Ben Hutchings <[email protected]> writes:

> [ Unknown signature status ]
> On Thu, 2016-06-02 at 17:39 +1000, Brian May wrote:
>> Hello,
>>
>> Do we care about vulnerabilities that are specific to HFS+?
>>
>> http://www.talosintel.com/reports/TALOS-2016-0093/
>> CVE-2016-2334
>
> If a program automatically detects file formats then every supported
> file format is part of its attack surface. I don't think we can rule
> out certain formats as too obscure. (See for example the recent
> attacks on ImageMagick/GraphicsMagick using a format that most people
> never heard of before. The fix there was to disable support for that
> format by default.)
... except we are not talking about file formats here, but different
file systems. e.g. the HFS+ looks like it is specific to stuff that is
stored in the resource fork on HFS+.

I guess the big question is if a specially crafted file can cause a
crash on a system without HFS+ resource forks.

I am not sure if it is possible to access HFS+ resource forks using the
Linux filesystem driver or not, and if it is, whether pk7zip supports
this.

From the detailed description it says "During extraction from HFS+
image having compressed files with “com.apple.decmpfs” attribute and
data stored in resource fork we land in above code."

At a guess if you don't have the HFS+ resource fork to extract into
then the problem code will never get called.

Suspect UDF might be similar, if you don't have a UDF filesystem the
vulnerable code will not get called.

Will continue to check the code to make sure.
-- 
Brian May <[email protected]>
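
The point quoted above about automatic format detection, as an added example that is not part of the original thread: a pre-extraction check that classifies a file by its on-disk signature instead of its name. The function names and sample bytes are constructed for illustration; the offsets are the standard positions of the HFS+ volume header (1024) and the UDF volume recognition sequence (32768).

```python
import io
import struct

HFS_HEADER_OFFSET = 1024   # HFS+/HFSX volume header sits 1024 bytes into the volume
UDF_VRS_OFFSET = 32768     # volume recognition sequence starts at sector 16
SECTOR = 2048
VRS_IDS = {b"BEA01", b"BOOT2", b"CD001", b"CDW02", b"TEA01"}  # non-UDF descriptors
UDF_IDS = {b"NSR02", b"NSR03"}


def sniff_filesystem(stream):
    """Return 'hfs+', 'hfsx', 'udf' or None, looking only at file content."""
    stream.seek(HFS_HEADER_OFFSET)
    head = stream.read(4)
    if len(head) == 4:
        signature, version = struct.unpack(">2sH", head)
        if signature == b"H+" and version == 4:
            return "hfs+"
        if signature == b"HX" and version == 5:
            return "hfsx"
    for index in range(16):  # bounded walk over the recognition descriptors
        stream.seek(UDF_VRS_OFFSET + index * SECTOR + 1)
        ident = stream.read(5)
        if ident in UDF_IDS:
            return "udf"
        if ident not in VRS_IDS:
            break
    return None


def triage(name, data, blocked=("hfs+", "hfsx", "udf")):
    """Hypothetical gate run before a file reaches an auto-detecting extractor."""
    kind = sniff_filesystem(io.BytesIO(data))
    if kind in blocked:
        return f"quarantine {name}: content is a {kind} image"
    return f"pass {name}"


# Constructed samples: the names say .zip, the bytes decide the outcome.
FAKE_ZIP = bytearray(4096)
FAKE_ZIP[1024:1028] = b"H+" + struct.pack(">H", 4)
UDF_IMAGE = bytearray(UDF_VRS_OFFSET + 3 * SECTOR)
for i, ident in enumerate((b"BEA01", b"NSR03", b"TEA01")):
    start = UDF_VRS_OFFSET + i * SECTOR + 1
    UDF_IMAGE[start:start + 5] = ident
REAL_ZIP = b"PK\x03\x04" + bytes(2000)

if __name__ == "__main__":
    for name, data in (("holiday.zip", FAKE_ZIP), ("disc.zip", UDF_IMAGE), ("notes.zip", REAL_ZIP)):
        print(triage(name, bytes(data)))
```
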
