Debian Bug report logs - #798324
dpkg-deb: Fix off-by-one write access on versionbuf variable
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 8 Sep 2015 06:12:01 UTC
Severity: normal
Tags: patch
Found in versions dpkg/1.18.2, dpkg/1.17.25, dpkg/1.16.10, dpkg/1.16.16
Fixed in versions dpkg/1.18.3, dpkg/1.17.26, dpkg/1.16.17
Done: Guillem Jover <guillem@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#798324; Package dpkg.
(Tue, 08 Sep 2015 06:12:05 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Tue, 08 Sep 2015 06:12:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: dpkg
Version: 1.18.2
Severity: normal
Tags: patch
The following was reported by Jacek Wielemborek:
----- Begin forwarded message -----
Dear Maintainer,
I built dpkg with afl-gcc and AFL_USE_ASAN=1. Here's the base64-encoded
.deb file it generated:
And here's the crash:
root@1442a2c3a089:~/fuzz/dpkg/o/crashes# dpkg --info
id\:000000\,sig\:06\,src\:000000\,op\:flip1\,pos\:7
=================================================================
==11286==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffbdcdf338 at pc 0x00000040cf49 bp 0x7fffbdcdef70 sp 0x7fffbdcdef68
WRITE of size 1 at 0x7fffbdcdf338 thread T0
#0 0x40cf48 (/usr/bin/dpkg-deb+0x40cf48)
#1 0x410dfe (/usr/bin/dpkg-deb+0x410dfe)
#2 0x4056e2 (/usr/bin/dpkg-deb+0x4056e2)
#3 0x7f38390b8b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#4 0x4074ca (/usr/bin/dpkg-deb+0x4074ca)
Address 0x7fffbdcdf338 is located in stack of thread T0 at offset 872 in
frame
#0 0x40b4bf (/usr/bin/dpkg-deb+0x40b4bf)
This frame has 13 object(s):
[32, 33) 'nlc'
[96, 100) 'dummy'
[160, 168) 'version'
[224, 232) 'ctrllennum'
[288, 304) 'err'
[352, 384) 'cmd'
[416, 424) 'p1'
[480, 488) 'p2'
[544, 604) 'arh'
[640, 784) 'stab'
[832, 872) 'versionbuf' <== Memory access at offset 872 overflows
this variable
[928, 968) 'ctrllenbuf'
[1024, 1224) 'buf'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x100077b93e10: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00
0x100077b93e20: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 f4
0x100077b93e30: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00
0x100077b93e40: 00 00 00 00 00 04 f2 f2 f2 f2 00 00 00 00 00 00
0x100077b93e50: 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4 f2 f2
=>0x100077b93e60: f2 f2 00 00 00 00 00[f4]f4 f4 f2 f2 f2 f2 00 00
0x100077b93e70: 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
0x100077b93e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100077b93e90: 00 00 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
0x100077b93ea0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
0x100077b93eb0: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11286==ABORTING
To be on the safe side, I'm reporting it as a critical security vuln
because this is a memory error in the core component. Please contact me
on d33tah@gmail.com.
----- End forwarded message -----
Quoting Guillem:
> The .deb is an ar archive w/o the '\n' trailer on the «!<arch>» magic
> value. The dpkg-deb/extract.c:extracthalf() function calls read_line()
> passing to it versionbuf with the off-by-one length, that one writes
> 41 bytes into it (with a trailing \0), stomping on whatever is next in
> the stack. But this should in principle have no visible effect because
> regardless of how the compiler has organized the local stack, any
> subsequently used local variable is first assigned so the trailing \0
> would not be in effect, and versionbuf is only ever used to compare
> against shorter constant strings, which should all fail, the first
> against "!<arch>\n", then against "0.93", and after that it just
> aborts the program.
Attached is the corresponding patch.
Regards,
Salvatore
[0001-dpkg-deb-Fix-off-by-one-write-access-on-versionbuf-v.patch (text/x-diff, attachment)]
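The off-by-one Guillem describes in the message above, reduced to a model that can be run, as an added example that is not dpkg's code. `model_read_line()`, `parse_magic()`, the guard byte and both sample inputs are constructed here; only the 40-byte buffer size and the "!<arch>\n" magic are taken from the report.

```c
#include <stdio.h>
#include <string.h>

#define AR_MAGIC        "!<arch>\n"  /* magic named in the report */
#define VERSIONBUF_SIZE 40           /* ASan: 'versionbuf' spans [832, 872) */
#define GUARD           0x5a         /* constructed marker for the next byte */

/* Constructed sample inputs (not the fuzzer's file). */
static const char WELL_FORMED[] =
    "!<arch>\ndebian-binary   1441211456  0     0     100644  4         `\n";
static const char MALFORMED[] =   /* same header, '\n' after the magic missing */
    "!<arch>debian-binary   1441211456  0     0     100644  4         `\n";

struct result {
    int magic_ok;        /* buffer compared equal to AR_MAGIC */
    int guard_clobbered; /* the byte just past the 40-byte buffer was written */
};

/* Hypothetical line reader: copies up to max_size bytes, stopping after '\n',
 * then appends a NUL. It can therefore write max_size + 1 bytes into buf. */
static size_t model_read_line(const char *src, size_t src_len,
                              char *buf, size_t max_size)
{
    size_t n = 0;

    while (n < max_size && n < src_len) {
        buf[n] = src[n];
        if (buf[n++] == '\n')
            break;
    }
    buf[n] = '\0';
    return n;
}

/* frame[0..39] stands in for versionbuf; frame[40] is a guard byte that
 * plays the role of "whatever is next in the stack". */
static struct result parse_magic(const char *src, size_t src_len,
                                 size_t max_size)
{
    char frame[VERSIONBUF_SIZE + 1];
    struct result r;

    if (max_size > VERSIONBUF_SIZE)   /* keep the demo inside its own array */
        max_size = VERSIONBUF_SIZE;
    memset(frame, GUARD, sizeof(frame));
    model_read_line(src, src_len, frame, max_size);
    r.guard_clobbered = (unsigned char)frame[VERSIONBUF_SIZE] != GUARD;
    r.magic_ok = strcmp(frame, AR_MAGIC) == 0;
    return r;
}

int main(void)
{
    /* Before: the caller passes the full buffer size as the read limit. */
    struct result before = parse_magic(MALFORMED, sizeof(MALFORMED) - 1,
                                       VERSIONBUF_SIZE);
    /* After: one byte is reserved for the terminating NUL. */
    struct result after = parse_magic(MALFORMED, sizeof(MALFORMED) - 1,
                                      VERSIONBUF_SIZE - 1);
    /* A valid header stops at '\n' after 8 bytes, so either limit is safe. */
    struct result valid = parse_magic(WELL_FORMED, sizeof(WELL_FORMED) - 1,
                                      VERSIONBUF_SIZE);

    printf("limit 40, malformed: magic_ok=%d guard_clobbered=%d\n",
           before.magic_ok, before.guard_clobbered);
    printf("limit 39, malformed: magic_ok=%d guard_clobbered=%d\n",
           after.magic_ok, after.guard_clobbered);
    printf("limit 40, valid:     magic_ok=%d guard_clobbered=%d\n",
           valid.magic_ok, valid.guard_clobbered);
    return 0;
}
```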
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#798324.
(Mon, 14 Sep 2015 03:48:16 GMT)
Message #8 received at 798324-submitter@bugs.debian.org:
Control: tag 798324 pending
Hi!
Bug #798324 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/dpkg/dpkg.git/diff/?id=e65aa3d
---
commit e65aa3db04eb908c9507d5d356a95cedb890814d
Author: Guillem Jover <guillem@debian.org>
Date: Sun Sep 6 21:25:00 2015 +0200
dpkg-deb: Fix off-by-one write access on versionbuf variable
Closes: #798324
Warned-by: afl
Reported-by: Jacek Wielemborek <d33tah@gmail.com>
Stable-Candidate: 1.16.x 1.17.x
diff --git a/debian/changelog b/debian/changelog
index ace9a74..d45049b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ dpkg (1.18.3) UNRELEASED; urgency=low
* Add kfreebsd-armhf support to ostable and triplettable. Closes: #796283
Thanks to Steven Chamberlain <steven@pyro.eu.org>.
* Fix «dpkg --verify» with --root.
+ * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
+ Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
* Perl modules:
- Only warn on invalid week days instead of aborting in
Dpkg::Changelog::Entry::Debian. Regression introduced in dpkg 1.18.2.
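Review bot: the added entry ("Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.") does not name the affected code, so a reader of the changelog cannot tell which buffer was involved. The commit subject already says "versionbuf variable"; carrying that into the entry, for example "... on the versionbuf variable when parsing the .deb magic", would make the two match. Only the debian/changelog hunk is visible in this mail, so the corrected length cannot be checked here and has to be read from the cgit diff linked above.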
Added tag(s) pending.
Request was from Guillem Jover <guillem@debian.org>
to 798324-submitter@bugs.debian.org.
(Mon, 14 Sep 2015 03:48:16 GMT)
Reply sent
to Guillem Jover <guillem@debian.org>:
You have taken responsibility.
(Mon, 21 Sep 2015 06:06:24 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 21 Sep 2015 06:06:24 GMT)
Message #15 received at 798324-close@bugs.debian.org:
Source: dpkg
Source-Version: 1.18.3
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 798324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 21 Sep 2015 07:11:42 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.18.3
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 794688 794694 794977 795936 796283 796671 798324 798369 798370 798371
Changes:
dpkg (1.18.3) unstable; urgency=medium
.
[ Guillem Jover ]
* Fix short-lived memory leaks in start-stop-daemon. As a side effect now
a missing group after ‘:’ on --chuid is a fatal error.
* Print the master and slave links in «update-alternatives --display».
* Print the current best alternative in the head instead of the trail
in «update-alternatives --display», with a two space indentation.
* Reimplement «update-alternatives --all» as a fully built-in command
instead of executing itself with --config per subtask.
* Reimplement «update-alternatives --set-selections» as a fully built-in
command instead of executing itself with --set or --auto per subtask.
* Add kfreebsd-armhf support to ostable and triplettable. Closes: #796283
Thanks to Steven Chamberlain <steven@pyro.eu.org>.
* Fix «dpkg --verify» with --root.
* Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
* Split overlong perl regexes into multiline extended regexes.
* Switch dselect multicd method license from GPL2 to GPL2+, with consent
from all its authors.
* Fix inadvertent license change for lib/dpkg/utils.c from GPL2 to GPL2+.
* Fix segfault when using «dpkg --no-act» with a synthetic --admindir.
Reported by David Kalnischkies <david@kalnischkies.de>.
* Perl modules:
- Only warn on invalid week days instead of aborting in
Dpkg::Changelog::Entry::Debian. Regression introduced in dpkg 1.18.2.
Reported by Jakub Wilk <jwilk@debian.org>.
- Do not warn when removing an empty subdirectory on source package
extraction in Dpkg::Source::Package::V2. Closes: #796671
- Do not abort on parse errors from Time::Piece->strptime() for the
changelog trailer date, just queue them so that the caller can decide
if they should be warnings or actual errors. Closes: #795936
- Validate the changelog trailer date, and catch and warn or error on
bogus month names, such as unknown or unabbreviated ones.
* Test suite:
- Get the reference build flags from dpkg-buildflags.pl, instead of
hardcoding them, which might not match depending on the architecture.
Closes: #794694
- Delete any environment variable starting with DEB_ in mk.t that might
affect the test results.
* Build system:
- Add a new --with-devlibdir configure option for the C libdpkg library.
* Packaging:
- Remove unneeded --sourcedir options from dh_install calls.
- Use the new --with-devlibdir configure option to only switch libdpkg-dev
files to the multi-arch directory. Closes: #794977
* Documentation:
- Fix typos for --predep-package option name. Closes: #794688
- Add missing dashes to package-list in deb-src-control(5).
- Mark each individual required field as such, instead of using segregated
sections.
.
[ Updated programs translations ]
* Catalan (Jordi Mallach).
* French (Sébastien Poher). Closes: #798371
* German (Sven Joachim).
* Vietnamese (Trần Ngọc Quân).
.
[ Updated dselect translations ]
* French (Sébastien Poher). Closes: #798370
.
[ Updated scripts translations ]
* French (Sébastien Poher). Closes: #798369
* German (Helge Kreutzmann).
.
[ Updated manpages translations ]
* German (Helge Kreutzmann).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 24 Oct 2015 07:26:43 GMT)
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 18 Nov 2015 15:57:14 GMT)
Marked as found in versions dpkg/1.17.25.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 18 Nov 2015 15:57:15 GMT)
Marked as found in versions dpkg/1.16.16.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 18 Nov 2015 15:57:16 GMT)
Marked as found in versions dpkg/1.16.10.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 18 Nov 2015 15:57:17 GMT)
Reply sent
to Guillem Jover <guillem@debian.org>:
You have taken responsibility.
(Thu, 26 Nov 2015 21:21:31 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Thu, 26 Nov 2015 21:21:31 GMT)
Message #30 received at 798324-close@bugs.debian.org:
Source: dpkg
Source-Version: 1.17.26
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 798324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 25 Nov 2015 22:54:54 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.17.26
Distribution: jessie-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 785095 798324 799020
Changes:
dpkg (1.17.26) jessie-security; urgency=high
.
[ Guillem Jover ]
* Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
* Fix an off-by-one write access in dpkg-deb when parsing the old format
.deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
Fixes CVE-2015-0860.
* Fix an off-by-one read access in dpkg-deb when parsing ar member names.
Thanks to Hanno Böck <hanno@hboeck.de>.
.
[ Updated programs translations ]
* Catalan (Jordi Mallach).
* Turkish (Mert Dirik). Closes: #785095
.
[ Updated scripts translations ]
* German (Helge Kreutzmann). (Various fixes)
* Spanish (Santiago Vila). Closes: #799020
.
[ Updated manpages translations ]
* German (Helge Kreutzmann). (Various fixes)
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#798324.
(Thu, 26 Nov 2015 23:51:03 GMT)
Message #33 received at 798324-submitter@bugs.debian.org:
Control: tag 798324 pending
Hi!
Bug #798324 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/dpkg/dpkg.git/diff/?id=8091366
---
commit 80913664ab1ab876128ede7e0967346cf7c48dce
Author: Guillem Jover <guillem@debian.org>
Date: Sun Sep 6 21:25:00 2015 +0200
dpkg-deb: Fix off-by-one write access on versionbuf variable
Cherry picked from commit e65aa3db04eb908c9507d5d356a95cedb890814d.
Closes: #798324
Warned-by: afl
Reported-by: Jacek Wielemborek <d33tah@gmail.com>
diff --git a/debian/changelog b/debian/changelog
index baad669..d5db844 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
dpkg (1.16.16+nmu1) UNRELEASED; urgency=medium
+ [ Guillem Jover ]
+ * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
+ Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
+
[ Updated programs translations ]
* Catalan (Jordi Mallach).
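Review bot: the stanza header in the context line still reads "dpkg (1.16.16+nmu1) UNRELEASED", an NMU-style version, while the section added beneath it is headed "[ Guillem Jover ]". The version should be changed to a regular maintainer version before upload so that a maintainer section does not ship under a +nmu version; the bug metadata lists the fix as dpkg/1.16.17.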
Added tag(s) pending.
Request was from Guillem Jover <guillem@debian.org>
to 798324-submitter@bugs.debian.org.
(Thu, 26 Nov 2015 23:51:03 GMT)
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#798324.
(Thu, 26 Nov 2015 23:57:06 GMT)
Message #38 received at 798324-submitter@bugs.debian.org:
Control: tag 798324 pending
Hi!
Bug #798324 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/dpkg/dpkg.git/diff/?id=33982c8
---
commit 33982c80d720689586b43c50e56ad018783080e2
Author: Guillem Jover <guillem@debian.org>
Date: Sun Sep 6 21:25:00 2015 +0200
dpkg-deb: Fix off-by-one write access on versionbuf variable
Cherry picked from commit e65aa3db04eb908c9507d5d356a95cedb890814d.
Closes: #798324
Warned-by: afl
Reported-by: Jacek Wielemborek <d33tah@gmail.com>
diff --git a/debian/changelog b/debian/changelog
index 636048d..a8bea7b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
dpkg (1.17.26) UNRELEASED; urgency=low
+ [ Guillem Jover ]
+ * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
+ Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
+
[ Updated programs translations ]
* Catalan (Jordi Mallach).
* Turkish (Mert Dirik). Closes: #785095
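Review bot: the context line "dpkg (1.17.26) UNRELEASED; urgency=low" leaves the urgency at low for a stanza that now carries a fix for an out-of-bounds write in the .deb parser. Raise the urgency when the stanza is finalised; the 1.17.26 upload recorded later in this log went to jessie-security with urgency=high.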
Reply sent
to Guillem Jover <guillem@debian.org>:
You have taken responsibility.
(Tue, 22 Dec 2015 21:51:17 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 22 Dec 2015 21:51:18 GMT)
Message #43 received at 798324-close@bugs.debian.org:
Source: dpkg
Source-Version: 1.16.17
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 798324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 25 Nov 2015 22:34:58 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.17
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 798324
Changes:
dpkg (1.16.17) wheezy-security; urgency=high
.
[ Guillem Jover ]
* Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
Reported by Jacek Wielemborek <d33tah@gmail.com>. Closes: #798324
* Fix an off-by-one write access in dpkg-deb when parsing the old format
.deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
Fixes CVE-2015-0860.
* Fix an off-by-one read access in dpkg-deb when parsing ar member names.
Thanks to Hanno Böck <hanno@hboeck.de>.
.
[ Updated programs translations ]
* Catalan (Jordi Mallach).
.
[ Updated man page translations ]
* Fix incorrect translation in German (Helge Kreutzmann)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 20 Jan 2016 07:28:10 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Aug 2 03:51:55 2024;