NULL dereference when decompressing specially crafted archives

Bug #1810241 reported by Daniel Axtens on 2019-01-02
Affects: tar (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

Hi,

Fuzzing tar with checksums disabled reveals a NULL pointer dereference when parsing certain archives that have malformed extended headers. This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't tested Xenial's version.

A test case with fixed checksums is attached. To avoid breaking anything that looks inside tar archives, I have converted it to text with xxd. To reproduce:

$ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
$ tar Oxf gnutar-crash.tar
tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
tar: Malformed extended header: missing length
Segmentation fault (core dumped)

I have also attached a patch against the latest upstream git and against 1.30 (in Cosmic). This fixes the issue by detecting the null result before it is dereferenced.

Regards,
Daniel
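The defensive pattern the attached patch describes (checking the parser's result for NULL before it is dereferenced), shown here as an added example in C that is neither the reporter's patch nor GNU tar's own code. It uses a deliberately simplified parser for pax-style "<length> <keyword>=<value>\n" records; the function names xhdr_lookup and xhdr_sparse_size and the keyword GNU.sparse.size are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified parser for pax-style extended-header records of the form
 * "<decimal length> <keyword>=<value>\n" (illustration only, not tar's code).
 * buf must be NUL-terminated. Returns a malloc'd copy of the value stored
 * under `key`, or NULL when a record is malformed or the key is absent. */
char *xhdr_lookup(const char *buf, size_t n, const char *key)
{
    const char *p = buf, *end = buf + n;
    size_t klen = strlen(key);

    while (p < end) {
        char *num_end;
        if (*p < '0' || *p > '9')        /* "missing length": refuse the header */
            return NULL;
        unsigned long len = strtoul(p, &num_end, 10);
        if (num_end >= end || *num_end != ' ')
            return NULL;
        /* The length covers the whole record, trailing newline included. */
        if (len < 2 || len > (size_t)(end - p) || p[len - 1] != '\n')
            return NULL;
        const char *kv = num_end + 1;
        const char *eq = memchr(kv, '=', (size_t)(p + len - 1 - kv));
        if (eq == NULL)
            return NULL;
        if ((size_t)(eq - kv) == klen && memcmp(kv, key, klen) == 0) {
            size_t vlen = (size_t)(p + len - 1 - (eq + 1));
            char *v = malloc(vlen + 1);
            if (v == NULL) return NULL;
            memcpy(v, eq + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p += len;                        /* advance to the next record */
    }
    return NULL;
}

/* Consumer of the parsed value. The NULL check is the fix pattern from the
 * report: without it a malformed header reaches strtol(NULL) and crashes. */
long xhdr_sparse_size(const char *buf, size_t n)
{
    char *v = xhdr_lookup(buf, n, "GNU.sparse.size");
    if (v == NULL)
        return -1;                       /* report "no size", do not dereference */
    long size = strtol(v, NULL, 10);
    free(v);
    return size;
}
```

The sample headers used below are constructed; a header whose record lacks the leading length (the case in the crash log above) now yields -1 instead of a segmentation fault.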

Seth Arnold (seth-arnold) wrote :

Hello Daniel, very nice.

Have you reported this issue upstream yet?

Thanks

Daniel Axtens (daxtens) wrote :

Hi Seth,

I've just learned how to navigate Savannah and reported it. I will let you know if/when they reply.

Regards,
Daniel

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Daniel Axtens (daxtens) wrote :

The tar maintainers have disclosed the issue via the commit, so that sounds fine to me.

information type: Private Security → Public Security

The attachment "patch against git head" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

Use CVE-2019-9923.

Thanks

Changed in tar (Ubuntu):
status: New → Triaged
Changed in tar (Ubuntu):
importance: Undecided → High
