Re: HFS+ specific vulnerability
Ben Hutchings <ben@decadent.org.uk> writes:
> [ Unknown signature status ]
> On Thu, 2016-06-02 at 17:39 +1000, Brian May wrote:
>> Hello,
>>
>> Do we care about vulerabilities that are specific to HFS+?
>>
>> http://www.talosintel.com/reports/TALOS-2016-0093/
>> CVE-2016-2334
>
> If a program automatically detects file formats then every supported
> file format is part of its attack surface. I don't think we can rule
> out certain formats as too obscure. (See for example the recent
> attacks on ImageMagick/GraphicsMagick using a format that most people
> never heard of before. The fix there was to disable support for that
> format by default.)
... except we are not talking about file formats here, but different
file systems.
e.g. the HFS+ looks like it is specific to stuff that is stored in the
resource fork on HFS+.
The guess the big question is if a specially crafted file can cause a
crash on a system without HFS+ resource forks. I am not sure if it is
possible to access HFS+ resource forks using the Linux filesystem driver
or not, and if it is whether pk7zip supports this.
>From the detailed description it says "During extraction from HFS+ image
having compressed files with “com.apple.decmpfs” attribute and data
stored in resource fork we land in above code."
At a guess if you don't have the HFS+ resource fork to extract into then
the problem code will never get called.
Suspect UDF might be similar, if you don't have a UDF filesystem the
vulnerable code will not get called.
Will continue to check the code to make sure.
--
Brian May <bam@debian.org>
Reply to: