Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 699456 (CVE-2016-2037, CVE-2019-14866) - <app-arch/cpio-2.13: improper input validation when writing tar header fields leads to unexpect tar generation (CVE-2016-2037, CVE-2019-14866)
Summary: <app-arch/cpio-2.13: improper input validation when writing tar header fields...
Status: IN_PROGRESS
Alias: CVE-2016-2037, CVE-2019-14866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://security-tracker.debian.org/t...
Whiteboard: B4 [upstream cve]
Keywords:
Depends on: 700020
Blocks:
  Show dependency tree
 
Reported: 2019-11-06 15:58 UTC by Lars Wendler (Polynomial-C)
Modified: 2020-06-23 23:52 UTC (History)
2 users (show)

See Also:
Package list:
app-arch/cpio-2.13
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) gentoo-dev 2019-11-06 15:58:10 UTC
Quote from Debian bug:


This command looks safe, and is a reasonable "backup" command:
find /home -type f | cpio -H tar -o > /var/backups/backup.tar

But if /home/evil/foo.data is maliciously set up (size is >8GiB) then the
tar file can be made to have arbitrary content, so a restore could
overwrite /etc/passwd or anything else under the restore tree, using any
permissions. A world writable /dev/sda would also be bad, as would many
other fun variants. Like user controlling /home/evil can inject
/home/friendly/.bashrc content too.

Patch at https://cement.retrofitta.se/tmp/cpio-tar.patch

Patch commit message:

Check for size overflow in tar header fields.

    This prevents surprising outputs being created, e.g. this cpio tar
    output with more than one file:

    tar cf suffix.tar AUTHORS
    dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
    echo suffix.tar | cpio -H tar -o | tar tvf -

    -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
    -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-11-14 15:17:05 UTC
arm64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2019-11-14 15:42:07 UTC
x86 stable
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2019-11-14 16:08:40 UTC
Full stop on stabilization due to bug #700020
Comment 4 Sam James archtester gentoo-dev Security 2020-03-28 20:09:25 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #3)
> Full stop on stabilization due to bug #700020

No fix yet, unfortunately.

---
Other vulnerabilities that 2.13 fixed:

2) CVE-2016-2037

Description:
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file."
Comment 5 NATTkA bot gentoo-dev 2020-04-06 15:05:40 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 6 NATTkA bot gentoo-dev 2020-05-05 19:12:43 UTC
Unable to check for sanity:

> package masked: app-arch/cpio-2.13