From naddy@mips.inka.de  Wed Mar 24 18:58:12 2010
Return-Path: <naddy@mips.inka.de>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D299C1065670
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 2010 18:58:12 +0000 (UTC)
	(envelope-from naddy@mips.inka.de)
Received: from mail-in-05.arcor-online.net (mail-in-05.arcor-online.net [151.189.21.45])
	by mx1.freebsd.org (Postfix) with ESMTP id 5B85B8FC40
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 2010 18:58:12 +0000 (UTC)
Received: from mail-in-16-z2.arcor-online.net (mail-in-16-z2.arcor-online.net [151.189.8.33])
	by mx.arcor.de (Postfix) with ESMTP id BB0A6332984
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 2010 19:58:10 +0100 (CET)
Received: from mail-in-06.arcor-online.net (mail-in-06.arcor-online.net [151.189.21.46])
	by mail-in-16-z2.arcor-online.net (Postfix) with ESMTP id A8174254E10
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 2010 19:58:10 +0100 (CET)
Received: from lorvorc.mips.inka.de (dslb-094-217-097-153.pools.arcor-ip.net [94.217.97.153])
	by mail-in-06.arcor-online.net (Postfix) with ESMTPS id 6E25F39A6B4
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 2010 19:58:10 +0100 (CET)
Received: from lorvorc.mips.inka.de (localhost [127.0.0.1])
	by lorvorc.mips.inka.de (8.14.4/8.14.3) with ESMTP id o2OIw9co078247
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Mar 2010 19:58:10 +0100 (CET)
	(envelope-from naddy@lorvorc.mips.inka.de)
Received: (from naddy@localhost)
	by lorvorc.mips.inka.de (8.14.4/8.14.4/Submit) id o2OIw9D9078246;
	Wed, 24 Mar 2010 19:58:09 +0100 (CET)
	(envelope-from naddy)
Message-Id: <201003241858.o2OIw9D9078246@lorvorc.mips.inka.de>
Date: Wed, 24 Mar 2010 19:58:09 +0100 (CET)
From: Christian Weisgerber <naddy@freebsd.org>
Reply-To: Christian Weisgerber <naddy@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: cpio: buffer overflow in rmt client
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         145010
>Category:       gnu
>Synopsis:       cpio: buffer overflow in rmt client
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 24 19:00:11 UTC 2010
>Closed-Date:    Thu Mar 25 20:08:29 UTC 2010
>Last-Modified:  Thu Mar 25 20:10:13 UTC 2010
>Originator:     Christian Weisgerber
>Release:        FreeBSD 7.3-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD lorvorc.mips.inka.de 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0: Sat Mar 20 13:36:54 CET 2010 naddy@lorvorc.mips.inka.de:/usr/obj/usr/src/sys/GENERIC amd64

This applies to all branches of FreeBSD.

>Description:

CVE-2010-0624
  Heap-based buffer overflow in the rmt_read__ function in
  lib/rtapelib.c in the rmt client functionality in GNU tar before
  1.23 and GNU cpio before 2.11 allows remote rmt servers to cause
  a denial of service (memory corruption) or possibly execute
  arbitrary code by sending more data than was requested, related
  to archive filenames that contain a : (colon) character.

Also see the original report:
http://www.agrs.tu-berlin.de/index.php?id=78327

>How-To-Repeat:

>Fix:

Index: contrib/cpio/lib/rtapelib.c
===================================================================
RCS file: /home/ncvs/src/contrib/cpio/lib/rtapelib.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 rtapelib.c
--- contrib/cpio/lib/rtapelib.c	1 Oct 2005 04:37:06 -0000	1.1.1.1
+++ contrib/cpio/lib/rtapelib.c	24 Mar 2010 18:55:27 -0000
@@ -570,7 +570,8 @@
 
   sprintf (command_buffer, "R%lu\n", (unsigned long) length);
   if (do_command (handle, command_buffer) == -1
-      || (status = get_status (handle)) == SAFE_READ_ERROR)
+      || (status = get_status (handle)) == SAFE_READ_ERROR
+      || status > length)
     return SAFE_READ_ERROR;
 
   for (counter = 0; counter < status; counter += rlen, buffer += rlen)
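Review bot: the new `status > length` test refuses an oversized reply before the loop below copies anything into `buffer`, but when it returns SAFE_READ_ERROR the `status` bytes the server already announced are still pending on the read side of `handle`, so the connection is left out of sync and a caller that issues another command on the same handle would read leftover payload as the next status line. Suggest treating this return as fatal for the rmt connection (close or abort the handle) rather than as an ordinary short read.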
@@ -706,6 +707,12 @@
 	    || (status = get_status (handle), status == -1))
 	  return -1;
 
+	if (status > sizeof (struct mtop))
+	  {
+	    errno = EOVERFLOW;
+	    return -1;
+	  }
+	
 	for (; status > 0; status -= counter, argument += counter)
 	  {
 	    counter = safe_read (READ_SIDE (handle), argument, status);
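Review bot: `status > sizeof (struct mtop)` compares `status`, which is signed (it is tested against -1 two lines above), with a size_t, so -Wsign-compare fires and any negative value other than -1 is promoted to a huge unsigned and rejected; that is the safe direction but reads as accidental. Suggest `status < 0 || (size_t) status > sizeof (struct mtop)` to make the intent explicit. The added blank line also carries a trailing tab.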
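A compact model of the read path the patch above bounds, added here as an example and not code from cpio's rtapelib.c: the client parses the rmt success reply, `A<count>\n` followed by the payload, and refuses a count larger than the length it asked for before copying a single byte into the caller's buffer. This is the same check the rmt_read__ hunk adds, and with `sizeof (struct mtop)` as the limit it is the check the ioctl hunk adds. The function names, the `RMT_READ_ERROR` sentinel, and the sample replies are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel in the spirit of SAFE_READ_ERROR (constructed for this example;
 * the real one is (size_t)-1). A long lets parse failures share one code. */
#define RMT_READ_ERROR (-1L)

/* Parse an rmt success reply "A<decimal>\n". On success returns the count
 * and stores the header length in *consumed; any malformed reply (wrong
 * lead byte, no newline, sign, non-digits, overflow) yields RMT_READ_ERROR. */
static long rmt_parse_status(const char *reply, size_t reply_len, size_t *consumed)
{
    const char *nl;
    char numbuf[20];
    char *end;
    size_t digits, i;
    long value;

    if (reply_len < 3 || reply[0] != 'A')
        return RMT_READ_ERROR;
    nl = memchr(reply, '\n', reply_len);
    if (nl == NULL)
        return RMT_READ_ERROR;
    digits = (size_t)(nl - reply) - 1;
    if (digits == 0 || digits >= sizeof numbuf)
        return RMT_READ_ERROR;
    for (i = 0; i < digits; i++)               /* digits only: no sign, no spaces */
        if (!isdigit((unsigned char) reply[1 + i]))
            return RMT_READ_ERROR;
    memcpy(numbuf, reply + 1, digits);
    numbuf[digits] = '\0';
    errno = 0;
    value = strtol(numbuf, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return RMT_READ_ERROR;
    *consumed = digits + 2;                     /* 'A', the digits, '\n' */
    return value;
}

/* Model of rmt_read__ after the fix. `length` is both what was requested
 * and what `buffer` can hold; a count above it is refused before any
 * payload is copied. Returns the bytes stored or RMT_READ_ERROR. */
long rmt_read_checked(const char *reply, size_t reply_len,
                      char *buffer, size_t length)
{
    size_t hdr = 0;
    long status = rmt_parse_status(reply, reply_len, &hdr);

    if (status == RMT_READ_ERROR)
        return RMT_READ_ERROR;
    if ((unsigned long) status > length) {      /* the bound the patch adds */
        errno = EOVERFLOW;
        return RMT_READ_ERROR;
    }
    if (reply_len - hdr < (size_t) status)      /* truncated payload */
        return RMT_READ_ERROR;
    memcpy(buffer, reply + hdr, (size_t) status);
    return status;
}

/* Constructed replies for a request of 8 bytes. */
long demo_honest_reply(void)
{
    char buf[8];
    static const char reply[] = "A5\nhello";    /* server sends exactly 5 bytes */
    return rmt_read_checked(reply, sizeof reply - 1, buf, sizeof buf);
}

long demo_oversized_reply(void)
{
    char buf[8];
    char reply[4 + 64];
    memcpy(reply, "A64\n", 4);                  /* server claims 64 bytes ... */
    memset(reply + 4, 'X', 64);                 /* ... for an 8-byte request */
    return rmt_read_checked(reply, sizeof reply, buf, sizeof buf);
}

long demo_malformed_reply(void)
{
    char buf[8];
    static const char reply[] = "A-3\n";        /* negative count is rejected */
    return rmt_read_checked(reply, sizeof reply - 1, buf, sizeof buf);
}

int main(void)
{
    printf("honest: %ld, oversized: %ld, malformed: %ld\n",
           demo_honest_reply(), demo_oversized_reply(), demo_malformed_reply());
    return 0;
}
```

The point the unpatched code misses is that the count is attacker-controlled input from the network and must be validated against the caller's own bound before it drives any copy; parsing the status strictly (digits only, no sign) closes the related trap of a negative count silently converting to a huge unsigned length.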
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Wed Mar 24 19:23:25 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145010 
State-Changed-From-To: open->closed 
State-Changed-By: delphij 
State-Changed-When: Thu Mar 25 20:07:49 UTC 2010 
State-Changed-Why:  
A minimized patch applied against -HEAD and {6,7,8}-STABLE 
branches.  Thanks for your submission! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145010 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: gnu/145010: commit references a PR
Date: Thu, 25 Mar 2010 20:03:06 +0000 (UTC)

 Author: delphij
 Date: Thu Mar 25 20:02:54 2010
 New Revision: 205654
 URL: http://svn.freebsd.org/changeset/base/205654
 
 Log:
   The rmt client in GNU cpio could have a heap overflow when a malicious
   remote tape service returns deliberately crafted packets containing
   more data than requested.
   
   Fix this by checking the returned amount of data and bail out when it
   is more than what we requested.
   
   PR:		gnu/145010
   Submitted by:	naddy
   Reviewed by:	imp
   MFC after:	immediately
   Security:	CVE-2010-0624
 
 Modified:
   head/contrib/cpio/lib/rtapelib.c
 
 Modified: head/contrib/cpio/lib/rtapelib.c
 ==============================================================================
 --- head/contrib/cpio/lib/rtapelib.c	Thu Mar 25 17:51:05 2010	(r205653)
 +++ head/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:02:54 2010	(r205654)
 @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
  
    sprintf (command_buffer, "R%lu\n", (unsigned long) length);
    if (do_command (handle, command_buffer) == -1
 -      || (status = get_status (handle)) == SAFE_READ_ERROR)
 +      || (status = get_status (handle)) == SAFE_READ_ERROR
 +      || status > length)
      return SAFE_READ_ERROR;
  
    for (counter = 0; counter < status; counter += rlen, buffer += rlen)
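Review bot: this revision carries only the rmt_read__ bound; the second hunk of the submitted patch, the `sizeof (struct mtop)` check on the ioctl reply, is not included, which matches the "minimized patch" wording in the audit trail but is not mentioned in the log message. Suggest stating in the log which part of the submission was deliberately left out, so MFC and downstream readers do not assume the ioctl path was covered by this change.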
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: gnu/145010: commit references a PR
Date: Thu, 25 Mar 2010 20:07:44 +0000 (UTC)

 Author: delphij
 Date: Thu Mar 25 20:07:30 2010
 New Revision: 205655
 URL: http://svn.freebsd.org/changeset/base/205655
 
 Log:
   MFC r205654:
   
   The rmt client in GNU cpio could have a heap overflow when a malicious
   remote tape service returns deliberately crafted packets containing
   more data than requested.
   
   Fix this by checking the returned amount of data and bail out when it
   is more than what we requested.
   
   PR:		gnu/145010
   Submitted by:	naddy
   Reviewed by:	imp
   Security:	CVE-2010-0624
 
 Modified:
   stable/8/contrib/cpio/lib/rtapelib.c
 Directory Properties:
   stable/8/contrib/cpio/   (props changed)
 
 Changes in other areas also in this revision:
 Modified:
   stable/6/contrib/cpio/lib/rtapelib.c
   stable/7/contrib/cpio/lib/rtapelib.c
 Directory Properties:
   stable/6/contrib/cpio/   (props changed)
   stable/7/contrib/cpio/   (props changed)
 
 Modified: stable/8/contrib/cpio/lib/rtapelib.c
 ==============================================================================
 --- stable/8/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:02:54 2010	(r205654)
 +++ stable/8/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:07:30 2010	(r205655)
 @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
  
    sprintf (command_buffer, "R%lu\n", (unsigned long) length);
    if (do_command (handle, command_buffer) == -1
 -      || (status = get_status (handle)) == SAFE_READ_ERROR)
 +      || (status = get_status (handle)) == SAFE_READ_ERROR
 +      || status > length)
      return SAFE_READ_ERROR;
  
    for (counter = 0; counter < status; counter += rlen, buffer += rlen)
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: gnu/145010: commit references a PR
Date: Thu, 25 Mar 2010 20:08:04 +0000 (UTC)

 Author: delphij
 Date: Thu Mar 25 20:07:30 2010
 New Revision: 205655
 URL: http://svn.freebsd.org/changeset/base/205655
 
 Log:
   MFC r205654:
   
   The rmt client in GNU cpio could have a heap overflow when a malicious
   remote tape service returns deliberately crafted packets containing
   more data than requested.
   
   Fix this by checking the returned amount of data and bail out when it
   is more than what we requested.
   
   PR:		gnu/145010
   Submitted by:	naddy
   Reviewed by:	imp
   Security:	CVE-2010-0624
 
 Modified:
   stable/7/contrib/cpio/lib/rtapelib.c
 Directory Properties:
   stable/7/contrib/cpio/   (props changed)
 
 Changes in other areas also in this revision:
 Modified:
   stable/6/contrib/cpio/lib/rtapelib.c
   stable/8/contrib/cpio/lib/rtapelib.c
 Directory Properties:
   stable/6/contrib/cpio/   (props changed)
   stable/8/contrib/cpio/   (props changed)
 
 Modified: stable/7/contrib/cpio/lib/rtapelib.c
 ==============================================================================
 --- stable/7/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:02:54 2010	(r205654)
 +++ stable/7/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:07:30 2010	(r205655)
 @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
  
    sprintf (command_buffer, "R%lu\n", (unsigned long) length);
    if (do_command (handle, command_buffer) == -1
 -      || (status = get_status (handle)) == SAFE_READ_ERROR)
 +      || (status = get_status (handle)) == SAFE_READ_ERROR
 +      || status > length)
      return SAFE_READ_ERROR;
  
    for (counter = 0; counter < status; counter += rlen, buffer += rlen)
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: gnu/145010: commit references a PR
Date: Thu, 25 Mar 2010 20:08:14 +0000 (UTC)

 Author: delphij
 Date: Thu Mar 25 20:07:30 2010
 New Revision: 205655
 URL: http://svn.freebsd.org/changeset/base/205655
 
 Log:
   MFC r205654:
   
   The rmt client in GNU cpio could have a heap overflow when a malicious
   remote tape service returns deliberately crafted packets containing
   more data than requested.
   
   Fix this by checking the returned amount of data and bail out when it
   is more than what we requested.
   
   PR:		gnu/145010
   Submitted by:	naddy
   Reviewed by:	imp
   Security:	CVE-2010-0624
 
 Modified:
   stable/6/contrib/cpio/lib/rtapelib.c
 Directory Properties:
   stable/6/contrib/cpio/   (props changed)
 
 Changes in other areas also in this revision:
 Modified:
   stable/7/contrib/cpio/lib/rtapelib.c
   stable/8/contrib/cpio/lib/rtapelib.c
 Directory Properties:
   stable/7/contrib/cpio/   (props changed)
   stable/8/contrib/cpio/   (props changed)
 
 Modified: stable/6/contrib/cpio/lib/rtapelib.c
 ==============================================================================
 --- stable/6/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:02:54 2010	(r205654)
 +++ stable/6/contrib/cpio/lib/rtapelib.c	Thu Mar 25 20:07:30 2010	(r205655)
 @@ -570,7 +570,8 @@ rmt_read__ (int handle, char *buffer, si
  
    sprintf (command_buffer, "R%lu\n", (unsigned long) length);
    if (do_command (handle, command_buffer) == -1
 -      || (status = get_status (handle)) == SAFE_READ_ERROR)
 +      || (status = get_status (handle)) == SAFE_READ_ERROR
 +      || status > length)
      return SAFE_READ_ERROR;
  
    for (counter = 0; counter < status; counter += rlen, buffer += rlen)
 
>Unformatted:
