author | Julian Andres Klode <julian.klode@canonical.com> | 2020-12-05 19:55:30 +0100 |
---|---|---|
committer | Julian Andres Klode <julian.klode@canonical.com> | 2020-12-09 17:30:43 +0100 |
commit | df81895bce764dd02fbb4d67b92d28a730b5281f (patch) | |
tree | 2b85bacae381c674077235d5dfde96e9cf55a1ed /test | |
parent | 0444f9dd52c2bc7bec315f6f1ecad76a30713fa0 (diff) |
CVE-2020-27350: tarfile: integer overflow: Limit tar items to 128 GiB

The integer overflow was detected by DonKult who added a check like this:

(std::numeric_limits<decltype(Itm.Size)>::max() - (2 * sizeof(Block)))

Which deals with the code as is, but also still is a fairly big limit,
and could become fragile if we change the code. Let's limit our file
sizes to 128 GiB, which should be sufficient for everyone.

Original comment by DonKult:

The code assumes that it can add sizeof(Block)-1 to the size of the item
later on, but if we are close to a 64bit overflow this is not possible.
Fixing this seems too complex compared to just ensuring there is enough
room left given that we will have a lot more problems the moment we will
be acting on files that large as if the item is that large, the (valid)
tar including it probably doesn't fit in 64bit either.
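
The overflow reasoning in the commit message above, as an added example that is not part of the commit or of apt's code: it rounds an item size up to whole blocks without a check, with the headroom check quoted in the message, and with the 128 GiB cap. The 512-byte block size, the 64-bit unsigned size type and all function and constant names are assumptions made for this illustration.

```cpp
// Added example, not apt's code. Block size and all names are assumptions.
#include <cstdint>
#include <cstdio>
#include <limits>

constexpr std::uint64_t kBlock = 512;                            // assumed sizeof(Block)
constexpr std::uint64_t kMaxItem = 128ull * 1024 * 1024 * 1024;  // 128 GiB cap from the commit subject
constexpr std::uint64_t kU64Max = std::numeric_limits<std::uint64_t>::max();

// Round an item size up to whole blocks with no check, the pattern the
// commit message describes. Wraps when size > kU64Max - (kBlock - 1).
std::uint64_t padded_unchecked(std::uint64_t size) {
    return (size + (kBlock - 1)) / kBlock * kBlock;
}

// Headroom check in the style quoted in the commit message: correct only
// as long as no later code adds more than 2 * kBlock to the size.
bool padded_headroom(std::uint64_t size, std::uint64_t &out) {
    if (size > kU64Max - 2 * kBlock)
        return false;
    out = padded_unchecked(size);
    return true;
}

// Fixed cap: rejects anything above 128 GiB, which keeps the arithmetic
// far from the wrap point whatever is added to the size afterwards.
bool padded_capped(std::uint64_t size, std::uint64_t &out) {
    if (size > kMaxItem)
        return false;
    out = padded_unchecked(size);
    return true;
}

int main() {
    std::uint64_t out = 0;
    std::printf("unchecked(max)   -> %llu\n", (unsigned long long)padded_unchecked(kU64Max));
    std::printf("headroom(max)    -> %s\n", padded_headroom(kU64Max, out) ? "accepted" : "rejected");
    std::printf("capped(128G + 1) -> %s\n", padded_capped(kMaxItem + 1, out) ? "accepted" : "rejected");
    std::printf("capped(128G)     -> %s\n", padded_capped(kMaxItem, out) ? "accepted" : "rejected");
    return 0;
}
```
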
Diffstat (limited to 'test')
-rwxr-xr-x | test/integration/test-cve-2020-27350 | 3 |
-rw-r--r-- | test/interactive-helper/createdeb-cve-2020-27350.cc | 4 |
2 files changed, 7 insertions, 0 deletions
diff --git a/test/integration/test-cve-2020-27350 b/test/integration/test-cve-2020-27350 index f4bb79bcb..a32bf95e5 100755 --- a/test/integration/test-cve-2020-27350 +++ b/test/integration/test-cve-2020-27350 @@ -20,3 +20,6 @@ testequal "E: Long name to large: 67108865 bytes > 1048576 bytes" runapt ${APTTE ${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 long-control long-control.deb testequal "E: Control file too large: 67108865 > 67108864 bytes" runapt ${APTTESTHELPERSBINDIR}/extract-control long-control.deb control + +${APTTESTHELPERSBINDIR}/createdeb-cve-2020-27350 too-long-control too-long-control.deb +testequal "E: Tar member too large: $((128 * 1024 * 1024 * 1024 + 1)) > $((128 * 1024 * 1024 * 1024)) bytes" runapt ${APTTESTHELPERSBINDIR}/extract-control too-long-control.deb control diff --git a/test/interactive-helper/createdeb-cve-2020-27350.cc b/test/interactive-helper/createdeb-cve-2020-27350.cc index af049d4e8..8b9619469 100644 --- a/test/interactive-helper/createdeb-cve-2020-27350.cc +++ b/test/interactive-helper/createdeb-cve-2020-27350.cc @@ -307,6 +307,10 @@ int main(int argc, char *argv[]) { createdeb_bigtarfilelength(fd, '0'); } + else if (strcmp(mode, "too-long-control") == 0) + { + createdeb_bigtarfilelength(fd, '0', 128llu * 1024 * 1024 * 1024 + 1); + } else if (strcmp(mode, "test") == 0) { createdeb_test(fd); |
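Review bot: The new testequal in test/integration/test-cve-2020-27350 only exercises limit + 1, so it does not pin the boundary: it would pass whether the check is written with > or >=. Consider adding a companion case with a member of exactly $((128 * 1024 * 1024 * 1024)) bytes and asserting that it is not rejected as "Tar member too large" (going by the context line above, it would presumably fail with "Control file too large" against the 67108864-byte limit instead). The 128 GiB expression is also written out twice in the expected string; a shell variable would keep both occurrences in step.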
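Review bot: In the new too-long-control branch of createdeb-cve-2020-27350.cc the limit is hard-coded as 128llu * 1024 * 1024 * 1024 + 1, duplicating the value the integration test computes in shell, so the two can drift apart if the limit ever changes. Consider a named constant, or at least a comment stating that this is the tar member limit plus one byte. The existing call just above passes only (fd, '0'), so a short comment on what the third argument to createdeb_bigtarfilelength means would also help a reader of this call site.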