In association with heise online

10 November 2006, 14:10

Update closes DoS hole in FreeBSD


FreeBSD's developers have released an update for FreeBSD 6-STABLE, RELENG_6 and 6.2 RC1 to remove a DoS vulnerability in the libarchive library. Libarchive is used by tar and cpio, among others, to read and write archive streams. A flaw in how the library skips over a region at the end of a file can send libarchive into an infinite loop, which then consumes all of the system's CPU time until the machine no longer responds.

The FreeBSD advisory reports that this can occur both when extracting a rigged archive (tar -x) and when merely listing its contents (tar -t). Other applications that use the library are affected as well. As a rule, FreeBSD's developers do not issue updates for local DoS vulnerabilities. Asked by heise Security, Colin Percival of the FreeBSD security team explained that this case counts as a remote DoS hole, since users routinely download archives from untrusted sites. Earlier flaws in gzip behaved in a similar manner.
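The failure mode described above, modelled as an added example that is neither libarchive's code nor the FreeBSD fix: a constructed stream reader (`struct reader`, `read_some`, `skip_bytes` are all hypothetical names) in which skipping a region that runs past the end of the file must treat a zero-byte read as truncation rather than retrying forever.

```c
#include <stddef.h>

/* Constructed model of an archive reader: a byte source of fixed length
 * that hands out at most CHUNK bytes per call, as a stream would. */
#define CHUNK 4

struct reader {
    const unsigned char *data;  /* entire archive (constructed sample) */
    size_t len;                 /* total bytes available */
    size_t off;                 /* current read offset */
};

/* Consume up to `want` bytes from the source; returns 0 at end of file
 * and keeps returning 0 on every later call, exactly like a real EOF. */
static size_t read_some(struct reader *r, size_t want) {
    size_t avail = r->len - r->off;
    size_t n = want < CHUNK ? want : CHUNK;
    if (n > avail)
        n = avail;
    r->off += n;
    return n;
}

enum skip_status { SKIP_OK = 0, SKIP_TRUNCATED = -1 };

/* Skip `count` bytes of a region (padding, an entry body) by reading and
 * discarding them. The n == 0 guard is the whole point: when the region
 * extends past the end of the file the source returns 0 on every call,
 * and a loop that only tests `remaining > 0` would spin at 100% CPU. */
int skip_bytes(struct reader *r, size_t count) {
    size_t remaining = count;
    while (remaining > 0) {
        size_t n = read_some(r, remaining);
        if (n == 0)
            return SKIP_TRUNCATED; /* EOF before the region ended: report it */
        remaining -= n;
    }
    return SKIP_OK;
}
```

A truncated or deliberately short archive therefore yields an error from `skip_bytes` instead of a hung process, which is the property a regression test for this class of bug should assert.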
