.11-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2108 https://rhn.redhat.com/errata/RHSA-2015-2108.html