[Reproducible-commits] [dpkg] 29/54: libdpkg: Fix an off-by-one read access in ar member name variable
Mattia Rizzolo
mattia at debian.org
Fri Jan 15 18:54:01 UTC 2016
This is an automated email from the git hooks/post-receive script.
mattia pushed a commit to branch pu/reproducible_builds
in repository dpkg.
commit c50e8dc2e9557181676808be96ae7594bf48ce8b
Author: Hanno Böck <hanno at hboeck.de>
Date: Thu Nov 19 01:31:19 2015 +0100
libdpkg: Fix an off-by-one read access in ar member name variable
The problem here is that due to the previous loop the variable ‘i’ can
be -1 and thus the expression in the conditional reads invalid memory.
[guillem at debian.org:
- Remove surrounding parenthesis. ]
Warned-by: afl
Signed-off-by: Guillem Jover <guillem at debian.org>
Stable-Candidate: 1.16.x 1.17.x
---
debian/changelog | 2 ++
lib/dpkg/ar.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 4270d18..32bba94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,8 @@ dpkg (1.18.4) UNRELEASED; urgency=medium
* Fix an off-by-one write access in dpkg-deb when parsing the old format
.deb control member size. Thanks to Hanno Böck <hanno at hboeck.de>.
Fixes CVE-2015-0860.
+ * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
+ Thanks to Hanno Böck <hanno at hboeck.de>.
* Test suite:
- Improve perl code test coverage.
* Build system:
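Review bot: The added entry describes the fix as being "in dpkg-deb when parsing ar member names", but the commit subject and the diffstat place the change in libdpkg (lib/dpkg/ar.c, in dpkg_ar_normalize_name). Consider naming libdpkg or the function in the entry so that readers tracking the library can tell the fix applies to them. The entry directly above cites a CVE identifier, and this one does not, so it would also help to state whether that omission is deliberate.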
diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index cf540a0..97eefb6 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -57,7 +57,7 @@ dpkg_ar_normalize_name(struct ar_hdr *arh)
name[i] = '\0';
/* Remove optional slash terminator (on GNU-style archives). */
- if (name[i] == '/')
+ if (i >= 0 && name[i] == '/')
name[i] = '\0';
}
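Review bot: The new `i >= 0` guard on the slash check has no comment saying when `i` can be negative, and the loop that sets it is outside the hunk context. The commit message explains that the previous loop can leave `i` at -1, so carrying that into the code, for example by extending the existing "Remove optional slash terminator" comment, would keep the condition from looking redundant to a later reader. The diffstat touches only debian/changelog and lib/dpkg/ar.c, so there is no regression test for the input afl found. A test that feeds in a member name that drives `i` to -1 would pin this down, and it is worth confirming that callers cope with the name this function leaves behind in that case.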
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git