|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77586 phar_tar_writeheaders_int() buffer overflow
Submitted: 2019-02-08 11:16 UTC Modified: 2019-03-04 07:34 UTC
From: jordy at simplyhacker dot com Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.26 OS: Any
Private report: No CVE-ID: None
 [2019-02-08 11:16 UTC] jordy at simplyhacker dot com
A bufferoverflow has been found in the phar_tar_writeheaders_int() function.

As you can see on the following page.

it does a strncpy to header->linkname from entry->link with the size of entry->link.

As you can see in , header->linkname is a char of the size 100. Once entry->link contains a value that's bigger than 100 it will overflow the _tar_header structure.

This can be fixed by setting the size argument of strncpy to sizeof(header->linkname) for example:

strncpy(header.linkname, entry->link, strlen(header->linkname);

Kind Regards,

Jordy Zomer

Test script:
None yet.

Expected result:

Actual result:


issue-77586-buff-overflow (last revision 2019-02-13 05:17 UTC by
issue-77586-buff-overflow.patch (last revision 2019-02-11 21:16 UTC by
phar_tar_writeheaders.patch (last revision 2019-02-08 11:16 UTC by jordy at simplyhacker dot com)

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-02-10 02:00 UTC]
-Assigned To: +Assigned To: bishop
 [2019-02-11 18:16 UTC]
-Package: *Compression related +Package: PHAR related
 [2019-02-11 20:23 UTC]
-Status: Assigned +Status: Analyzed
 [2019-02-11 20:45 UTC]
Phar traverses the if (entry->link) condition only when the entry is a symlink. Bug 65332, however, prevents that from occurring.
 [2019-02-11 21:12 UTC]
-Status: Analyzed +Status: Verified
 [2019-02-11 21:16 UTC]
The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow.patch
Revision:   1549919797
 [2019-02-11 21:20 UTC]
Unified diff against PHP-7.1 attached.
 [2019-02-12 14:59 UTC]
Classifying as LOW severity, because of aforementioned bug 65332, under the criterion:

> This issue allows theoretical compromise of security, but practical attack is usually impossible...
 [2019-02-12 15:01 UTC]
-Status: Verified +Status: Feedback
 [2019-02-12 15:01 UTC]
OP, please review patch and provide any additional comments before final merge.
 [2019-02-13 05:17 UTC]
The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow
Revision:   1550035076
 [2019-02-13 08:16 UTC] jordy at simplyhacker dot com
-Status: Feedback +Status: Assigned
 [2019-02-13 08:16 UTC] jordy at simplyhacker dot com
Hey Bishop,

It looks like I don't have access to the patch.

Can you give me access or comment it?

Kind Regards,

 [2019-02-13 17:30 UTC]
Bishop, you can provide the patch as *secret* gist[1] which is
quite customary for security patches.

[1] <>
 [2019-02-13 18:22 UTC]
-Status: Assigned +Status: Feedback
 [2019-02-13 18:22 UTC]
Ack, @cmb. I had already emailed the patch to the OP, but will use a different approach for future sec bug.
 [2019-02-24 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2019-03-04 06:31 UTC]
-Status: No Feedback +Status: Open
 [2019-03-04 07:34 UTC]
-PHP Version: master-Git-2019-02-08 (Git) +PHP Version: 7.1.26
 [2019-03-04 07:35 UTC]
Automatic comment on behalf of stas
Log: Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow
 [2019-03-04 07:35 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Feb 26 21:01:31 2024 UTC