oss-sec mailing list archives
Re: Pointer misuse unziping files with busybox
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Fri, 30 Oct 2015 09:38:47 -0300
2015-10-29 3:04 GMT-03:00 <cve-assign () mitre org>:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44eUnziping a specially crafted zip file results in a computation of aninvalidpointer and a crash reading an invalid address.Could you please comment directly about the likelihood of exploitability for code execution?
To be honest, i don't know. The patched code looks quite complex and i cannot discard any potential arbitrary write there.
See the http://www.openwall.com/lists/oss-security/2015/10/11/5 post. We currently feel that a CVE assignment for a non-exploitable unzip crash on BusyBox may be unlikely, because BusyBox wouldn't realistically be used for deployment of a program that remains running to offer an unzipping service to multiple clients.
I felt this issue was interesting to post here give the large amount of embedded devices using busybox so i decided to post it here looking for some feedback. Maybe some of them are using it to unzip files provided from users? In any case, i can update later this thread if i got more precise information about the exploitability of this issue.
- -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWMbYWAAoJEL54rhJi8gl5KOIP/0glPnY2FhWwCDTKcVfjzfGX C0qdsZ7U75V9+ECFvd3VvsogMs/WFt+UaP+wGCkB2VM9WHXlH5k0tMlqQZxIb/fY Nixc54gGFxz3DI6Gm22mQNS2nz1nnjLHvdAfPsKorzb30h/UEOT2msdsBpo/ya8W Z9ELQ8nPmxgjeXw2jQ1lzi8Ng36GhZMUShqKq6RIJRcFDTrtLyeIipux7pKXABEg GKezwuTlQq0ek/ausiaD2I97GsrjobWm590cdVhrUcuhcSajgCgtyYLWVfCqUAhM dvHORPcD0StGedSWqRqVQULMlDdEWyay+icTibAFnuxw/IJan1o3KRNXwG3dPIjW AZs5iJdRZpCq3zaEu6gFRjz1TthBkkFWlOmjxMInHJgqZKVLZ/gsE6S2/V/EqFpX gEpmm68yjGAYWzAUwArVM9am1sz1Pso8XOrLbExC9kkc2UxDNpK4ANMxcFehGeKc /mjodcq7lYoZdtKRasPCGhSJyg4Pd1+fJvSpvcJCQR+TZtucnUeF68VdN+Co8po6 YM9bV9MtzORnAJF3vZWfkjvWanLhL3UdSuh7iY6sg6m+Ui0FscCFCcHccgwSM62k 59/04Qw1Z9xav6hq3Dd9KR6EoCpJwiZkfBqLG9+Qejcj8q+fp1Vgqea3iJJNpPqA Hwp1wqHbGbeg1vJhOBFk =VGYW -----END PGP SIGNATURE-----
Current thread:
- Pointer misuse unziping files with busybox Gustavo Grieco (Oct 25)
- Re: Pointer misuse unziping files with busybox Gustavo Grieco (Oct 26)
- Re: Pointer misuse unziping files with busybox cve-assign (Oct 28)
- Re: Pointer misuse unziping files with busybox Gustavo Grieco (Oct 30)
- Re: Re: Pointer misuse unziping files with busybox Rich Felker (Oct 30)
- Re: Pointer misuse unziping files with busybox cve-assign (Nov 03)