NULL dereference when decompressing specially crafted archives

Bug #1810241 reported by Daniel Axtens
Affects: tar (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Hi,

Fuzzing tar with checksums disabled reveals a NULL pointer dereference when parsing certain archives that have malformed extended headers. This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't tested Xenial's version.

A test case with fixed checksums is attached. To avoid breaking anything that looks inside tar archives, I have converted it to text with xxd. To reproduce:

$ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
$ tar Oxf gnutar-crash.tar
tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
tar: Malformed extended header: missing length
Segmentation fault (core dumped)

I have also attached a patch against the latest upstream git and against 1.30 (in Cosmic). This fixes the issue by detecting the null result before it is dereferenced.

Regards,
Daniel
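The crash described above is triggered by a PAX extended header record whose length field is missing, where the parser handed back a null result that was then dereferenced. The C program below is an added example, not tar's code and not the attached patch: it parses the POSIX pax record format "<length> <keyword>=<value>\n", returns an error (rather than a pointer) for a missing or inconsistent length, and shows a caller that checks that result before going on. The function names and the sample records are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Copy n bytes of src into a fresh NUL-terminated string (portable strndup). */
static char *dup_range(const char *src, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, n);
    out[n] = '\0';
    return out;
}

/* Parse one pax record "<length> <keyword>=<value>\n" starting at *p within
 * [*p, end). On success stores freshly allocated keyword/value strings,
 * advances *p past the record and returns 0. Returns -1 and stores NULLs for
 * any malformed record, so the caller never receives a pointer it cannot trust. */
static int pax_parse_record(const char **p, const char *end,
                            char **keyword, char **value)
{
    const char *s = *p, *q = s;
    size_t avail = (size_t)(end - s);
    size_t len = 0;
    int digits = 0;

    *keyword = NULL;
    *value = NULL;

    /* Length field: one or more decimal digits followed by a single space. */
    while (q < end && isdigit((unsigned char)*q)) {
        if (len > avail)
            return -1;          /* already longer than the buffer; stop early */
        len = len * 10 + (size_t)(*q - '0');
        q++;
        digits++;
    }
    if (digits == 0 || q >= end || *q != ' ')
        return -1;              /* the "missing length" case */

    /* The length covers the whole record: the length field, the space, at
     * least "k=" and the trailing newline. It must fit the buffer exactly. */
    if (len < (size_t)(q - s) + 4 || len > avail || s[len - 1] != '\n')
        return -1;

    const char *kw = q + 1;
    const char *rec_end = s + len - 1;           /* points at the '\n' */
    const char *eq = memchr(kw, '=', (size_t)(rec_end - kw));
    if (eq == NULL || eq == kw)
        return -1;              /* no "keyword=value" split, or empty keyword */

    *keyword = dup_range(kw, (size_t)(eq - kw));
    *value = dup_range(eq + 1, (size_t)(rec_end - (eq + 1)));
    if (*keyword == NULL || *value == NULL) {
        free(*keyword);
        free(*value);
        *keyword = *value = NULL;
        return -1;
    }
    *p = s + len;
    return 0;
}

/* Walk a whole extended header buffer. Returns the number of records when
 * every record is well formed, and -1 as soon as one is malformed; that is
 * the point at which a caller must stop instead of using a NULL result. */
int pax_count_records(const char *buf, size_t n)
{
    const char *p = buf, *end = buf + n;
    int count = 0;

    while (p < end) {
        char *k, *v;
        if (pax_parse_record(&p, end, &k, &v) != 0)
            return -1;          /* checked here, never dereferenced */
        free(k);
        free(v);
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs, not records from the attached test case. */
    const char good[] = "31 GNU.sparse.name=example.bin\n6 x=y\n";
    const char bad[] = "GNU.sparse.minTr=1\n";   /* length field absent */

    printf("good: %d records\n", pax_count_records(good, sizeof good - 1));
    printf("bad:  %d (malformed, parsing stopped)\n",
           pax_count_records(bad, sizeof bad - 1));
    return 0;
}
```

The important design point is that the record parser reports failure through its return value and leaves the output pointers NULL; the header walk tests that return value before touching them, which is the same shape as the fix described in the report.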

Tags: patch

Seth Arnold (seth-arnold) wrote :

Hello Daniel, very nice.

Have you reported this issue upstream yet?

Thanks

Daniel Axtens (daxtens) wrote :

Hi Seth,

I've just learned how to navigate Savannah and reported it. I will let you know if/when they reply.

Regards,
Daniel

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Daniel Axtens (daxtens) wrote :

The tar maintainers have disclosed the issue via the commit, so that sounds fine to me.

information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "patch against git head" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

Use CVE-2019-9923.

Thanks

Changed in tar (Ubuntu):
status: New → Triaged
Changed in tar (Ubuntu):
importance: Undecided → High
Jeffrey Hawkins (rtswguru) wrote :

This issue is shown as Open on Jammy. The CVE is applicable to 1.32 and prior versions of TAR. Jammy uses 1.34, so this status should be not affected or closed. This was fixed in Focal in 1.30+dfsg-7ubuntu0.20.04.1. Please update the CVE status on Jammy.

Jeffrey Hawkins (rtswguru) wrote :

Update to my comment, issue is applicable to versions prior to 1.32 of TAR. Be that as it may, Jammy is not affected.

Alex Murray (alexmurray) wrote :

Thanks, I have updated the status of this CVE in the Ubuntu CVE tracker.

Changed in tar (Ubuntu):
status: Triaged → Fix Released