Bug 172865 - CVE-2005-4268 cpio large filesize buffer overflow
Summary: CVE-2005-4268 cpio large filesize buffer overflow
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cpio
Version: 4.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Brock Organ
Whiteboard: impact=low,public=20051107,reported=2...
Keywords: Security
Depends On:
Blocks: 183224
Reported: 2005-11-10 18:14 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Clone Of:
Last Closed: 2007-05-01 17:14:01 UTC

Attachments
patch extracted from upstream (18.26 KB, patch)
2006-05-26 12:09 UTC, Peter Vrabec

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2007:0245
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: cpio security and bug fix update
Last Updated: 2007-05-01 17:13:59 UTC

Description Josh Bressers 2005-11-10 18:14:54 UTC
+++ This bug was initially created as a clone of Bug #172669 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922
Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
The latest update to cpio is being killed after a buffer overflow is detected.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
cpio is given a large hierarchy of files and started using "cpio -o --format=crc"

-- Additional comment from arjanv@redhat.com on 2005-11-10 09:03 EST --
      char ascii_header[112];
      sprintf (ascii_header,
               file_hdr->c_ino, file_hdr->c_mode, file_hdr->c_uid,
               file_hdr->c_gid, file_hdr->c_nlink, file_hdr->c_mtime,
               file_hdr->c_filesize, file_hdr->c_dev_maj, file_hdr->c_dev_min,
               file_hdr->c_rdev_maj, file_hdr->c_rdev_min, file_hdr->c_namesize,

cpio assumes the filesize is at most 8 digits in size... and that's not right.
If it's more, this buffer will indeed overflow....

this probably wants to use asprintf() or so
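The 112-byte ascii_header above holds exactly the 110 characters of a newc/crc header plus its terminator, so any field that needs more than 8 hex digits runs past the end. The following is an added example, not cpio's code, of the bounds-checked alternative: each field is range-checked against 32 bits and written with snprintf, so an oversized file size is rejected instead of overflowing. The struct and function names are hypothetical.

```c
/* Added example (not cpio's code): bounds-checked formatting of a SVR4
 * "newc"/"crc" cpio header.  Every numeric field is a fixed 8-hex-digit
 * slot, so the header is exactly 6 + 13*8 = 110 bytes.  A value >= 2^32
 * (a >4 GiB file size on a 64-bit host) needs 9+ digits: plain sprintf
 * would run past a 112-byte buffer, here the field is rejected instead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEWC_HDR_LEN 110            /* magic(6) + 13 fields * 8 hex digits */
#define NEWC_FIELD_MAX 0xFFFFFFFFull

/* Hypothetical struct: the 13 numeric header fields in on-disk order. */
struct newc_hdr {
    uint64_t ino, mode, uid, gid, nlink, mtime, filesize,
             dev_maj, dev_min, rdev_maj, rdev_min, namesize, chksum;
};

/* Formats the ASCII header into out (outsz bytes).  Returns 110 on
 * success, -1 if any field exceeds 8 hex digits or out is too small.
 * crc selects the 070702 (crc) magic instead of 070701 (newc). */
int format_newc_header(const struct newc_hdr *h, int crc,
                       char *out, size_t outsz)
{
    const uint64_t f[13] = { h->ino, h->mode, h->uid, h->gid, h->nlink,
                             h->mtime, h->filesize, h->dev_maj, h->dev_min,
                             h->rdev_maj, h->rdev_min, h->namesize, h->chksum };
    size_t i, pos;
    int n;

    if (outsz < NEWC_HDR_LEN + 1)           /* room for 110 chars + NUL */
        return -1;
    for (i = 0; i < 13; i++)
        if (f[i] > NEWC_FIELD_MAX)          /* would need a 9th digit */
            return -1;

    n = snprintf(out, outsz, "%s", crc ? "070702" : "070701");
    if (n != 6)
        return -1;
    pos = 6;
    for (i = 0; i < 13; i++) {
        /* the cast is safe: every value was checked to fit in 32 bits */
        n = snprintf(out + pos, outsz - pos, "%08lX", (unsigned long)f[i]);
        if (n != 8)
            return -1;
        pos += 8;
    }
    return (int)pos;
}
```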

-- Additional comment from bressers@redhat.com on 2005-11-10 13:07 EST --

Please note that this is only a security issue on 64 bit platforms.

This issue should also affect RHEL2.1 and RHEL3

Comment 1 Peter Vrabec 2006-05-26 12:09:03 UTC
Created attachment 130020 [details]
patch extracted from upstream

This patch could fix also #183224, but it's necessary to rewrite
Then there will be 3 issues addressed:
cpio will be able to archive files <8GB in odc format. (no bz report for this)

Is it possible to do these changes? Everything is tested and works in FC-5. I'd
like to do it at once to avoid any other problems which come if only
writeOutHeaderBufferOverflow.patch is applied.

Comment 3 Jay Turner 2006-08-25 16:35:58 UTC
QE ack for 4.5.

Comment 4 Peter Vrabec 2006-08-29 12:54:01 UTC
+ static char codetab[] = "0123456789ABCDEF";
Should have const in that line.

Comment 13 Red Hat Bugzilla 2007-05-01 17:14:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
