[dpkg] 21/200: dpkg: Fix use after free issue on error summary

Ximin Luo infinity0 at debian.org
Wed Apr 5 15:17:09 UTC 2017 

This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch master
in repository dpkg.

commit 89b80a3da82ea5b10b1500d6c531432d0ce585a5
Author: Guillem Jover <guillem at debian.org>
Date:   Thu Nov 10 16:42:13 2016 +0100

    dpkg: Fix use after free issue on error summary
    
    We are releasing the dpkg database now after running the commands, which
    means that the postponed error reporting summary was trying to print
    messages that had already been freed from the database memory pool.
    
    Duplicate the passed strings so that we are impervious to the database
    life-cycle.
    
    Regression introduced in commit 3404fd24ef8020b4d6dc17adb82d7e6c035d90dc.
    
    Closes: #843874
---
 debian/changelog | 4 ++++
 src/errors.c     | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ff40966..3169791 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,10 @@ dpkg (1.18.14) UNRELEASED; urgency=medium
     - Do not set PIE options if they have been negated, and do not reset
       them if they have been requested.
     Closes: #843791, #843826
+  * Fix use after free error in dpkg. It was trying to print messages that
+    had already been freed as part of the database memory pool, causing in
+    some cases segfaults when reporting the error summary at the end.
+    Regression introduced in dpkg 1.18.11. Closes: #843874
   * Test suite:
     - Do not fail tests on missing fakeroot, just skip them.
   * Build system:
diff --git a/src/errors.c b/src/errors.c
index 0869235..3d2d719 100644
--- a/src/errors.c
+++ b/src/errors.c
@@ -47,7 +47,7 @@ static int nerrs = 0;
 
 struct error_report {
   struct error_report *next;
-  const char *what;
+  char *what;
 };
 
 static struct error_report *reports = NULL;
@@ -66,7 +66,7 @@ enqueue_error_report(const char *arg)
     abort_processing = true;
     nr= &emergency;
   }
-  nr->what= arg;
+  nr->what = m_strdup(arg);
   nr->next = NULL;
   *lastreport= nr;
   lastreport= &nr->next;
@@ -109,6 +109,7 @@ reportbroken_retexitstatus(int ret)
     fputs(_("Errors were encountered while processing:\n"),stderr);
     while (reports) {
       fprintf(stderr," %s\n",reports->what);
+      free(reports->what);
       reports= reports->next;
     }
   }

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git

More information about the Reproducible-commits mailing list