Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-3810: SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810) (dceb1e49) · Commits · APT Developers / apt

Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.

CVE
#debian#dos#c++#rce#amd#auth

Commit dceb1e49 authored May 12, 2020 by Julian Andres Klode's avatar

Browse files

SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810)

When normalizing ar member names by removing trailing whitespace and slashes, an out-out-bound read can be caused if the ar member name consists only of such characters, because the code did not stop at 0, but would wrap around and continue reading from the stack, without any limit.

Add a check to abort if we reached the first character in the name, effectively rejecting the use of names consisting just of slashes and spaces.

Furthermore, certain error cases in arfile.cc and extracttar.cc have included member names in the output that were not checked at all and might hence not be nul terminated, leading to further out of bound reads.

Fixes Debian/apt#111 LP: #1878177

  • Changes 3

@@ -92,7 +92,7 @@ bool ARArchive::LoadHeaders()

StrToNum(Head.Size,Memb->Size,sizeof(Head.Size)) == false)

{

delete Memb;

return _error->Error(_(“Invalid archive member header %s”), Head.Name);

return _error->Error(_(“Invalid archive member header”));

}

// Check for an extra long name string

@@ -119,7 +119,14 @@ bool ARArchive::LoadHeaders()

else

{

unsigned int I = sizeof(Head.Name) - 1;

for (; Head.Name[I] == ' ' || Head.Name[I] == '/’; I–);

for (; Head.Name[I] == ' ' || Head.Name[I] == '/’; I–)

{

if (I == 0)

{

delete Memb;

return _error->Error(_(“Invalid archive member header”));

}

}

Memb->Name = std::string(Head.Name,I+1);

}

@@ -254,7 +254,7 @@ bool ExtractTar::Go(pkgDirStream &Stream)

default:

BadRecord = true;

_error->Warning(_(“Unknown TAR header type %u, member %s”),(unsigned)Tar->LinkFlag,Tar->Name);

_error->Warning(_(“Unknown TAR header type %u”), (unsigned)Tar->LinkFlag);

break;

}

#!/bin/sh

set -e

TESTDIR="$(readlink -f "$(dirname “$0”)")"

. “$TESTDIR/framework”

setupenvironment

configarchitecture “amd64”

setupaptarchive

# this used to crash, but it should treat it as an invalid member header

touch ' '

ar -q test.deb ' '

testsuccessequal “E: Invalid archive member header” ${BUILDDIRECTORY}/…/test/interactive-helper/testdeb test.deb

rm test.deb

touch ‘x’

ar -q test.deb ‘x’

testsuccessequal “E: This is not a valid DEB archive, missing ‘debian-binary’ member” ${BUILDDIRECTORY}/…/test/interactive-helper/testdeb test.deb

# <name><size> [ other fields] - name is not nul terminated here, it ends in .

msgmsg “Unterminated ar member name”

printf ‘!<arch>\0120123456789ABCDE.A123456789A.01234.01234.0123456.012345678.0.’ > test.deb

testsuccessequal “E: Invalid archive member header” ${BUILDDIRECTORY}/…/test/interactive-helper/testdeb test.deb

# unused source code for generating $tar below

maketar() {

cat > maketar.c << EOF

#include <stdio.h>

#include <string.h>

struct tar {

char Name[100];

char Mode[8];

char UserID[8];

char GroupID[8];

char Size[12];

char MTime[12];

char Checksum[8];

char LinkFlag;

char LinkName[100];

char MagicNumber[8];

char UserName[32];

char GroupName[32];

char Major[8];

char Minor[8];

};

int main(void)

{

union {

struct tar t;

char buf[512];

} t;

for (int i = 0; i < sizeof(t.buf); i++)

t.buf[i] = '7’;

memcpy(t.t.Name, "unterminatedName", 16);

memcpy(t.t.UserName, "userName", 8);

memcpy(t.t.GroupName, "thisIsAGroupNamethisIsAGroupName", 32);

t.t.LinkFlag = 'X’; // I AM BROKEN

memcpy(t.t.Size, "000000000000", sizeof(t.t.Size));

memset(t.t.Checksum,’ ',sizeof(t.t.Checksum));

unsigned long sum = 0;

for (int i = 0; i < sizeof(t.buf); i++)

sum += t.buf[i];

int written = sprintf(t.t.Checksum, "%lo", sum);

for (int i = written; i < sizeof(t.t.Checksum); i++)

t.t.Checksum[i] = ' ';

fwrite(t.buf, sizeof(t.buf), 1, stdout);

}

EOF

gcc maketar.c -o maketar -Wall

./maketar

}

tar="unterminatedName77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777700000000000077777777777773544 X777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777userName777777777777777777777777thisIsAGroupNamethisIsAGroupName777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777"

printf ‘%s’ “$tar” | gzip > control.tar.gz

cp control.tar.gz data.tar.gz

touch debian-binary

rm test.deb

ar -q test.deb debian-binary control.tar.gz data.tar.gz

testsuccessequal “W: Unknown TAR header type 88” ${BUILDDIRECTORY}/…/test/interactive-helper/testdeb test.deb

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907