microtar Stack-Based Buffer Overflow Vulnerability in TAR Header Processing

A stack-based buffer overflow vulnerability has been identified in microtar versions through 0.1.0. The issue arises in the raw_to_header() function within src/microtar.c, where strcpy() is used to copy non-null-terminated name and linkname fields from a TAR archive into a destination buffer. This flaw allows attackers to overwrite adjacent stack memory by crafting a TAR archive that exploits the lack of null termination in these fields. The vulnerability is triggered when the library processes the manipulated TAR archives using mtar_open(), mtar_find(), or mtar_read_header().

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, where the overflowed data can overwrite return addresses on the stack. This type of memory corruption commonly allows for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a TAR file that includes 100 bytes of non-null data in the linkname field, followed by 255 bytes of non-null padding. This crafted TAR file, when opened with microtar, will cause the buffer overflow by overwriting adjacent stack memory. The same effect can be achieved by using non-null data in the name field instead of the linkname field.

Remediation

Users are advised to update to the patched version of microtar, where the vulnerability has been addressed by replacing strcpy() with bounded copy operations that ensure proper null termination.