Bug 207362 - Crafted gzip archive causes tar(1) to exhaust all your memory
Summary: Crafted gzip archive causes tar(1) to exhaust all your memory
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: misc (show other bugs)
Version: 10.2-RELEASE
Hardware: Any Any
: --- Affects Some People
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-19 21:50 UTC by Robert Clausecker
Modified: 2017-12-17 07:09 UTC (History)
5 users (show)

See Also:


Attachments
gzip quine, unpacks to itself (250 bytes, application/gzip)
2016-02-19 21:50 UTC, Robert Clausecker
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Clausecker 2016-02-19 21:50:51 UTC
Created attachment 167205 [details]
gzip quine, unpacks to itself

The FreeBSD tar(1) program uses a heuristic to check if an archive file is compressed. If it is, it calls into an appropriate library to receive a decompressed stream. Then it applies the heuristic again to catch the case of an archive that has been compressed multiple times. There is no limit to the number of recursive decompressions.

Using a crafted gzip file (the attached file is a quine that unpacks to itself), one can get tar(1) to invoke an infinite chain of gzip compressors until all the memory on the machine running tar(1) has been exhausted or another resource limit kicks in.

I see this behaviour as a bug and security problem. It can be used to perform denial-of-service attacks against machines that run FreeBSD and use tar(1) to list the contents of untrusted archives.
Comment 1 Jason Unovitch freebsd_committer 2016-02-21 14:19:44 UTC
Can you report this to the libarchive upstream as well?
https://github.com/libarchive/libarchive
Comment 2 Robert Clausecker 2016-02-21 16:19:53 UTC
Issue #660 has been reported against the libarchive.

    https://github.com/libarchive/libarchive/issues/660
Comment 3 Robert Clausecker 2016-02-21 16:41:28 UTC
This has been fixed upstream:

    https://github.com/libarchive/libarchive/commit/6e06b1c89dd0d16f74894eac4cfc1327a06ee4a0
Comment 4 Jason Unovitch freebsd_committer 2016-02-21 16:46:24 UTC
Actually I am going to reopen.  The last libarchive release was in 2013 (https://github.com/libarchive/libarchive/releases) so we will have to pull fixes like this in.  It can probably be combined with the security fixes for libarchive in bug 206386.
Comment 5 commit-hook freebsd_committer 2016-02-23 07:14:16 UTC
A commit references this bug:

Author: delphij
Date: Tue Feb 23 07:13:22 UTC 2016
New revision: 295914
URL: https://svnweb.freebsd.org/changeset/base/295914

Log:
  MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).  This fixes a
  potential crash issue discovered by Alexander Cherepanov.

  PR:		207362
  Reported by:	Robert Clausecker
  Obtained from:	libarchive github project

Changes:
_U  head/contrib/libarchive/
_U  head/contrib/libarchive/libarchive/
  head/contrib/libarchive/libarchive/archive_read.c
Comment 6 commit-hook freebsd_committer 2016-02-23 08:13:22 UTC
A commit references this bug:

Author: delphij
Date: Tue Feb 23 08:12:39 UTC 2016
New revision: 295915
URL: https://svnweb.freebsd.org/changeset/base/295915

Log:
  Instant-MFC r295914: MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).  This fixes a
  potential crash issue discovered by Alexander Cherepanov.

  PR:		207362
  Reported by:	Robert Clausecker
  Obtained from:	libarchive github project
  Approved by:	so

Changes:
_U  stable/9/contrib/libarchive/
_U  stable/9/contrib/libarchive/libarchive/
  stable/9/contrib/libarchive/libarchive/archive_read.c
Comment 7 commit-hook freebsd_committer 2016-02-24 05:40:18 UTC
A commit references this bug:

Author: delphij
Date: Wed Feb 24 05:40:04 UTC 2016
New revision: 295961
URL: https://svnweb.freebsd.org/changeset/base/295961

Log:
  MFC r295914: MFV r295913:

  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).  This fixes a
  potential crash issue discovered by Alexander Cherepanov.

  PR:		207362
  Reported by:	Robert Clausecker
  Obtained from:	libarchive github project
  Approved by:	re (marius)

Changes:
_U  stable/10/
  stable/10/contrib/libarchive/libarchive/archive_read.c
Comment 8 Mark Linimon freebsd_committer freebsd_triage 2016-04-04 07:39:58 UTC
Already committed by delphij.
Comment 9 vali gholami 2017-12-17 07:05:32 UTC
MARKED AS SPAM
Comment 10 vali gholami 2017-12-17 07:09:51 UTC
MARKED AS SPAM