[Reproducible-commits] [dpkg] 28/54: dpkg-deb: Fix off-by-one write access on ctrllenbuf variable
Mattia Rizzolo
mattia at debian.org
Fri Jan 15 18:54:01 UTC 2016
This is an automated email from the git hooks/post-receive script.
mattia pushed a commit to branch pu/reproducible_builds
in repository dpkg.
commit c66cdd38c195a44c33e73d016372ac0ef775c4de
Author: Hanno Böck <hanno at hboeck.de>
Date: Thu Nov 19 20:03:10 2015 +0100
dpkg-deb: Fix off-by-one write access on ctrllenbuf variable
This affects old format .deb packages.
Fixes: CVE-2015-0860
Warned-by: afl
Signed-off-by: Guillem Jover <guillem at debian.org>
Stable-Candidate: 1.16.x 1.17.x
---
debian/changelog | 5 ++++-
dpkg-deb/extract.c | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a2f858c..4270d18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-dpkg (1.18.4) UNRELEASED; urgency=low
+dpkg (1.18.4) UNRELEASED; urgency=medium
[ Guillem Jover ]
* Switch dpkg-scansources and dpkg-scanpackages to use File::Find instead
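Review bot: the urgency change from low to medium on the first changelog line is not mentioned anywhere in the commit message. Since it changes how the whole 1.18.4 upload is handled and not only this entry, a short line in the message tying the bump to the CVE-2015-0860 fix would make the reason recoverable from the history.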
@@ -19,6 +19,9 @@ dpkg (1.18.4) UNRELEASED; urgency=low
* Add support for DPKG_MAINTSCRIPT_DEBUG environment variable to dpkg.
* Fix dpkg-checkbuilddeps exit code to be 1 instead of a random error value
on unsatisfied dependencies. Regression introduced in dpkg 1.18.3.
+ * Fix an off-by-one write access in dpkg-deb when parsing the old format
+ .deb control member size. Thanks to Hanno Böck <hanno at hboeck.de>.
+ Fixes CVE-2015-0860.
* Test suite:
- Improve perl code test coverage.
* Build system:
diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index 91445c6..6c63498 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -247,7 +247,7 @@ extracthalf(const char *debar, const char *dir,
if (errstr)
ohshit(_("archive has invalid format version: %s"), errstr);
- r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
+ r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
if (r < 0)
read_fail(r, debar, _("archive control member size"));
if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
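Review bot: at the changed read_line() call, the "- 1" is an unexplained adjustment at the call site, so a later cleanup could easily turn it back into sizeof(ctrllenbuf). The buffer goes straight into sscanf() as a string on the following lines, so the byte is presumably reserved for the terminator; a one-line comment saying so, or moving the reservation into read_line() itself, would make the invariant hard to break. Any other read_line() caller that passes a full sizeof() deserves the same check. The diffstat also shows only debian/changelog and dpkg-deb/extract.c touched, so no regression test accompanies the fix; the old format .deb that afl produced would be a natural test-suite input.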
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git