[Reproducible-commits] [dpkg] 18/25: libdpkg: Escape package and architecture on control file parsing warning
Holger Levsen
holger at layer-acht.org
Tue May 3 08:43:55 UTC 2016
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to annotated tag 1.16.16
in repository dpkg.
commit 1731337cd5d51f0f3d9696d97d0176baa9fadc05
Author: Guillem Jover <guillem at debian.org>
Date: Fri Nov 7 20:49:26 2014 +0100
libdpkg: Escape package and architecture on control file parsing warning
Cherry picked from commit 446f11df6302716c2a1f993761ee54ecb44d42bb.
The package and architecture names are injected into a variable that is
used as a format string. Because these are user controlled, we need to
format-escape them so that they become inert.
Regression introduced in commit 3be2cf607868adb9a2c0e5af06f20168a072eeb6.
Fixes: CVE-2014-8625
Closes: #768485
Reported-by: Joshua Rogers <megamansec at gmail.com>
---
debian/changelog | 5 +++++
lib/dpkg/parsehelp.c | 11 +++++++----
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 21ad2eb..9c29d6f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,11 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low
Closes: #731530
* Fix off-by-one error in libdpkg command argv size calculation.
Based on a patch by Bálint Réczey <balint at balintreczey.hu>. Closes: #760690
+ * Escape package and architecture names on control file parsing warning,
+ as those get injected into a variable that is used as a format string,
+ and they come from the package fields, which are under user control.
+ Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
+ Reported by Joshua Rogers <megamansec at gmail.com>.
[ Updated scripts translations ]
* Fix typos in German (Helge Kreutzmann)
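Review bot: the changelog entry states the regression was introduced in dpkg 1.16.0 while the commit message cites commit 3be2cf6; both are fine, but adding the release version to the commit message (or the commit hash here) would make the two records easy to cross-check when triaging CVE-2014-8625.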
diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c
index d9a574e..9e1d624 100644
--- a/lib/dpkg/parsehelp.c
+++ b/lib/dpkg/parsehelp.c
@@ -44,11 +44,14 @@ parse_error_msg(struct parsedb_state *ps, const char *fmt)
str_escape_fmt(filename, ps->filename, sizeof(filename));
- if (ps->pkg && ps->pkg->set->name)
+ if (ps->pkg && ps->pkg->set->name) {
+ char pkgname[256];
+
+ str_escape_fmt(pkgname, pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig),
+ sizeof(pkgname));
sprintf(msg, _("parsing file '%.255s' near line %d package '%.255s':\n"
- " %.255s"), filename, ps->lno,
- pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), fmt);
- else
+ " %.255s"), filename, ps->lno, pkgname, fmt);
+ } else
sprintf(msg, _("parsing file '%.255s' near line %d:\n"
" %.255s"), filename, ps->lno, fmt);
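Review bot: the escaped name is bounded by `sizeof(pkgname)` (256 bytes) while `str_escape_fmt` can double the length of the input by turning each `%` into `%%`, so it is worth confirming that truncation at the buffer end never leaves a lone trailing `%` in `pkgname`, since `msg` is later consumed as a format string and a dangling `%` would still be interpreted there; a short comment above the `str_escape_fmt` call explaining that `msg` is used as a format string and that both `filename` and `pkgname` must therefore be escaped would also help the next reader, as the reason is only visible in the commit message.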