Description:
xar is an easily extensible archive format.
The complete ASan output of the issue:
# xar -t -f $FILE
==7615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f71a859ebd6 bp 0x7fffd8ace150 sp 0x7fffd8acde80 T0)
==7615==The signal is caused by a WRITE memory access.
==7615==Hint: address points to the zero page.
#0 0x7f71a859ebd5 in xar_unserialize /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/lib/archive.c:1767:27
#1 0x7f71a859ebd5 in xar_open /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/lib/archive.c:340
#2 0x5139ee in list /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/src/xar.c:1492:6
#3 0x5139ee in main /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/src/xar.c:2666
#4 0x7f71a76a2680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#5 0x41af38 in _init (/usr/bin/xar+0x41af38)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/app-arch/xar-1.6.1-r1/work/xar-1.6.1/lib/archive.c:1767:27 in xar_unserialize
==7615==ABORTING
Affected version:
1.6.1
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-11124
Reproducer:
https://github.com/asarubbo/poc/blob/master/00288-xar-nullptr-xar_unserialize
Timeline:
2017-06-17: bug discovered and reported to upstream
2017-06-28: blog post about the issue
2017-07-10: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Permalink:
xar: NULL pointer dereference in xar_unserialize (archive.c)
Pingback: CVE-2017-11124 – 安百科技