[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Mark Linimon changed:

What       |Removed                  |Added
Assignee   |freebsd-bugs@FreeBSD.org |delp...@freebsd.org
Status     |New                      |Closed
Resolution |---                      |FIXED

--- Comment #8 from Mark Linimon ---
Already committed by delphij.

--
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #7 from commit-h...@freebsd.org ---
A commit references this bug:

Author: delphij
Date: Wed Feb 24 05:40:04 UTC 2016
New revision: 295961
URL: https://svnweb.freebsd.org/changeset/base/295961

Log:
  MFC r295914:

  MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).

  This fixes a potential crash issue discovered by Alexander Cherepanov.

  PR: 207362
  Reported by: Robert Clausecker
  Obtained from: libarchive github project
  Approved by: re (marius)

Changes:
_U  stable/10/
  stable/10/contrib/libarchive/libarchive/archive_read.c

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #6 from commit-h...@freebsd.org ---
A commit references this bug:

Author: delphij
Date: Tue Feb 23 08:12:39 UTC 2016
New revision: 295915
URL: https://svnweb.freebsd.org/changeset/base/295915

Log:
  Instant-MFC r295914:

  MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).

  This fixes a potential crash issue discovered by Alexander Cherepanov.

  PR: 207362
  Reported by: Robert Clausecker
  Obtained from: libarchive github project
  Approved by: so

Changes:
_U  stable/9/contrib/libarchive/
_U  stable/9/contrib/libarchive/libarchive/
  stable/9/contrib/libarchive/libarchive/archive_read.c

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #5 from commit-h...@freebsd.org ---
A commit references this bug:

Author: delphij
Date: Tue Feb 23 07:13:22 UTC 2016
New revision: 295914
URL: https://svnweb.freebsd.org/changeset/base/295914

Log:
  MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).

  This fixes a potential crash issue discovered by Alexander Cherepanov.

  PR: 207362
  Reported by: Robert Clausecker
  Obtained from: libarchive github project

Changes:
_U  head/contrib/libarchive/
_U  head/contrib/libarchive/libarchive/
  head/contrib/libarchive/libarchive/archive_read.c

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Jason Unovitch changed:

What       |Removed |Added
Status     |Closed  |New
CC         |        |sect...@freebsd.org
Resolution |FIXED   |---

--- Comment #4 from Jason Unovitch ---
Actually I am going to reopen. The last libarchive release was in 2013 (https://github.com/libarchive/libarchive/releases) so we will have to pull fixes like this in. It can probably be combined with the security fixes for libarchive in bug 206386.

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Robert Clausecker changed:

What       |Removed |Added
Resolution |---     |FIXED
Status     |New     |Closed

--- Comment #3 from Robert Clausecker ---
This has been fixed upstream:

https://github.com/libarchive/libarchive/commit/6e06b1c89dd0d16f74894eac4cfc1327a06ee4a0

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

--- Comment #2 from Robert Clausecker ---
Issue #660 has been reported against the libarchive.

https://github.com/libarchive/libarchive/issues/660

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Jason Unovitch changed:

What |Removed |Added
CC   |        |junovi...@freebsd.org

--- Comment #1 from Jason Unovitch ---
Can you report this to the libarchive upstream as well?

https://github.com/libarchive/libarchive

[Bug 207362] Crafted gzip archive causes tar(1) to exhaust all your memory
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207362

Bug ID: 207362
Summary: Crafted gzip archive causes tar(1) to exhaust all your memory
Product: Base System
Version: 10.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: misc
Assignee: freebsd-bugs@FreeBSD.org
Reporter: f...@fuz.su

Created attachment 167205
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167205=edit
gzip quine, unpacks to itself

The FreeBSD tar(1) program uses a heuristic to check if an archive file is compressed. If it is, it calls into an appropriate library to receive a decompressed stream. Then it applies the heuristic again to catch the case of an archive that has been compressed multiple times. There is no limit to the number of recursive decompressions.

Using a crafted gzip file (the attached file is a quine that unpacks to itself), one can get tar(1) to invoke an infinite chain of gzip compressors until all the memory on the machine running tar(1) has been exhausted or another resource limit kicks in.

I see this behaviour as a bug and security problem. It can be used to perform denial-of-service attacks against machines that run FreeBSD and use tar(1) to list the contents of untrusted archives.
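
The depth cap described in the commit logs of this thread, applied as a pre-screen before an untrusted file reaches tar(1). This is an added example, not libarchive or FreeBSD code; it sniffs gzip only, and `gzip_depth`, `safe_to_list`, `nested_sample`, `PEEK_BYTES` and the constructed sample data are assumptions of the example.

```python
import gzip
import zlib

MAX_FILTER_DEPTH = 25          # the limit named in the commit log in this thread
GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip ID1, ID2, CM=deflate (simplified sniff)
PEEK_BYTES = 64 * 1024         # hypothetical cap on output kept per layer


class TooManyFilters(Exception):
    """Raised when compression layers nest deeper than the allowed depth."""


def gzip_depth(blob, max_depth=MAX_FILTER_DEPTH, peek=PEEK_BYTES):
    """Count nested gzip layers, keeping at most `peek` bytes of each layer.

    Only the head of a layer is needed to tell whether the next one is gzip
    again, so the decompressed data held at any time is bounded by `peek`.
    """
    depth = 0
    while blob.startswith(GZIP_MAGIC):
        depth += 1
        if depth > max_depth:
            raise TooManyFilters(f"more than {max_depth} gzip layers")
        try:
            # wbits=31 selects the gzip wrapper; the second argument caps output.
            blob = zlib.decompressobj(31).decompress(blob, peek)
        except zlib.error:
            break  # corrupt layer: stop peeling, report what was seen
    return depth


def safe_to_list(blob):
    """True when the nesting depth is within the cap, False otherwise."""
    try:
        gzip_depth(blob)
        return True
    except TooManyFilters:
        return False


def nested_sample(layers, payload=b"constructed sample payload\n"):
    """Constructed test input: `payload` gzip-compressed `layers` times."""
    for _ in range(layers):
        payload = gzip.compress(payload)
    return payload


if __name__ == "__main__":
    for n in (0, 1, 25, 26):
        print(n, "layers ->", "accept" if safe_to_list(nested_sample(n)) else "reject")
```

Because each layer is followed only through its first `PEEK_BYTES` of output, a nested stream larger than that window is counted only as far as the retained bytes allow; the cap in the library itself remains the actual fix.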