
Debian Bug report logs - #769119
dpkg: Control parser incorrectly matches on partial field names


Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg (PTS, buildd, popcon).

Reported by: Joshua Rogers <megamansec@gmail.com>

Date: Tue, 11 Nov 2014 12:15:02 UTC

Severity: normal

Found in versions 1.10, dpkg/1.16.1.2

Fixed in version dpkg/1.17.22

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#769111; Package dpkg. (Tue, 11 Nov 2014 12:15:07 GMT)


Acknowledgement sent to Joshua Rogers <megamansec@gmail.com>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Tue, 11 Nov 2014 12:15:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joshua Rogers <megamansec@gmail.com>
To: submit@bugs.debian.org
Subject: dpkg bug/vuln v2
Date: Tue, 11 Nov 2014 23:13:09 +1100
Package: dpkg
Version: 1.16.1.2
Tags: bug, security

This doesn't seem to be a vulnerability, but more of a bug.
Best that the devs look at it rather than me, though.

I'm using v1.16.1.2ubuntu7.5, but it is probably there in more recent
versions.



With the control file:

> : 1
> a: %s

dpkg-deb --build will segfault.

It will not segfault if you put something before
> : 1
and will not segfault if
> a: %s
does not contain a "%" symbol.

Here's a gdb backtrace:

> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>,
> format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
> 1630    vfprintf.c: No such file or directory.
> (gdb) bt
> #0  0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>,
> format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
> #1  0x00007ffff76fd3e0 in ___vsnprintf_chk (s=0x7fffffffd640 "parsing
> file 'lol/DEBIAN/control' near line 2 package '1:%s':\n 'must start
> with an alphanumeric' is not a valid architecture name: \367\377\177",
>     maxlen=<optimised out>, flags=1, slen=<optimised out>,
> format=0x649940 "parsing file 'lol/DEBIAN/control' near line 2 package
> '1:%s':\n '%s' is not a valid architecture name: %s", args=0x7fffffffda68)
>     at vsnprintf_chk.c:65
> #2  0x0000000000414b27 in vsnprintf (__ap=<optimised out>,
> __fmt=<optimised out>, __n=1024,
>     __s=0x7fffffffd640 "parsing file 'lol/DEBIAN/control' near line 2
> package '1:%s':\n 'must start with an alphanumeric' is not a valid
> architecture name: \367\377\177") at
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:78
> #3  warningv (fmt=<optimised out>, args=<optimised out>) at ehandle.c:392
> #4  0x0000000000422199 in parse_warn (ps=<optimised out>,
> fmt=<optimised out>) at parsehelp.c:75
> #5  0x000000000041db26 in parse_stanza (ps=0x7fffffffddf0,
> fs=0x7fffffffde30, parse_field=0x41bbe0 <pkg_parse_field>,
> parse_obj=0x7fffffffde70) at parse.c:478
> #6  0x000000000041ebb6 in parsedb (filename=0x65e120
> "lol/DEBIAN/control", flags=<optimised out>, donep=0x7fffffffdfe0) at
> parse.c:547
> #7  0x0000000000404004 in check_new_pkg (dir=0x7fffffffe3c5 "lol") at
> build.c:335
> #8  do_build (argv=<optimised out>) at build.c:436
> #9  0x00000000004029e1 in main (argc=<optimised out>,
> argv=0x7fffffffe168) at main.c:206
> #10 0x00007ffff761576d in __libc_start_main (main=0x402860 <main>,
> argc=3, ubp_av=0x7fffffffe158, init=<optimised out>, fini=<optimised
> out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe148) at
> libc-start.c:226
> #11 0x0000000000402ac5 in _start ()

A quick guess is that because the
> : 1
part of the file does not have a 'name', it tries to call a NULL.
Somebody should check if I'm right, though.




Thanks,
-- 
-- Joshua Rogers <https://internot.info/>


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#769111; Package dpkg. (Tue, 11 Nov 2014 13:45:05 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Tue, 11 Nov 2014 13:45:06 GMT)


Message #10 received at 769111@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Joshua Rogers <megamansec@gmail.com>, 769111@bugs.debian.org
Subject: Re: Bug#769111: dpkg bug/vuln v2
Date: Tue, 11 Nov 2014 14:41:30 +0100
Control: clone -1 -2
Control: retitle -1 dpkg: Control parser segfaults on empty field names
Control: fixed -1 1.17.2
Control: retitle -2 dpkg: Control parser incorrectly matches on partial field names
Control: tags -2

Hi!

On Tue, 2014-11-11 at 23:13:09 +1100, Joshua Rogers wrote:
> Package: dpkg
> Version: 1.16.1.2
> Tags: bug, security
> 
> This doesn't seem to be a vulnerability, but more of a bug..
> Best that the devs look at it rather than me, though.
> 
> I'm using v1.16.1.2ubuntu7.5, but it is probably there in more recent
> versions

Part of this got fixed in 1.17.2, but it's still there in the latest
release in the 1.16.x branch. I'll queue the fix for that one.

> With the control file:
> 
> > : 1
> > a: %s
> 
> dpkg-deb --build will segfault.
> 
> It will not segfault if you put something before
> > : 1
> and will not segfault if

This is the empty field issue. With a new enough dpkg it says this
instead:

  $ dpkg-deb -b pkg-bogus-field
  dpkg-deb: error: parsing file 'pkg-bogus-field/DEBIAN/control' near line 0:
   empty field name

> > a: %s
> does not contain a "%" symbol.

This is just the format string issue reported before, it affects only
the Package and Architecture fields. The problem here is that the
parser is matching partial strings against field names, so that's
wrong, and I'm fixing this separately.

Thanks,
Guillem
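The two parser defects Guillem separates above (an empty field name, and a partial field-name match that lets "a: %s" reach the architecture check and its warning), shown side by side in C as an added illustration. This is not dpkg's code: the field table, lookup_partial, lookup_exact, classify_line and format_arch_warning are hypothetical stand-ins for the libdpkg routines, and the control lines are constructed from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical field table standing in for libdpkg's (illustration only). */
static const char *known_fields[] = { "Package", "Version", "Architecture" };
#define NFIELDS (sizeof(known_fields) / sizeof(known_fields[0]))

/* Partial lookup: compares only `len` bytes, so field "a" resolves to "Architecture". */
const char *lookup_partial(const char *name, size_t len)
{
    for (size_t i = 0; i < NFIELDS; i++)
        if (strncasecmp(known_fields[i], name, len) == 0)
            return known_fields[i];
    return NULL;
}

/* Exact lookup: the candidate must also be exactly `len` bytes long. */
const char *lookup_exact(const char *name, size_t len)
{
    for (size_t i = 0; i < NFIELDS; i++)
        if (strlen(known_fields[i]) == len &&
            strncasecmp(known_fields[i], name, len) == 0)
            return known_fields[i];
    return NULL;
}

/* "Name: value" -> canonical field, "" for an empty name (rejected before
 * any lookup, as dpkg >= 1.17.2 does), NULL when the field is unknown. */
const char *classify_line(const char *line, int exact)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return NULL;
    size_t len = (size_t)(colon - line);
    if (len == 0)
        return "";
    return exact ? lookup_exact(line, len) : lookup_partial(line, len);
}

/* Pass the value as a printf argument, never spliced into the format
 * string, so a field value such as "%s" stays literal text. */
int format_arch_warning(char *out, size_t n, const char *value)
{
    return snprintf(out, n, "'%s' is not a valid architecture name", value);
}
```

With exact matching, "a: %s" is simply an unknown field and never reaches the architecture validation, which is why the partial-match fix closes the path the backtrace shows.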



Bug 769111 cloned as bug 769119 Request was from Guillem Jover <guillem@debian.org> to 769111-submit@bugs.debian.org. (Tue, 11 Nov 2014 13:45:06 GMT)


Changed Bug title to 'dpkg: Control parser incorrectly matches on partial field names' from 'dpkg bug/vuln v2' Request was from Guillem Jover <guillem@debian.org> to 769111-submit@bugs.debian.org. (Tue, 11 Nov 2014 13:45:08 GMT)


Marked as found in versions 1.10. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Tue, 11 Nov 2014 14:09:08 GMT)


Removed tag(s) security. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Tue, 11 Nov 2014 16:54:23 GMT)


Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Wed, 26 Nov 2014 20:18:42 GMT)


Message sent on to Joshua Rogers <megamansec@gmail.com>:
Bug#769119. (Wed, 26 Nov 2014 20:19:22 GMT)


Message #23 received at 769119-submitter@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 769119-submitter@bugs.debian.org
Subject: Bug#769119 marked as pending
Date: Wed, 26 Nov 2014 20:14:56 +0000
tag 769119 pending
thanks

Hello,

Bug #769119 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=611305e

---
commit 611305ef0e85092cc24887e040c19e9e808dd633
Author: Guillem Jover <guillem@debian.org>
Date:   Tue Nov 11 17:37:04 2014 +0100

    libdpkg: Do not match partial field names in control files
    
    There is currently no instance of any misspelled field names known to
    dpkg in Debian. Only known field names are possibly affected.
    
    Regression introduced in commit 864e230e90de1cef94c81f10582e6d99717d593b.
    
    Closes: #769119

diff --git a/debian/changelog b/debian/changelog
index a1cad38..817ef06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ dpkg (1.17.22) UNRELEASED; urgency=low
     and they come from the package fields, which are under user control.
     Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
     Reported by Joshua Rogers <megamansec@gmail.com>.
+  * Do not match partial field names in control files. Closes: #769119
+    Regression introduced in dpkg 1.10.
 
   [ Updated programs translations ]
   * German (Sven Joachim).
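Review bot: the new entry `+  * Do not match partial field names in control files. Closes: #769119` omits the reporter credit that the CVE-2014-8625 entry directly above it carries (`Reported by Joshua Rogers <megamansec@gmail.com>.`), even though #769119 was cloned from the same reporter's bug; add the matching attribution line for consistency. The hunk touches only debian/changelog, so the libdpkg parser change named in the commit subject is not visible here and cannot be reviewed from this diff alone.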



Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Fri, 28 Nov 2014 03:21:47 GMT)


Notification sent to Joshua Rogers <megamansec@gmail.com>:
Bug acknowledged by developer. (Fri, 28 Nov 2014 03:21:47 GMT)


Message #28 received at 769119-close@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 769119-close@bugs.debian.org
Subject: Bug#769119: fixed in dpkg 1.17.22
Date: Fri, 28 Nov 2014 03:19:16 +0000
Source: dpkg
Source-Version: 1.17.22

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 769119@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 28 Nov 2014 02:02:34 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source all
Version: 1.17.22
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 752123 766724 766758 767573 767918 767934 768485 768599 768852 769119 769211 769843 770280 771237 771255 771256
Changes:
 dpkg (1.17.22) unstable; urgency=low
 .
   [ Guillem Jover ]
   * Add version introducing --ctrl-tarfile in dpkg-deb(1) man page.
   * Bump minimal version for dir_to_symlink and symlink_to_dir commands
     to 1.17.14 in dpkg-maintscript-helper(1) man page. Closes: #769843
   * Reintroduce update-alternatives, dpkg-divert and dpkg-statoverride
     compatibility symlinks under /usr/sbin/. There are still packages
     using those paths, but the relevant lintian check did not list any,
     so this got removed prematurely.
   * Add Breaks on old man-db, fontconfig and readahead-fedora packages using
     awaiting triggers, as they produce trigger cycles. Closes: #768599
   * Escape package and architecture names on control file parsing warning,
     as those get injected into a variable that is used as a format string,
     and they come from the package fields, which are under user control.
     Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
     Reported by Joshua Rogers <megamansec@gmail.com>.
   * Do not match partial field names in control files. Closes: #769119
     Regression introduced in dpkg 1.10.
   * Fix build on Mac OS X. Regression introduced in dpkg 1.17.11.
     Reported by Dominyk Tiller <dominyktiller@gmail.com>.
   * Normalize tar entry uid and gid from the current system only in dpkg
     unpack. Regression introduced in dpkg 1.17.14. Closes: #769211
   * Restore multiple processing instances check for packages and archives
     specified on the command-line. Regression introduced in dpkg 1.17.20.
   * Fail on trigger processing when it is required to progress. Trigger
     processing is sometimes required and sometimes opportunistic, and we
     should only fail on the former but ignore the latter. Closes: #768852
   * Do not ignore trigger cycles for direct dependencies, these are just
     normal trigger cycles, and as such should not be special cased.
   * Register all pending triggers for deferred processing when being called
     as «dpkg --configure pkgname…». This is a mostly conformant workaround
     for frontends like apt that do not correctly call «dpkg --configure -a»
     or «dpkg --triggers-only -a» after their normal runs, and leave packages
     in triggers-pending and triggers-awaited states. Closes: #766758
 .
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
   * Danish (Joe Dalton).
   * French (Sébastien Poher).
   * German (Sven Joachim).
   * Japanese (Kenshi Muto). Closes: #771255
   * Polish (Łukasz Dulny).
   * Simplified Chinese (Zhou Mo). Closes: #766724, #770280
   * Swedish (Peter Krefting).
   * Turkish (Mert Dirik).
   * Vietnamese (Trần Ngọc Quân)
 .
   [ Updated scripts translations ]
   * French (Sébastien Poher).
   * German (Helge Kreutzmann).
   * Swedish (Peter Krefting).
 .
   [ Updated manpages translations ]
   * French (Sébastien Poher). Closes: #767934
   * German (Helge Kreutzmann). Closes: #752123
   * Simplified Chinese (Zhou Mo). Closes: #767573
   * Swedish (Peter Krefting).
 .
   [ Updated dselect translations ]
   * Danish (Joe Dalton).
   * Dutch (Frans Spiesschaert). Closes: #771237
   * French (Sébastien Poher). Closes: #767918
   * Japanese (Kenshi Muto). Closes: #771256
   * Swedish (Peter Krefting).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Jan 2015 07:26:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 26 07:18:43 2025; Machine Name: buxtehude
