[Reproducible-commits] [dpkg] 16/18: dpkg-deb: Fix off-by-one write access on ctrllenbuf variable

Holger Levsen holger at layer-acht.org
Tue May 3 08:44:23 UTC 2016


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to annotated tag 1.17.26
in repository dpkg.

commit c509097edc9d0f97620c50e4836b149c77acd898
Author: Hanno Böck <hanno at hboeck.de>
Date:   Thu Nov 19 20:03:10 2015 +0100

    dpkg-deb: Fix off-by-one write access on ctrllenbuf variable
    
    This affects old format .deb packages.
    
    Fixes: CVE-2015-0860
    Warned-by: afl
    Signed-off-by: Guillem Jover <guillem at debian.org>
---
 debian/changelog   | 3 +++
 dpkg-deb/extract.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index a8bea7b..9b229aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ dpkg (1.17.26) UNRELEASED; urgency=low
   [ Guillem Jover ]
   * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
     Reported by Jacek Wielemborek <d33tah at gmail.com>. Closes: #798324
+  * Fix an off-by-one write access in dpkg-deb when parsing the old format
+    .deb control member size. Thanks to Hanno Böck <hanno at hboeck.de>.
+    Fixes CVE-2015-0860.
 
   [ Updated programs translations ]
   * Catalan (Jordi Mallach).
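Review bot: the hunk header shows this stanza is still "dpkg (1.17.26) UNRELEASED; urgency=low", yet the added entry records a CVE fix (CVE-2015-0860). Consider raising the urgency before upload so the security fix is not held back. The entry also has no "Closes:" bug reference, unlike the .deb magic entry above it. If a tracking bug exists, citing it here would keep the two entries consistent.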
diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index 5c4c220..dda4de2 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -245,7 +245,7 @@ extracthalf(const char *debar, const char *dir,
     if (errstr)
       ohshit(_("archive has invalid format version: %s"), errstr);
 
-    r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
+    r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
     if (r < 0)
       read_fail(r, debar, _("archive control member size"));
     if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
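Review bot: the new bound in "r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);" is correct for the stated off-by-one, but the reason for the "- 1" is left implicit. Presumably read_line() writes a terminator after the last byte read, which the following sscanf() on ctrllenbuf depends on. The changelog context shows the same class of off-by-one was just fixed for the .deb magic, so this calling convention is evidently easy to get wrong. A one-line comment at the call would help. Better still, read_line() could take the full buffer size and reserve the terminator byte itself, with the remaining callers audited. The diffstat touches only debian/changelog and dpkg-deb/extract.c, so no regression test accompanies the fix. Since the problem was found by afl on old format packages, an old-format archive whose control member size line fills ctrllenbuf would be worth adding to the test suite.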

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git


