[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Mark Linimon  changed:

   What|Removed |Added

   Assignee|freebsd-bugs@FreeBSD.org|delp...@freebsd.org
 Status|New |Closed
 Resolution|--- |FIXED

--- Comment #8 from Mark Linimon  ---
Already committed by delphij.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #7 from commit-h...@freebsd.org ---
A commit references this bug:

Author: delphij
Date: Wed Feb 24 05:40:04 UTC 2016
New revision: 295961
URL: https://svnweb.freebsd.org/changeset/base/295961

Log:
  MFC r295914: MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).  This fixes a
  potential crash issue discovered by Alexander Cherepanov.

  PR:   207362
  Reported by:  Robert Clausecker
  Obtained from:libarchive github project
  Approved by:  re (marius)

Changes:
_U  stable/10/
  stable/10/contrib/libarchive/libarchive/archive_read.c

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #6 from commit-h...@freebsd.org ---
A commit references this bug:

Author: delphij
Date: Tue Feb 23 08:12:39 UTC 2016
New revision: 295915
URL: https://svnweb.freebsd.org/changeset/base/295915

Log:
  Instant-MFC r295914: MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).  This fixes a
  potential crash issue discovered by Alexander Cherepanov.

  PR:   207362
  Reported by:  Robert Clausecker
  Obtained from:libarchive github project
  Approved by:  so

Changes:
_U  stable/9/contrib/libarchive/
_U  stable/9/contrib/libarchive/libarchive/
  stable/9/contrib/libarchive/libarchive/archive_read.c

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #5 from commit-h...@freebsd.org ---
A commit references this bug:

Author: delphij
Date: Tue Feb 23 07:13:22 UTC 2016
New revision: 295914
URL: https://svnweb.freebsd.org/changeset/base/295914

Log:
  MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).  This fixes a
  potential crash issue discovered by Alexander Cherepanov.

  PR:   207362
  Reported by:  Robert Clausecker
  Obtained from:libarchive github project

Changes:
_U  head/contrib/libarchive/
_U  head/contrib/libarchive/libarchive/
  head/contrib/libarchive/libarchive/archive_read.c

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Jason Unovitch  changed:

   What|Removed |Added

 Status|Closed  |New
 CC||sect...@freebsd.org
 Resolution|FIXED   |---

--- Comment #4 from Jason Unovitch  ---
Actually I am going to reopen.  The last libarchive release was in 2013
(https://github.com/libarchive/libarchive/releases) so we will have to pull
fixes like this in.  It can probably be combined with the security fixes for
libarchive in bug 206386.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Robert Clausecker  changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|New |Closed

--- Comment #3 from Robert Clausecker  ---
This has been fixed upstream:

   
https://github.com/libarchive/libarchive/commit/6e06b1c89dd0d16f74894eac4cfc1327a06ee4a0

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #2 from Robert Clausecker  ---
Issue #660 has been reported against the libarchive.

https://github.com/libarchive/libarchive/issues/660

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Jason Unovitch  changed:

   What|Removed |Added

 CC||junovi...@freebsd.org

--- Comment #1 from Jason Unovitch  ---
Can you report this to the libarchive upstream as well?
https://github.com/libarchive/libarchive

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory

[bugzilla-noreply]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Bug ID: 207362
   Summary: Crafted gzip archive causes tar(1) to exhaust all your
memory
   Product: Base System
   Version: 10.2-RELEASE
  Hardware: Any
OS: Any
Status: New
  Severity: Affects Some People
  Priority: ---
 Component: misc
  Assignee: freebsd-bugs@FreeBSD.org
  Reporter: f...@fuz.su

Created attachment 167205
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167205=edit
gzip quine, unpacks to itself

The FreeBSD tar(1) program uses a heuristic to check if an archive file is
compressed. If it is, it calls into an appropriate library to receive a
decompressed stream. Then it applies the heuristic again to catch the case of
an archive that has been compressed multiple times. There is no limit to the
number of recursive decompressions.

Using a crafted gzip file (the attached file is a quine that unpacks to
itself), one can get tar(1) to invoke an infinite chain of gzip compressors
until all the memory on the machine running tar(1) has been exhausted or
another resource limit kicks in.

I see this behaviour as a bug and security problem. It can be used to perform
denial-of-service attacks against machines that run FreeBSD and use tar(1) to
list the contents of untrusted archives.

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"