[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HFS+ specific vulnerability

Ben Hutchings <ben@decadent.org.uk> writes:

> [ Unknown signature status ]
> On Thu, 2016-06-02 at 17:39 +1000, Brian May wrote:
>> Hello,
>> Do we care about vulerabilities that are specific to HFS+?
>> http://www.talosintel.com/reports/TALOS-2016-0093/
>> CVE-2016-2334
> If a program automatically detects file formats then every supported
> file format is part of its attack surface.  I don't think we can rule
> out certain formats as too obscure.  (See for example the recent
> attacks on ImageMagick/GraphicsMagick using a format that most people
> never heard of before.  The fix there was to disable support for that
> format by default.)

... except we are not talking about file formats here, but different
file systems.

e.g. the HFS+ looks like it is specific to stuff that is stored in the
resource fork on HFS+.

The guess the big question is if a specially crafted file can cause a
crash on a system without HFS+ resource forks. I am not sure if it is
possible to access HFS+ resource forks using the Linux filesystem driver
or not, and if it is whether pk7zip supports this.

>From the detailed description it says "During extraction from HFS+ image
having compressed files with “com.apple.decmpfs” attribute and data
stored in resource fork we land in above code."

At a guess if you don't have the HFS+ resource fork to extract into then
the problem code will never get called.

Suspect UDF might be similar, if you don't have a UDF filesystem the
vulnerable code will not get called.

Will continue to check the code to make sure.
Brian May <bam@debian.org>

Reply to: