Re: username and groupname prone to overflowing

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: username and groupname prone to overflowing

From:	Paul Eggert
Subject:	Re: username and groupname prone to overflowing
Date:	Mon, 23 Dec 2024 14:33:51 -0800
User-agent:	Mozilla Thunderbird

On 2024-12-23 14:27, exploit dev wrote:

In decode_header(), assign_string_n() takes input from header.uname as
value and also as size_t.
[image: image.png]

I didn't look at the images, for what I hope are obvious securityreasons. If they contain important info please resend as text. (Ingeneral it's better to send text for this kind of email.)

If value and n are both controlled, the "l" variable is prone to
overflowing inside the xmalloc(l+1)
which will under-allocate p, and over-copy value into it.

I don't see how that can happen on any practical porting target of GNUTar. The last arg of assign_string_n is always small, so l + 1 cannotoverflow.

[Prev in Thread]

Current Thread

[Next in Thread]

username and groupname prone to overflowing, exploit dev, 2024/12/23
- Re: username and groupname prone to overflowing, exploit dev, 2024/12/23
  - Re: username and groupname prone to overflowing, Paul Eggert <=

Prev by Date: Re: username and groupname prone to overflowing
Next by Date: Re: tar extraction fails on a CIFS file system, due to a symlink
Previous by thread: Re: username and groupname prone to overflowing
Index(es):
- Date
- Thread