Bugzilla – Bug 907456
VUL-0: CVE-2014-9112: cpio: heap-based buffer overflow flaw in list_file()
Last modified: 2016-02-17 21:18:46 UTC
CVE-2014-9112 A heap-based buffer overflow flaw was reported in cpio's list_file() function. Attempting to extract a malicious cpio archive could cause cpio to crash or, potentially, execute arbitrary code. As noted in the original report, this issue could be triggered via other utilities, such as when running "less". References: https://bugzilla.redhat.com/show_bug.cgi?id=1167571
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-12-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59828
Packages submitted. Reassigning to security-team.
This is an autogenerated message for OBS integration: This bug (907456) was mentioned in https://build.opensuse.org/request/show/263649 13.2+13.1+12.3 / cpio
openSUSE-SU-2014:1643-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 907456
CVE References: CVE-2014-9112
Sources used:
openSUSE 13.2 (src): cpio-2.11-29.5.1
openSUSE 13.1 (src): cpio-2.11-25.4.1
openSUSE 12.3 (src): cpio-2.11-21.4.1
SUSE-SU-2014:1652-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 658010,907456
CVE References: CVE-2014-9112
Sources used:
SUSE Linux Enterprise Server 12 (src): cpio-2.11-29.1
SUSE Linux Enterprise Desktop 12 (src): cpio-2.11-29.1
After the update, I ran the test case and got this output:
"""
## ------------------------ ##
## GNU cpio 2.9 test suite. ##
## ------------------------ ##
1: cpio version ok
2: basic functionality: copyin/copyout ok
3: symlink ok
4: symlink-bad-length FAILED (symlink-bad-length.at:38)
5: symlink-long ok
6: interdir FAILED (interdir.at:31)
"""
Was the issue not fixed? Please check and verify it.
It is FIXED. The symlink-bad-length test is supposed to die on this "if":

    off_t n = file_hdr->c_filesize + 1;

    if (n == 0 || n > SIZE_MAX) {
        error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
    } else {
        link_name = xmalloc (n);
    [...]

However, the test is meant for 32bit systems where SIZE_MAX is 4294967295 (2^32 - 1). The supplied filesize is 2^32 - 1, so n is 4294967296 (2^32).

On 64bit systems SIZE_MAX is 2^64 - 1, thus the condition isn't fulfilled (4294967296 isn't bigger than 18446744073709551615).

The execution takes the else-branch and tries to allocate the ridiculous amount of memory and fails with "memory exhausted".

The interdir test apparently fails with or without the latest security patch.
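The platform-dependent outcome described in comment 12, as an added stand-alone model (not cpio's own code): the check is reproduced with size_max passed in as a parameter so one build can show both the 32-bit and 64-bit verdict for the filesize the symlink-bad-length test supplies. The `check_link_len_capped` variant is an assumed extra bound, not something the cpio patch does.

```c
/* Model of the patched symlink-length check from cpio's list_file().
 * Added illustration, not cpio source: size_max is a parameter instead
 * of the SIZE_MAX macro, and the arithmetic is done in uint64_t as a
 * stand-in for the 64-bit off_t used on both 32-bit and 64-bit builds. */
#include <stdint.h>
#include <stdio.h>

enum verdict { REJECT_TOO_BIG, ACCEPT };

/* n = c_filesize + 1; rejected when it wrapped to 0 or exceeds size_max.
 * On ACCEPT, *alloc receives the size that xmalloc(n) would be asked for. */
enum verdict check_link_len(uint64_t c_filesize, uint64_t size_max,
                            uint64_t *alloc)
{
    uint64_t n = c_filesize + 1;        /* may wrap to 0 for UINT64_MAX */
    if (n == 0 || n > size_max)
        return REJECT_TOO_BIG;          /* "stored filename length too big" */
    *alloc = n;
    return ACCEPT;
}

/* Assumed hardening (not in the cpio patch): additionally reject any
 * symlink target longer than a sane cap, so a 4 GiB request is refused
 * before allocation on 64-bit hosts as well. */
enum verdict check_link_len_capped(uint64_t c_filesize, uint64_t size_max,
                                   uint64_t cap, uint64_t *alloc)
{
    uint64_t n = c_filesize + 1;
    if (n == 0 || n > size_max || n > cap)
        return REJECT_TOO_BIG;
    *alloc = n;
    return ACCEPT;
}

int main(void)
{
    const uint64_t filesize = UINT32_MAX;   /* value used by symlink-bad-length */
    uint64_t alloc = 0;

    printf("32-bit SIZE_MAX: %s\n",
           check_link_len(filesize, UINT32_MAX, &alloc) == ACCEPT ? "accept" : "reject");
    if (check_link_len(filesize, UINT64_MAX, &alloc) == ACCEPT)
        printf("64-bit SIZE_MAX: accept, xmalloc(%llu) attempted\n",
               (unsigned long long)alloc);
    printf("64-bit with 4096-byte cap: %s\n",
           check_link_len_capped(filesize, UINT64_MAX, 4096, &alloc) == ACCEPT
               ? "accept" : "reject");
    return 0;
}
```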
(In reply to Vitezslav Cizek from comment #12)
> It is FIXED.
>
> The symlink-bad-length test is supposed to die on this "if":
>
>     off_t n = file_hdr->c_filesize + 1;
>
>     if (n == 0 || n > SIZE_MAX) {
>         error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
>     } else {
>         link_name = xmalloc (n);
>     [...]
>
> However, the test is meant for 32bit systems where SIZE_MAX is 4294967295
> (2^32 - 1)
> The supplied filesize is 2^32 - 1, so n is 4294967296 (2^32).
>
> On 64bit systems the SIZE_MAX is 2^64 - 1, thus the condition isn't
> fulfilled,
> (4294967296 isn't bigger than 18446744073709551615)
>
> The execution takes the else-branch and tries to allocate the ridiculous
> amount of memory and fails with "memory exhausted"
>
> The interdir test apparently fails with or without the latest security patch.

I see, thank you.
SUSE-SU-2014:1675-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 907456
CVE References: CVE-2014-9112
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): cpio-2.9-75.78.1
SUSE Linux Enterprise Server 11 SP3 (src): cpio-2.9-75.78.1
SUSE Linux Enterprise Desktop 11 SP3 (src): cpio-2.9-75.78.1
released