
dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
Package: dpkg
Version: 1.17.22-1
Tags: bug


Hi,

Using AddressSanitizer I have found an Out-of-Bounds(?) vulnerability in
dpkg.

The vulnerable code is in lib/dpkg/parse.c, on line 135.

133:  for (fip = fieldinfos, ip = fs->fieldencountered; fip->name; fip++, ip++)
134:    if (strncasecmp(fip->name, fs->fieldstart, fs->fieldlen) == 0 &&
135:        fip->name[fs->fieldlen] == '\0')
136:      break;

I'm not familiar with AddressSanitizer's use of wording (it says
'global-buffer-overflow', but
https://code.google.com/p/address-sanitizer/wiki/ExampleGlobalOutOfBounds says
OutofBounds) when it comes to vulns, so I'll just paste the results:

> =================================================================
> ==12299==ERROR: AddressSanitizer: global-buffer-overflow on address
> 0x000000483a4d at pc 0x43cd9d bp 0x7fff3d4e42d0 sp 0x7fff3d4e42c8
> READ of size 1 at 0x000000483a4d thread T0
>     #0 0x43cd9c in pkg_parse_field ../../../lib/dpkg/parse.c:135
>     #1 0x43cd9c in parse_stanza ../../../lib/dpkg/parse.c:707
>     #2 0x43cd9c in parsedb_parse ../../../lib/dpkg/parse.c:781
>     #3 0x43def6 in parsedb ../../../lib/dpkg/parse.c:831
>     #4 0x407be9 in check_new_pkg ../../dpkg-deb/build.c:347
>     #5 0x407be9 in do_build ../../dpkg-deb/build.c:441
>     #6 0x4055e7 in main ../../dpkg-deb/main.c:272
>     #7 0x7fc088b2876c in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
>     #8 0x407454 (/root/dpkg/build-tree/dpkg-deb/dpkg-deb+0x407454)
>
> 0x000000483a4d is located 51 bytes to the left of global variable
> '*.LC72' from '../../../lib/dpkg/parse.c' (0x483a80) of size 13
>   '*.LC72' is ascii string 'Architecture'
> 0x000000483a4d is located 8 bytes to the right of global variable
> '*.LC71' from '../../../lib/dpkg/parse.c' (0x483a40) of size 5
>   '*.LC71' is ascii string 'Bugs'
> SUMMARY: AddressSanitizer: global-buffer-overflow
> ../../../lib/dpkg/parse.c:135 pkg_parse_field


Here's a base64 of the control file (base64'd due to the \00's in it):
Thanks,
-- 
-- Joshua Rogers <https://internot.info/>
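As an added illustration (not dpkg's code), the comparison quoted from parse.c above rebuilt as a stand-alone lookup next to a hardened version; the field table and the inputs are constructed for the demonstration, and the way the embedded NUL defeats strncasecmp() follows from the ASan report ('Bugs' is 5 bytes, the read lands 8 bytes past it).

```c
/* Added example, not dpkg's own code: the field-name lookup shape from
 * lib/dpkg/parse.c as a stand-alone function, with the original check
 * and a hardened one side by side. Table and inputs are constructed. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for dpkg's fieldinfos[] (names only). */
static const char *const field_names[] = { "Bugs", "Architecture", "Homepage", NULL };

/* Original shape of the check. strncasecmp() stops at the first NUL in
 * either string, so a field "Bugs\0........" with fieldlen 13 compares
 * equal to "Bugs", and name[13] is then read past the 5-byte literal.
 * Only safe to call with NUL-free input of length <= strlen(name). */
int find_field_original(const char *fieldstart, size_t fieldlen)
{
    for (int i = 0; field_names[i]; i++)
        if (strncasecmp(field_names[i], fieldstart, fieldlen) == 0 &&
            field_names[i][fieldlen] == '\0')
            return i;
    return -1;
}

/* Hardened lookup: reject embedded NULs up front (the root cause) and
 * require equal lengths before comparing, so no index ever goes past
 * the end of the table entry. */
int find_field_hardened(const char *fieldstart, size_t fieldlen)
{
    if (memchr(fieldstart, '\0', fieldlen) != NULL)
        return -1;  /* a field name can never contain a NUL byte */
    for (int i = 0; field_names[i]; i++)
        if (strlen(field_names[i]) == fieldlen &&
            strncasecmp(field_names[i], fieldstart, fieldlen) == 0)
            return i;
    return -1;
}

/* Reports whether the original check would index past a table entry for
 * this input, computed arithmetically so nothing is read out of bounds. */
int original_would_overread(const char *fieldstart, size_t fieldlen)
{
    for (int i = 0; field_names[i]; i++)
        if (strncasecmp(field_names[i], fieldstart, fieldlen) == 0 &&
            fieldlen > strlen(field_names[i]))
            return 1;
    return 0;
}
```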
