Sfoglia il codice sorgente

dpkg-deb: Fix off-by-one write access on ctrllenbuf variable

This affects old format .deb packages.

Fixes: CVE-2015-0860
Warned-by: afl
Signed-off-by: Guillem Jover <guillem@debian.org>
Stable-Candidate: 1.16.x 1.17.x
Hanno Böck 10 anni fa
parent
commit
c66cdd38c1
2 ha cambiato i file con 5 aggiunte e 2 eliminazioni
  1. 4 1
      debian/changelog
  2. 1 1
      dpkg-deb/extract.c

+ 4 - 1
debian/changelog

@@ -1,4 +1,4 @@
-dpkg (1.18.4) UNRELEASED; urgency=low
+dpkg (1.18.4) UNRELEASED; urgency=medium
 
   [ Guillem Jover ]
   * Switch dpkg-scansources and dpkg-scanpackages to use File::Find instead
@@ -19,6 +19,9 @@ dpkg (1.18.4) UNRELEASED; urgency=low
   * Add support for DPKG_MAINTSCRIPT_DEBUG environment variable to dpkg.
   * Fix dpkg-checkbuilddeps exit code to be 1 instead of a random error value
     on unsatisfied dependencies. Regression introduced in dpkg 1.18.3.
+  * Fix an off-by-one write access in dpkg-deb when parsing the old format
+    .deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
+    Fixes CVE-2015-0860.
   * Test suite:
     - Improve perl code test coverage.
   * Build system:

+ 1 - 1
dpkg-deb/extract.c

@@ -247,7 +247,7 @@ extracthalf(const char *debar, const char *dir,
     if (errstr)
       ohshit(_("archive has invalid format version: %s"), errstr);
 
-    r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
+    r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
     if (r < 0)
       read_fail(r, debar, _("archive control member size"));
     if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||