Bug 1167571 (CVE-2014-9112) - CVE-2014-9112 cpio: heap-based buffer overflow flaw in list_file()
Summary: CVE-2014-9112 cpio: heap-based buffer overflow flaw in list_file()
Alias: CVE-2014-9112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1167573 1195575 1195576 1195577 1195578
Blocks: 1167574 1210268
TreeView+ depends on / blocked
Reported: 2014-11-25 05:32 UTC by Murray McAllister
Modified: 2021-02-17 05:58 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in cpio's list_file() function. An attacker could provide a specially crafted archive that, when processed by cpio, would crash cpio, or potentially lead to arbitrary code execution.
Clone Of:
Last Closed: 2015-11-20 05:23:54 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
GNU Savannah 43709 0 None None None Never
Red Hat Product Errata RHSA-2015:2108 0 normal SHIPPED_LIVE Moderate: cpio security and bug fix update 2015-11-19 09:10:50 UTC

Description Murray McAllister 2014-11-25 05:32:47 UTC
A heap-based buffer overflow flaw was reported in cpio's list_file() function. Attempting to extract a malicious cpio archive could cause cpio to crash or, potentially, execute arbitrary code.

As noted in the original report, this issue could be trigger via other utilities, such as when running "less".

A patch is not yet available.

Original report:


Comment 1 Murray McAllister 2014-11-25 05:36:39 UTC
Created cpio tracking bugs for this issue:

Affects: fedora-all [bug 1167573]

Comment 2 Murray McAllister 2014-11-25 05:36:56 UTC
CVE request: http://www.openwall.com/lists/oss-security/2014/11/25/2

Comment 4 Murray McAllister 2014-11-27 01:58:03 UTC
MITRE assigned CVE-2014-9112 to this issue:


Comment 9 David Walser 2014-12-10 18:42:46 UTC
There appear to be issues with the fix on i*86.  As I wrote in the F20 update candidate on admin.fedoraproject.org:
Testing the i686 package on Fedora 20 with the PoC: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio With cpio-2.11-24.fc20 it actually does not segfault, but with cpio-2.11-28.fc20 it does, which is the opposite of what was supposed to happen.

Also, I've added the same patches that Fedora has for this update in the Mageia cpio package.  Our bug is here:

As you can see, one of our QA members confirmed the vulnerability and fix on x86_64, but when I tested on i586, it segfaults both before and after the update.  However, the package does have "make check" enabled, which passed when the package was built, so there may be something that was in the PoC that's missing from what has been added to the upstream testsuite in these patches.

Comment 10 Pavel Raiskup 2014-12-11 07:40:51 UTC
David, thanks for catching this and letting us know!  I have reported that
issue upstream [1].

The remaining issue does not seem to be security anymore, and, for correct
archives does not hurt (note that the tested cpio archive is broken
intentionally, so the segfault is not _so bad_ now).  If there is no
disagreement, I would treat this as a separate issue/bug.

[1] http://www.mail-archive.com/bug-cpio@gnu.org/msg00507.html


Comment 11 David Walser 2014-12-11 22:55:49 UTC
Thanks Pavel!

I've synced the upstream changes:

It's working fine with the PoC now.

Comment 12 Fedora Update System 2014-12-18 06:06:24 UTC
cpio-2.11-33.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-01-06 06:09:38 UTC
cpio-2.11-28.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 errata-xmlrpc 2015-11-19 08:57:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2108 https://rhn.redhat.com/errata/RHSA-2015-2108.html

Note You need to log in before you can comment on or make changes to this bug.