Bug 172865 - CVE-2005-4268 cpio large filesize buffer overflow
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cpio
Hardware/OS: x86_64 Linux
Priority: medium
Severity: low
Assigned To: Peter Vrabec
QA Contact: Brock Organ
Keywords: Security
Blocks: 183224
Reported: 2005-11-10 13:14 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2007-0245
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:14:01 EDT

Attachments
patch extracted from upstream (18.26 KB, patch), 2006-05-26 08:09 EDT, Peter Vrabec

Description Josh Bressers 2005-11-10 13:14:54 EST
+++ This bug was initially created as a clone of Bug #172669 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
The latest update to cpio is being killed after a buffer overflow is detected.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
cpio is given a large hierarchy of files and started using "cpio -o --format=crc"

-- Additional comment from arjanv@redhat.com on 2005-11-10 09:03 EST --

      char ascii_header[112];
      sprintf (ascii_header,
               file_hdr->c_ino, file_hdr->c_mode, file_hdr->c_uid,
               file_hdr->c_gid, file_hdr->c_nlink, file_hdr->c_mtime,
               file_hdr->c_filesize, file_hdr->c_dev_maj, file_hdr->c_dev_min,
               file_hdr->c_rdev_maj, file_hdr->c_rdev_min, file_hdr->c_namesize,

cpio assumes the filesize is at most 8 digits in size... and that's not right.
If it's more, this buffer will indeed overflow....

This probably wants to use asprintf() or so.

-- Additional comment from bressers@redhat.com on 2005-11-10 13:07 EST --

Please note that this is only a security issue on 64 bit platforms.

This issue should also affect RHEL2.1 and RHEL3
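The overflow described in the description, as an added example (this is not cpio's own code and not the upstream patch). It mirrors the shape quoted above: a fixed char[112] and a sprintf() of a 6-byte magic followed by 13 fields printed with %08lx, which is the SVR4 "newc"/"crc" header layout (110 characters when every field is exactly 8 hex digits). The function names (header_bytes_needed, would_overflow, write_header_checked), the struct, the constructed file sizes and the LP64 assumption (unsigned long is 64 bits, so %08lx can print up to 16 digits) are all mine; on a 32-bit unsigned long the field can never exceed 8 digits, which is why the report says the bug only matters on 64-bit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not cpio source. Reproduces the pattern from the report:
 * a fixed char[112] filled by sprintf() with a 6-byte magic and 13 fields
 * printed as %08lx. Nominal output is 6 + 13*8 = 110 chars + NUL = 111
 * bytes, so one buffer byte is spare; two extra digits in any field cross
 * the 112-byte end. Assumes an LP64 target (unsigned long is 64 bits).
 */

#define HEADER_BUF   112            /* sizeof ascii_header[] in the report */
#define NEWC_FIELDS  13
#define FIELD_MAX    0xffffffffUL   /* largest value that fits in 8 hex digits */

struct newc_hdr {
    unsigned long c_ino, c_mode, c_uid, c_gid, c_nlink, c_mtime, c_filesize,
                  c_dev_maj, c_dev_min, c_rdev_maj, c_rdev_min, c_namesize,
                  c_chksum;
};

/* newc/crc header: magic, then 13 fields of exactly 8 hex digits each. */
static const char newc_fmt[] =
    "%s%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx";

static void hdr_fields(const struct newc_hdr *h, unsigned long f[NEWC_FIELDS])
{
    f[0] = h->c_ino;     f[1] = h->c_mode;     f[2] = h->c_uid;
    f[3] = h->c_gid;     f[4] = h->c_nlink;    f[5] = h->c_mtime;
    f[6] = h->c_filesize; f[7] = h->c_dev_maj; f[8] = h->c_dev_min;
    f[9] = h->c_rdev_maj; f[10] = h->c_rdev_min; f[11] = h->c_namesize;
    f[12] = h->c_chksum;
}

/* Bytes (including the NUL) the report's sprintf() would write.
 * snprintf(NULL, 0, ...) measures the length without writing anywhere. */
size_t header_bytes_needed(const char *magic, const struct newc_hdr *h)
{
    unsigned long f[NEWC_FIELDS];
    hdr_fields(h, f);
    int n = snprintf(NULL, 0, newc_fmt, magic, f[0], f[1], f[2], f[3], f[4],
                     f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12]);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if the unchecked sprintf() into a bufsize-byte buffer would overrun it. */
int would_overflow(const char *magic, const struct newc_hdr *h, size_t bufsize)
{
    return header_bytes_needed(magic, h) > bufsize;
}

/* Hardened writer with two independent checks:
 *  1. every field must fit its 8-digit slot; a 9-digit value is not a valid
 *     newc header at all, since readers take exactly 8 digits per field;
 *  2. the write is bounded by snprintf() plus a truncation check, so a
 *     future layout change still cannot overrun buf.
 * Returns the header length, or -1 with errno = EOVERFLOW. */
int write_header_checked(char *buf, size_t bufsize, const char *magic,
                         const struct newc_hdr *h)
{
    unsigned long f[NEWC_FIELDS];
    hdr_fields(h, f);
    for (size_t i = 0; i < NEWC_FIELDS; i++) {
        if (f[i] > FIELD_MAX) {
            errno = EOVERFLOW;
            return -1;
        }
    }
    int n = snprintf(buf, bufsize, newc_fmt, magic, f[0], f[1], f[2], f[3],
                     f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12]);
    if (n < 0 || (size_t)n >= bufsize) {
        errno = EOVERFLOW;
        return -1;
    }
    return n;
}

int main(void)
{
    struct newc_hdr h = {0};
    char buf[HEADER_BUF];
    h.c_mode = 0100644; h.c_nlink = 1; h.c_namesize = 5;

    /* Constructed sizes: small, 4 GiB (9 hex digits), 64 GiB (10 digits). */
    unsigned long sizes[] = { 1234UL, 1UL << 32, 1UL << 36 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        h.c_filesize = sizes[i];
        printf("filesize=0x%lx needs %zu bytes, overflow=%d, checked=%d\n",
               h.c_filesize, header_bytes_needed("070702", &h),
               would_overflow("070702", &h, sizeof buf),
               write_header_checked(buf, sizeof buf, "070702", &h));
    }
    return 0;
}
```

Note the middle case: a 4 GiB file yields a 9-digit c_filesize that still squeezes into the 112 bytes, so the buffer does not overflow, yet the header is already unreadable because every following field is shifted by one digit; that is why the hardened writer rejects on the field width, not only on the buffer size. The same per-field limit is what "archive files <8GB in odc format" in Comment 1 amounts to for the older odc header, whose filesize field is 11 octal digits (8^11 bytes = 8 GiB).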
Comment 1 Peter Vrabec 2006-05-26 08:09:03 EDT
Created attachment 130020 [details]
patch extracted from upstream

This patch could fix also #183224, but it's necessary to rewrite
Then there will be 3 issues addressed:
cpio will be able to archive files <8GB in odc format (no bz report for this).

Is it possible to do these changes? Everything is tested and works in FC-5. I'd
like to do it at once to avoid any other problems which come if only
writeOutHeaderBufferOverflow.patch is applied.
Comment 3 Jay Turner 2006-08-25 12:35:58 EDT
QE ack for 4.5.
Comment 4 Peter Vrabec 2006-08-29 08:54:01 EDT
+ static char codetab[] = "0123456789ABCDEF";
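Review bot: agreed that this line wants `const`: `codetab` is a lookup table that is only ever read, so `static const char codetab[] = "0123456789ABCDEF";` lets the compiler place it in read-only storage and turns any accidental write into a compile-time error rather than a silent corruption of the table at runtime.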
Should have const in that line.
Comment 13 Red Hat Bugzilla 2007-05-01 13:14:02 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

