NULL dereference when decompressing specially crafted archives
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tar (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Hi,
Fuzzing tar with checksums disabled reveals a NULL pointer dereference when parsing certain archives that have malformed extended headers. This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't tested Xenial's version.
A test case with fixed checksums is attached. To avoid breaking anything that looks inside tar archives, I have converted it to text with xxd. To reproduce:
$ xxd -r gnutar-
$ tar Oxf gnutar-crash.tar
tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
tar: Malformed extended header: missing length
Segmentation fault (core dumped)
I have also attached a patch against the latest upstream git and against 1.30 (in Cosmic). This fixes the issue by detecting the null result before it is dereferenced.
Regards,
Daniel
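The bug class described above, as an added illustration that is neither GNU tar's code nor the attached patch: a minimal decoder for pax-style extended-header records (`<length> <keyword>=<value>\n`) that returns NULL for a malformed record, beside a caller that tests that result before using it. The record handling, the function names and the sample headers are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the report; not GNU tar's code.
 * A pax extended-header record looks like "<decimal length> <keyword>=<value>\n",
 * where the length counts the whole record, newline included. */

#define PAX_KEY_MAX 64
#define PAX_VAL_MAX 256

typedef struct {
    char keyword[PAX_KEY_MAX];
    char value[PAX_VAL_MAX];
} pax_record;

/* Decode one record at the start of buf. On success returns a heap-allocated
 * record and stores the record's byte length in *consumed. Returns NULL for a
 * malformed record (no decimal length, length out of range, no '=', ...).
 * Every caller must test the result for NULL before touching it. */
pax_record *pax_decode_record(const char *buf, size_t buflen, size_t *consumed)
{
    size_t i = 0;
    size_t len = 0;

    /* Length field: one or more digits followed by a single space. */
    if (buflen == 0 || !isdigit((unsigned char)buf[0]))
        return NULL;                          /* "missing length" */
    while (i < buflen && isdigit((unsigned char)buf[i])) {
        len = len * 10 + (size_t)(buf[i] - '0');
        if (len > buflen)
            return NULL;                      /* claims more bytes than exist */
        i++;
    }
    if (i >= buflen || buf[i] != ' ')
        return NULL;
    i++;

    /* The record ends with '\n' exactly len bytes from its start and must
     * leave room for at least "k=\n" after the length field. */
    if (len < i + 3 || buf[len - 1] != '\n')
        return NULL;

    const char *eq = memchr(buf + i, '=', len - 1 - i);
    if (eq == NULL)
        return NULL;

    size_t klen = (size_t)(eq - (buf + i));
    size_t vlen = (size_t)((buf + len - 1) - (eq + 1));
    if (klen == 0 || klen >= PAX_KEY_MAX || vlen >= PAX_VAL_MAX)
        return NULL;

    pax_record *rec = calloc(1, sizeof *rec);
    if (rec == NULL)
        return NULL;
    memcpy(rec->keyword, buf + i, klen);
    memcpy(rec->value, eq + 1, vlen);
    *consumed = len;
    return rec;
}

/* Walk the records of a header looking for keyword. Returns 0 and copies the
 * value into out when found, 1 when the header is well-formed but lacks the
 * keyword, and -1 when a record is malformed. The NULL test is the shape of
 * the fix described in the report: the malformed record is reported and the
 * walk stops instead of dereferencing a NULL record. */
int pax_header_get(const char *hdr, size_t hdrlen, const char *keyword,
                   char *out, size_t outsize)
{
    size_t off = 0;
    while (off < hdrlen) {
        size_t used = 0;
        pax_record *rec = pax_decode_record(hdr + off, hdrlen - off, &used);
        if (rec == NULL) {
            fprintf(stderr, "malformed extended header at offset %zu\n", off);
            return -1;
        }
        int match = strcmp(rec->keyword, keyword) == 0;
        if (match)
            snprintf(out, outsize, "%s", rec->value);
        free(rec);
        if (match)
            return 0;
        off += used;
    }
    return 1;
}

int main(void)
{
    /* Constructed headers: two well-formed records, and one record whose
     * length field is missing, as in the crashing archive from the report. */
    const char good[] = "20 path=example.txt\n11 size=12\n";
    const char bad[]  = "GNU.sparse.minTr=1\n";
    char value[PAX_VAL_MAX];

    if (pax_header_get(good, sizeof good - 1, "size", value, sizeof value) == 0)
        printf("size = %s\n", value);
    if (pax_header_get(bad, sizeof bad - 1, "size", value, sizeof value) < 0)
        printf("rejected malformed header without crashing\n");
    return 0;
}
```

The decoder owns all format validation (length present, length within the buffer, terminating newline, `=` separator, bounded keyword and value sizes), so the caller's only obligation is the NULL check; keeping that check at every call site is what the reporter's patch adds.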
CVE References
information type: Private Security → Public Security
Changed in tar (Ubuntu): status: New → Triaged
Changed in tar (Ubuntu): importance: Undecided → High
Hello Daniel, very nice.
Have you reported this issue upstream yet?
Thanks