2007/8/17, Dmitry V. Levin <[EMAIL PROTECTED]>:
> Hi,
>
> paxlib's safer_name_suffix() function uses alloca() to report the prefix string
> it is going to strip, and recent tar and cpio versions use this function
> both in list and extract modes.
> The problem is that the length of this string (i.e. the size passed to alloca)
> is under tarball owner control.
> As a result, tar/cpio crashes if this string is sufficiently long.
>
> Fortunately, the memcpy() call which follows the alloca() call makes this stack
> overflow a plain crash, so it does not look exploitable.
>
> Reproducer:
> $ ulimit -s
> 8192
> $ ./tarnull null.tar
> $ bzip2 -9 null.tar
> $ ls -log null.tar.bz2
> -rw-r--r-- 1 543 Aug 15 18:00 null.tar.bz2
> $ tar tf null.tar.bz2
> Segmentation fault
Hello. I have tested your reproducer and I got a segfault. I recompiled cpio 2.9 with your patch but I'm still getting a segfault. Have I missed something?

Regards,
Ladislav.
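As an added example (not part of this thread and not the tar/cpio or paxlib sources), a hypothetical prefix-stripping routine in the shape of safer_name_suffix() that reports the stripped prefix from a heap buffer instead of an alloca() buffer sized by the archive member name; safe_suffix() and check_long_name() are invented names, and the stripping rules are simplified.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for safer_name_suffix(): drop leading "/" and
 * "../" components from an archive member name and report the prefix that
 * was removed.  The report above describes that prefix being copied into an
 * alloca() buffer whose size is taken from the member name, which the
 * archive author controls; here the copy goes to the heap, so an oversized
 * name costs a malloc() that can fail cleanly instead of overrunning the
 * stack. */

/* Returns a pointer into `name` where the safe suffix starts.  If
 * `prefix_out` is non-NULL it receives a malloc'd copy of the stripped
 * prefix ("" when nothing was stripped), or NULL on allocation failure. */
const char *safe_suffix(const char *name, char **prefix_out)
{
    const char *p = name;
    for (;;) {
        if (*p == '/')
            p++;
        else if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            p += (p[2] == '/') ? 3 : 2;
        else
            break;
    }
    if (prefix_out) {
        size_t plen = (size_t)(p - name);      /* chosen by the archive author */
        char *prefix = malloc(plen + 1);       /* heap, not alloca() */
        if (prefix) {
            memcpy(prefix, name, plen);
            prefix[plen] = '\0';
        }
        *prefix_out = prefix;
    }
    return p;
}

/* Constructed input: `reps` copies of "../" followed by "x".  With
 * reps = 4000000 the stripped prefix is 12 MB, past the 8 MB stack limit
 * shown in the reproducer.  Returns 1 when suffix and prefix come back
 * intact, 0 on allocation failure or mismatch. */
int check_long_name(size_t reps)
{
    size_t len = reps * 3 + 1;
    char *name = malloc(len + 1);
    if (!name) return 0;
    for (size_t i = 0; i < reps; i++) memcpy(name + i * 3, "../", 3);
    name[len - 1] = 'x';
    name[len] = '\0';
    char *prefix = NULL;
    const char *suffix = safe_suffix(name, &prefix);
    int ok = prefix && strcmp(suffix, "x") == 0 && strlen(prefix) == reps * 3;
    free(prefix);
    free(name);
    return ok;
}
```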
