[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-08 Thread Launchpad Bug Tracker
This bug was fixed in the package tar - 1.34+dfsg-1.2ubuntu2
---
tar (1.34+dfsg-1.2ubuntu2) noble; urgency=medium
  * SECURITY UPDATE: stack overflow via crafted xattr (LP: #2029464)
    - debian/patches/CVE-2023-39804.patch: allocate xattr keys and values on the heap rather tha

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
Actually I just got it working - no need to send PoC @kerneldude - I made my own. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to tar in Ubuntu. https://bugs.launchpad.net/bugs/2029464 Title: A stack overflow in GNU Tar St

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-05 Thread Alex Murray
So I managed to create a tar file with an extended attribute name of length ~ 36 bytes (the largest I can do without exceeding the existing check on maximum extended header lengths, it seems) but this is not able to trigger the vuln - so if you are able to share your PoC that would be gr

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-12-04 Thread Alex Murray
@kerneldude - any chance you could share your PoC (perhaps email it to secur...@ubuntu.com rather than post it publicly here)? I have tried creating one via the following but I hit the CLI args limit before I can get an xattr key long enough:
touch bar
tar --pax-option SCHILY.xattr.user.$(python3

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-30 Thread Alex Murray
Excellent - thanks for letting us know. So since a CVE has already been assigned then we won't assign an additional one. I'll add the details to our CVE tracker.

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-30 Thread kerneldude
Yes, they reserved one, but with no details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39804 Feel free to assign a different one with information about the issue, or update the already reserved CVE number. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-39804

[Touch-packages] [Bug 2029464] Re: A stack overflow in GNU Tar

2023-11-29 Thread Alex Murray
@kerneldude - do you know if MITRE ever assigned a CVE for this? ** Information type changed from Private Security to Public Security