[Reproducible-commits] [dpkg] 18/25: libdpkg: Escape package and architecture on control file parsing warning

Holger Levsen holger at layer-acht.org
Tue May 3 08:43:55 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.16.16
in repository dpkg.

commit 1731337cd5d51f0f3d9696d97d0176baa9fadc05
Author: Guillem Jover <guillem at debian.org>
Date:   Fri Nov 7 20:49:26 2014 +0100

    libdpkg: Escape package and architecture on control file parsing warning
    
    Cherry picked from commit 446f11df6302716c2a1f993761ee54ecb44d42bb.
    
    The package and architecture names are injected into a variable that is
    used as a format string. Because these are user controlled, we need to
    format-escape them so that they become inert.
    
    Regression introduced in commit 3be2cf607868adb9a2c0e5af06f20168a072eeb6.
    
    Fixes: CVE-2014-8625
    Closes: #768485
    Reported-by: Joshua Rogers <megamansec at gmail.com>
---
 debian/changelog     |  5 +++++
 lib/dpkg/parsehelp.c | 11 +++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 21ad2eb..9c29d6f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,11 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low
     Closes: #731530
   * Fix off-by-one error in libdpkg command argv size calculation.
     Based on a patch by Bálint Réczey <balint at balintreczey.hu>. Closes: #760690
+  * Escape package and architecture names on control file parsing warning,
+    as those get injected into a variable that is used as a format string,
+    and they come from the package fields, which are under user control.
+    Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
+    Reported by Joshua Rogers <megamansec at gmail.com>.
 
   [ Updated scripts translations ]
   * Fix typos in German (Helge Kreutzmann)
diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c
index d9a574e..9e1d624 100644
--- a/lib/dpkg/parsehelp.c
+++ b/lib/dpkg/parsehelp.c
@@ -44,11 +44,14 @@ parse_error_msg(struct parsedb_state *ps, const char *fmt)
 
   str_escape_fmt(filename, ps->filename, sizeof(filename));
 
-  if (ps->pkg && ps->pkg->set->name)
+  if (ps->pkg && ps->pkg->set->name) {
+    char pkgname[256];
+
+    str_escape_fmt(pkgname, pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig),
+                   sizeof(pkgname));
     sprintf(msg, _("parsing file '%.255s' near line %d package '%.255s':\n"
-                   " %.255s"), filename, ps->lno,
-                   pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), fmt);
-  else
+                   " %.255s"), filename, ps->lno, pkgname, fmt);
+  } else
     sprintf(msg, _("parsing file '%.255s' near line %d:\n"
                    " %.255s"), filename, ps->lno, fmt);
 
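Review bot: the closing `} else` in this hunk leaves the else branch brace-less while the new if branch is braced; for symmetry, and so a later statement cannot silently fall outside the else, brace both branches (`} else {` ... `}`). The fix itself is right: `pkgbin_name()` output now goes through the same `str_escape_fmt()` that `filename` already passes through two lines above the hunk, so a `%` inside a package or architecture field becomes an inert `%%` before `msg` is later used as a format. One thing worth a comment: escaping doubles every `%`, so a long name with many of them may be cut by the 256-byte `pkgname` bound before the `%.255s` precision ever applies; that truncation is harmless as long as `str_escape_fmt()` always terminates inside the buffer, but stating that intent next to `char pkgname[256];` would save the next reader the check.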

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
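The commit message above describes the bug class: a field under the uploader's control (package or architecture name) is placed into `msg`, and `msg` is then itself used as a format string, so any `%` in the field becomes a live directive. The following is an added example, not dpkg's code: `escape_fmt()` is my own implementation modelled on what the hunk calls `str_escape_fmt()` (whose source is not on this page), `build_warning()` mirrors the patched `parse_error_msg()` shape, and `build_warning_unsafe()` shows the pre-fix shape for comparison. `count_active_directives()` is a small check a test suite can run over the built message to confirm that the user-controlled fields contribute zero directives. All file names, line numbers and field values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy src into dst (capacity n), doubling every '%' so the result is
 * inert when it later ends up inside a string used as a format.
 * Truncation never splits a "%%" pair. Own implementation, modelled on
 * the str_escape_fmt() call in the patch; not dpkg's code. */
static void
escape_fmt(char *dst, const char *src, size_t n)
{
    size_t i = 0;

    if (n == 0)
        return;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '%') ? 2 : 1;

        if (i + need >= n)      /* keep room for the terminator */
            break;
        if (*src == '%')
            dst[i++] = '%';
        dst[i++] = *src;
    }
    dst[i] = '\0';
}

/* Post-fix shape: escape the attacker-influenced fields, then place them
 * with %.255s. 'fmt' is the caller's own format and is meant to keep its
 * directives, exactly as in the patched parse_error_msg(). */
static int
build_warning(char *msg, size_t n, const char *filename, int lno,
              const char *pkgname, const char *fmt)
{
    char fn_esc[256], pkg_esc[256];

    escape_fmt(fn_esc, filename, sizeof(fn_esc));
    escape_fmt(pkg_esc, pkgname, sizeof(pkg_esc));
    return snprintf(msg, n,
                    "parsing file '%.255s' near line %d package '%.255s':\n %.255s",
                    fn_esc, lno, pkg_esc, fmt);
}

/* Pre-fix shape, for comparison only: the package name is copied in
 * verbatim, so its '%' characters survive into the future format string. */
static int
build_warning_unsafe(char *msg, size_t n, const char *filename, int lno,
                     const char *pkgname, const char *fmt)
{
    char fn_esc[256];

    escape_fmt(fn_esc, filename, sizeof(fn_esc));
    return snprintf(msg, n,
                    "parsing file '%.255s' near line %d package '%.255s':\n %.255s",
                    fn_esc, lno, pkgname, fmt);
}

/* Count directives that would still be interpreted if s were used as a
 * format string: every '%' that is not half of a "%%" pair. */
static int
count_active_directives(const char *s)
{
    int count = 0;

    while ((s = strchr(s, '%')) != NULL) {
        if (s[1] == '%') {
            s += 2;             /* literal percent, inert */
        } else {
            count++;
            s += 1;
        }
    }
    return count;
}

int
main(void)
{
    /* Constructed inputs: a status file path and a hostile package name. */
    const char *file = "/var/lib/dpkg/status";
    const char *name = "evil%n%s%x";
    const char *fmt = "unknown value %s";
    char msg[1024];

    build_warning_unsafe(msg, sizeof(msg), file, 42, name, fmt);
    printf("unsafe: %d live directives\n", count_active_directives(msg));
    build_warning(msg, sizeof(msg), file, 42, name, fmt);
    printf("fixed:  %d live directives\n", count_active_directives(msg));
    return 0;
}
```

Only the one directive belonging to `fmt` should survive in the fixed message; any count above that means a field reached the format string unescaped, which is the condition the patch removes.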



More information about the Reproducible-commits mailing list