Is there an existing issue for this?
Midnight Commander version and build configuration
4.8.33 (commit f03e97f25, and likely all prior versions)
Operating system
Is this issue reproducible using the latest version of Midnight Commander?
How to reproduce
-
Create a crafted cpio archive with a symlink entry where c_filesize is set to
a large value (e.g., 0xFFFFFFFF in new ASCII format or 77777777777 in old ASCII
format).
-
Victim opens the archive in Midnight Commander — e.g., navigates to the file in
mc and presses Enter to browse the archive.
-
MC's VFS layer calls cpio_open_archive() → cpio_read_head() →
cpio_create_entry(), which reaches the vulnerable allocation at line 521.
No further user interaction is required — the crash occurs during initial archive
parsing.
Expected behavior
When mc opens crafted.cpio:
cpio_read_head() parses the header and stores filesize = 0xFFFFFFFF into
st->st_sizecpio_create_entry() reaches line 521: g_malloc(0xFFFFFFFF + 1)- GLib attempts a 4 GB allocation — on systems without sufficient virtual memory
or with strict limits, GLib's allocator calls g_error() and aborts
- mc terminates immediately — before any content is displayed
Actual behavior
mc crashes when opening a crafted cpio archive.
The crash occurs during initial archive parsing before any user interaction.
Additional context
A missing input validation vulnerability exists in the cpio VFS handler's
cpio_create_entry() function. When a malformed cpio archive contains a symlink entry
with a large c_filesize field, the value is passed directly to g_malloc() and
mc_read() without any bounds checking or sanity validation.
On 64-bit Linux, the attacker-controlled filesize value flows into
g_malloc(st->st_size + 1), causing mc to attempt to allocate up to 4–8 GB of
memory. GLib's allocator calls g_error() and aborts when the allocation cannot be
satisfied, crashing mc. The mc_read() call then attempts to read up to 4 GB of
data from the archive file descriptor into the allocation.
No user interaction beyond opening the archive is required. The vulnerability fires
during initial archive parsing before any user action within mc.
Is there an existing issue for this?
Midnight Commander version and build configuration
Operating system
Is this issue reproducible using the latest version of Midnight Commander?
How to reproduce
Create a crafted cpio archive with a symlink entry where
c_filesizeis set toa large value (e.g.,
0xFFFFFFFFin new ASCII format or77777777777in old ASCIIformat).
Victim opens the archive in Midnight Commander — e.g., navigates to the file in
mc and presses Enter to browse the archive.
MC's VFS layer calls
cpio_open_archive()→cpio_read_head()→cpio_create_entry(), which reaches the vulnerable allocation at line 521.No further user interaction is required — the crash occurs during initial archive
parsing.
Expected behavior
When mc opens
crafted.cpio:cpio_read_head()parses the header and storesfilesize = 0xFFFFFFFFintost->st_sizecpio_create_entry()reaches line 521:g_malloc(0xFFFFFFFF + 1)or with strict limits, GLib's allocator calls
g_error()and abortsActual behavior
mc crashes when opening a crafted cpio archive.
The crash occurs during initial archive parsing before any user interaction.
Additional context
A missing input validation vulnerability exists in the cpio VFS handler's
cpio_create_entry()function. When a malformed cpio archive contains a symlink entrywith a large
c_filesizefield, the value is passed directly tog_malloc()andmc_read()without any bounds checking or sanity validation.On 64-bit Linux, the attacker-controlled
filesizevalue flows intog_malloc(st->st_size + 1), causing mc to attempt to allocate up to 4–8 GB ofmemory. GLib's allocator calls
g_error()and aborts when the allocation cannot besatisfied, crashing mc. The
mc_read()call then attempts to read up to 4 GB ofdata from the archive file descriptor into the allocation.
No user interaction beyond opening the archive is required. The vulnerability fires
during initial archive parsing before any user action within mc.