Report forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>: Bug#769111; Package dpkg.
(Tue, 11 Nov 2014 12:15:07 GMT)
Acknowledgement sent
to Joshua Rogers <megamansec@gmail.com>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Tue, 11 Nov 2014 12:15:07 GMT)
Package: dpkg
Version: 1.16.1.2
Tags: bug, security
This doesn't seem to be a vulnerability, but more of a bug.
Best that the devs look at it rather than me, though.
I'm using v1.16.1.2ubuntu7.5, but it is probably there in more recent
versions.
With the control file:
> : 1
> a: %s
dpkg-deb --build will segfault.
It will not segfault if you put something before
> : 1
and will not segfault if
> a: %s
does not contain a "%" symbol.
Here's a gdb backtrace:
> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>,
> format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
> 1630 vfprintf.c: No such file or directory.
> (gdb) bt
> #0 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>,
> format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
> #1 0x00007ffff76fd3e0 in ___vsnprintf_chk (s=0x7fffffffd640 "parsing
> file 'lol/DEBIAN/control' near line 2 package '1:%s':\n 'must start
> with an alphanumeric' is not a valid architecture name: \367\377\177",
> maxlen=<optimised out>, flags=1, slen=<optimised out>,
> format=0x649940 "parsing file 'lol/DEBIAN/control' near line 2 package
> '1:%s':\n '%s' is not a valid architecture name: %s", args=0x7fffffffda68)
> at vsnprintf_chk.c:65
> #2 0x0000000000414b27 in vsnprintf (__ap=<optimised out>,
> __fmt=<optimised out>, __n=1024,
> __s=0x7fffffffd640 "parsing file 'lol/DEBIAN/control' near line 2
> package '1:%s':\n 'must start with an alphanumeric' is not a valid
> architecture name: \367\377\177") at
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:78
> #3 warningv (fmt=<optimised out>, args=<optimised out>) at ehandle.c:392
> #4 0x0000000000422199 in parse_warn (ps=<optimised out>,
> fmt=<optimised out>) at parsehelp.c:75
> #5 0x000000000041db26 in parse_stanza (ps=0x7fffffffddf0,
> fs=0x7fffffffde30, parse_field=0x41bbe0 <pkg_parse_field>,
> parse_obj=0x7fffffffde70) at parse.c:478
> #6 0x000000000041ebb6 in parsedb (filename=0x65e120
> "lol/DEBIAN/control", flags=<optimised out>, donep=0x7fffffffdfe0) at
> parse.c:547
> #7 0x0000000000404004 in check_new_pkg (dir=0x7fffffffe3c5 "lol") at
> build.c:335
> #8 do_build (argv=<optimised out>) at build.c:436
> #9 0x00000000004029e1 in main (argc=<optimised out>,
> argv=0x7fffffffe168) at main.c:206
> #10 0x00007ffff761576d in __libc_start_main (main=0x402860 <main>,
> argc=3, ubp_av=0x7fffffffe158, init=<optimised out>, fini=<optimised
> out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe148) at
> libc-start.c:226
> #11 0x0000000000402ac5 in _start ()
A quick guess is that because the
> : 1
part of the file does not have a 'name', it tries to call a NULL.
Somebody should check if I'm right, though.
Thanks,
--
-- Joshua Rogers <https://internot.info/>
Information forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>: Bug#769111; Package dpkg.
(Tue, 11 Nov 2014 13:45:05 GMT)
Acknowledgement sent
to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Tue, 11 Nov 2014 13:45:06 GMT)
To: Joshua Rogers <megamansec@gmail.com>, 769111@bugs.debian.org
Subject: Re: Bug#769111: dpkg bug/vuln v2
Date: Tue, 11 Nov 2014 14:41:30 +0100
Control: clone -1 -2
Control: retitle -1 dpkg: Control parser segfaults on empty field names
Control: fixed -1 1.17.2
Control: retitle -2 dpkg: Control parser incorrectly matches on partial field names
Control: tags -2
Hi!
On Tue, 2014-11-11 at 23:13:09 +1100, Joshua Rogers wrote:
> Package: dpkg
> Version: 1.16.1.2
> Tags: bug, security
>
> This doesn't seem to be a vulnerability, but more of a bug..
> Best that the devs look at it rather than me, though.
>
> I'm using v1.16.1.2ubuntu7.5, but it is probably there in more recent
> versions
Part of this got fixed in 1.17.2, but it's still there in the latest
release in the 1.16.x branch. I'll queue the fix for that one.
> With the control file:
>
> > : 1
> > a: %s
>
> dpkg-deb --build will segfault.
>
> It will not segfault if you put something before
> > : 1
> and will not segfault if
This is the empty field issue. With a new enough dpkg it says this
instead:
$ dpkg-deb -b pkg-bogus-field
dpkg-deb: error: parsing file 'pkg-bogus-field/DEBIAN/control' near line 0:
empty field name
> > a: %s
> does not contain a "%" symbol.
This is just the format string issue reported before, it affects only
the Package and Architecture fields. The problem here is that the
parser is matching partial strings against field names, so that's
wrong, and I'm fixing this separately.
Thanks,
Guillem
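Guillem's reply above separates two problems: an empty field name that reaches later code, and a field value that is spliced into a format string which is then formatted again (the `package '1:%s'` visible inside the `format=` argument of the backtrace). The C block below is an added illustration written for this page, not dpkg's parser or its `parse_warn`/`warningv` functions; the function names, the simplified `Name: value` line format and the sample lines are assumptions. It shows a parser that rejects an empty name, a counter that reveals how many arguments the spliced format would consume, and the safe single-format alternative.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 512

/* Outcome of parsing one "Name: value" control-file line. */
enum parse_status { PARSE_OK = 0, PARSE_EMPTY_NAME, PARSE_NO_COLON };

struct field {
    char name[64];
    char value[128];
};

/* Hypothetical simplified parser (not dpkg's): splits "Name: value" and
 * rejects an empty name, which is what the ": 1" line in the report is. */
static enum parse_status parse_field_line(const char *line, struct field *f)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return PARSE_NO_COLON;

    size_t nlen = (size_t)(colon - line);
    while (nlen > 0 && isspace((unsigned char)line[nlen - 1]))
        nlen--;
    if (nlen == 0)
        return PARSE_EMPTY_NAME;   /* newer dpkg reports "empty field name" */
    if (nlen >= sizeof f->name)
        nlen = sizeof f->name - 1;
    memcpy(f->name, line, nlen);
    f->name[nlen] = '\0';

    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    snprintf(f->value, sizeof f->value, "%s", v);   /* value is only data */
    f->value[strcspn(f->value, "\r\n")] = '\0';
    return PARSE_OK;
}

/* Number of printf conversions a format would consume ("%%" is a literal
 * percent sign and is not counted). */
static int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The unsafe shape seen in the backtrace: the package name is spliced into
 * the *format string* first and the result is formatted again. Returns how
 * many arguments that spliced format would consume; the caller only ever
 * supplies two (value, reason), so any '%' in the package name makes the
 * second formatting read past its argument list. The spliced format is
 * never executed here, only counted. */
static int spliced_format_arity(const char *pkgname)
{
    char fmt[MSG_MAX];
    snprintf(fmt, sizeof fmt,
             "near line 2 package '%s':\n"
             " '%%s' is not a valid architecture name: %%s",
             pkgname);
    return count_conversions(fmt);
}

/* The safe shape: one literal format, every untrusted string passed as a
 * %s argument, so a name such as "1:%s" is only ever data. */
static int warn_safe(char *out, size_t n, const char *pkgname,
                     const char *value, const char *reason)
{
    return snprintf(out, n,
                    "near line 2 package '%s':\n"
                    " '%s' is not a valid architecture name: %s",
                    pkgname, value, reason);
}

int main(void)
{
    struct field f;
    char msg[MSG_MAX];

    /* Constructed sample input: the two lines from the bug report. */
    printf("': 1'   -> status %d\n", parse_field_line(": 1", &f));
    printf("'a: %%s' -> status %d\n", parse_field_line("a: %s", &f));
    printf("spliced arity, package 'foo':  %d\n", spliced_format_arity("foo"));
    printf("spliced arity, package '1:%%s': %d\n", spliced_format_arity("1:%s"));
    warn_safe(msg, sizeof msg, "1:%s", "%s", "must start with an alphanumeric");
    puts(msg);
    return 0;
}
```

`spliced_format_arity` reports 2 for an ordinary package name and 3 once the name contains `%s`, which is the argument-list desynchronisation that ends in the `_IO_vfprintf_internal` crash in the backtrace. GCC's `-Wformat-security` only flags the simplest form (a non-literal format with no arguments), and the `vsnprintf` path in the backtrace carries a `va_list`, so the fix has to be structural rather than a compiler flag: one literal format, untrusted strings only as arguments, as `warn_safe` does.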
Bug 769111 cloned as bug 769119
Request was from Guillem Jover <guillem@debian.org>
to 769111-submit@bugs.debian.org.
(Tue, 11 Nov 2014 13:45:06 GMT)
Changed Bug title to 'dpkg: Control parser segfaults on empty field names' from 'dpkg bug/vuln v2'
Request was from Guillem Jover <guillem@debian.org>
to 769111-submit@bugs.debian.org.
(Tue, 11 Nov 2014 13:45:07 GMT)
Marked as fixed in versions dpkg/1.17.2.
Request was from Guillem Jover <guillem@debian.org>
to 769111-submit@bugs.debian.org.
(Tue, 11 Nov 2014 13:45:08 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>: Bug#769111; Package dpkg.
(Wed, 12 Nov 2014 17:45:08 GMT)
Acknowledgement sent
to Joshua Rogers <megamansec@gmail.com>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>.
(Wed, 12 Nov 2014 17:45:08 GMT)
On 12/11/14 00:41, Guillem Jover wrote:
> : 1
>> and will not segfault if
> This is the empty field issue. With a new enough dpkg it says this
> instead:
>
> $ dpkg-deb -b pkg-bogus-field
> dpkg-deb: error: parsing file 'pkg-bogus-field/DEBIAN/control' near line 0:
> empty field name
>
>>> a: %s
>> does not contain a "%" symbol.
> This is just the format string issue reported before, it affects only
> the Package and Architecture fields. The problem here is that the
> parser is matching partial strings against field names, so that's
> wrong, and I'm fixing this separately.
>
Great, thanks!
--
-- Joshua Rogers <https://internot.info/>
Subject: Bug#769111 in package dpkg marked as pending
Date: Mon, 25 Apr 2016 21:13:57 +0000
Control: tag 769111 pending
Hi!
Bug #769111 in package dpkg reported by you has been fixed in
the dpkg/dpkg.git Git repository. You can see the changelog below, and
you can check the diff of the fix at:
https://anonscm.debian.org/cgit/dpkg/dpkg.git/diff/?id=0da09cb
---
commit 0da09cb9b0e247e91cabd7c94d82c686045a9555
Author: Guillem Jover <guillem@debian.org>
Date: Thu Sep 19 19:28:49 2013 +0200
libdpkg: Do not accept empty field names
Cherry picked from commit eecc61381b687a7ed6af65427e115dd4d2c765b6.
These are just bogus, and should have never been accepted.
Closes: #769111
diff --git a/debian/changelog b/debian/changelog
index 15e35cc..4b6381b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,7 @@ dpkg (1.16.18) UNRELEASED; urgency=medium
* Fix memory leaks in dpkg infodb format upgrade logic.
* Fix physical file offset comparison in dpkg. Closes: #808912
Thanks to Yuri Gribov <tetra2005@gmail.com>.
+ * Do not accept empty field names in dpkg. Closes: #769111
-- Guillem Jover <guillem@debian.org> Sat, 19 Mar 2016 19:13:34 +0100
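Review bot: the forwarded diff carries only the debian/changelog entry; the parser change that the new line "* Do not accept empty field names in dpkg. Closes: #769111" describes is not in this hunk, so the actual rejection of empty field names can only be verified at the cgit link for commit 0da09cb given above. The commit subject attributes the change to libdpkg ("libdpkg: Do not accept empty field names") while the changelog line says "in dpkg"; naming libdpkg in the changelog entry would keep the two consistent and point readers of the stable-branch changelog at the component that was changed.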
Added tag(s) pending.
Request was from Guillem Jover <guillem@debian.org>
to 769111-submitter@bugs.debian.org.
(Mon, 25 Apr 2016 21:15:14 GMT)
Reply sent
to Guillem Jover <guillem@debian.org>:
You have taken responsibility.
(Mon, 02 May 2016 18:21:12 GMT)
Notification sent
to Joshua Rogers <megamansec@gmail.com>:
Bug acknowledged by developer.
(Mon, 02 May 2016 18:21:12 GMT)
Source: dpkg
Source-Version: 1.16.18
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 769111@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 20 Mar 2016 10:23:24 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.18
Distribution: wheezy
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 769111 788819 789580 801156 807940 808912
Changes:
dpkg (1.16.18) wheezy; urgency=medium
.
* Remove trailing space before handling blank line dot-separator in
Dpkg::Control::Hash. Regression introduced in dpkg 1.16.16.
Reported by Jakub Wilk <jwilk@debian.org>. Closes: #789580
* Only use the SHELL environment variable for interactive shells.
Closes: #788819
* Move tar option --no-recursion before -T in dpkg-deb. With tar > 1.28 the
--no-recursion option is now positional, and needs to be passed before
the -T option, otherwise the tarball will end up with duplicated entries.
Thanks to Richard Purdie <richard.purdie@linuxfoundation.org>.
Closes: #807940
* Initialize Config-Version also for packages previously in triggers-pending
state, otherwise we end up not passing the previously configured version
to «postinst configure», which might consider this a first install instead
of an upgrade. Closes: #801156
* Fix memory leaks in dpkg infodb format upgrade logic.
* Fix physical file offset comparison in dpkg. Closes: #808912
Thanks to Yuri Gribov <tetra2005@gmail.com>.
* Do not accept empty field names in dpkg. Closes: #769111
* When sys_siglist is defined in the system, try to use NSIG as we cannot
compute the array size with sizeof(). If NSIG is missing fallback to 32
items. Prompted by Igor Pashev <pashev.igor@gmail.com>.
Checksums-Sha1:
927632d95de57066f976c166259bf1ab560cfc9b 1960 dpkg_1.16.18.dsc
9c42d305a303471b5bb27a1dc240df315e9e435f 3806456 dpkg_1.16.18.tar.xz
9684dd1de5f9426e4cbbb44906d80396653cb7a2 704976 libdpkg-dev_1.16.18_amd64.deb
090c73cdee05c12d61e35d2c68fab9673407c721 2665244 dpkg_1.16.18_amd64.deb
bd073893f8d1bb0b181684d8cb8f2613ace3acba 1168138 dselect_1.16.18_amd64.deb
30f3cb0cb41523f5edbfae105e3a0fbe69e4344c 1365896 dpkg-dev_1.16.18_all.deb
8b3965ce2a0bc035ce7d028c6f7e54710c9e782d 966166 libdpkg-perl_1.16.18_all.deb
Checksums-Sha256:
f01e95253883db2185b70f2545390966de9dc3be19f6fc1b9258cbda9c4ec58c 1960 dpkg_1.16.18.dsc
fac74a25615d60eab5d4a324c0edbbb2af3e603f6095ae5aae0ab2a99955e808 3806456 dpkg_1.16.18.tar.xz
9ab164b3284a51431581b32c043832be20b605a3084c9b94e689a50cf435febc 704976 libdpkg-dev_1.16.18_amd64.deb
35dd5caad36019537e2b00c464f3cad8ea23a949d257f86040cad1318782150c 2665244 dpkg_1.16.18_amd64.deb
d769faf0fafd1a5647ea58095462b22bfc86a0a05ddea84c27dcc100e4543aeb 1168138 dselect_1.16.18_amd64.deb
4145a912d0570ac7fa1a70ee2ad4a69c8f2120005ddf6149c058e94a295258fe 1365896 dpkg-dev_1.16.18_all.deb
09e2e988f21b317ab2fe6d7f4e82bb958a10e79aba58ce309ef2fb0bcb9b48b4 966166 libdpkg-perl_1.16.18_all.deb
Files:
93374b6e16a90b9e10c438057a3a7fc2 1960 admin required dpkg_1.16.18.dsc
7b97f930b6591f82f321d449d0e25639 3806456 admin required dpkg_1.16.18.tar.xz
91bf80b8b011211496c39a5829dfd982 704976 libdevel optional libdpkg-dev_1.16.18_amd64.deb
53c7eb729d33c4af8bbe647021205831 2665244 admin required dpkg_1.16.18_amd64.deb
f9849d1d38e150da1ae4744aec2e6134 1168138 admin optional dselect_1.16.18_amd64.deb
8047bccfda1b364785e25ac593e18608 1365896 utils optional dpkg-dev_1.16.18_all.deb
ee049cfc6f79e538a9face59172285e2 966166 perl optional libdpkg-perl_1.16.18_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 31 May 2016 07:28:05 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.