[Reproducible-commits] [dpkg] 06/07: libdpkg: Fix an off-by-one read access in ar member name variable
Holger Levsen
holger at layer-acht.org
Tue May 3 08:44:00 UTC 2016
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to annotated tag 1.16.17
in repository dpkg.
commit efc9e395b91ecce0b4eb99fde975be6a0c8b1cb1
Author: Hanno Böck <hanno at hboeck.de>
Date: Thu Nov 19 01:31:19 2015 +0100
libdpkg: Fix an off-by-one read access in ar member name variable
The problem here is that due to the previous loop the variable ‘i’ can
be -1 and thus the expression in the conditional reads invalid memory.
[guillem at debian.org:
- Remove surrounding parenthesis. ]
Warned-by: afl
Signed-off-by: Guillem Jover <guillem at debian.org>
Stable-Candidate: 1.16.x 1.17.x
---
debian/changelog | 2 ++
lib/dpkg/ar.c | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index f228f4c..313f71f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ dpkg (1.16.16+nmu1) UNRELEASED; urgency=medium
* Fix an off-by-one write access in dpkg-deb when parsing the old format
.deb control member size. Thanks to Hanno Böck <hanno at hboeck.de>.
Fixes CVE-2015-0860.
+ * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
+ Thanks to Hanno Böck <hanno at hboeck.de>.
[ Updated programs translations ]
* Catalan (Jordi Mallach).
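Review bot: The added changelog entry describes the fix as being "in dpkg-deb", while the code change in this commit is in lib/dpkg/ar.c and the commit subject is prefixed "libdpkg:". Consider wording the entry so it names the library's ar member name handling, so that a reader looking for fixes affecting other users of that code can find it.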
diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index d11a030..b9c0c6f 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -45,7 +45,7 @@ dpkg_ar_normalize_name(struct ar_hdr *arh)
name[i] = '\0';
/* Remove optional slash terminator (on GNU-style archives). */
- if (name[i] == '/')
+ if (i >= 0 && name[i] == '/')
name[i] = '\0';
}
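Review bot: The new `i >= 0` guard on the `name[i] == '/'` check has no comment explaining when `i` can be negative, and the existing comment above it only mentions the GNU-style slash terminator. Per the commit message, the preceding loop can leave `i` at -1, so a short addition to that comment saying so would keep the guard from looking redundant and being dropped later. With the guard in place the function leaves the name empty in that case; the hunk does not show how callers treat an empty member name, which is worth checking. The diffstat touches only debian/changelog and lib/dpkg/ar.c, so the afl finding is not captured as a regression test; a test feeding an ar header that triggers the `i == -1` case would cover it.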
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git