Bug#882175: marked as done (busybox: out-of-bounds read in get_header_ar())

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 12 Jan 2022 12:06:22 +0100
with message-id <3581500.OEUHVdaxbK@bagend>
and subject line Re: busybox: out-of-bounds read in get_header_ar()
has caused the Debian Bug report #882175,
regarding busybox: out-of-bounds read in get_header_ar()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882175
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: busybox: out-of-bounds read in get_header_ar()
• From: Jakub Wilk <jwilk@jwilk.net>
• Date: Sun, 19 Nov 2017 22:30:27 +0100
• Message-id: <20171119213027.d6mw5ykhlwlkfvx4@jwilk.net>

Package: busybox
Version: 1:1.27.2-1

Apparently an out-of-bounds read can happen when unpacking ar archives:

  $ valgrind -q -- busybox ar p oob.ar > /dev/null
  ==2180== Invalid read of size 1
  ==2180==    at 0x4831403: __GI_strlen (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==2180==    by 0x48B9F5A: strdup (strdup.c:41)
  ==2180==    by 0x1108BC: xstrdup (xfuncs_printf.c:81)
  ==2180==    by 0x15C560: get_header_ar (get_header_ar.c:116)
  ==2180==    by 0x15C26F: unpack_ar_archive (unpack_ar_archive.c:20)
  ==2180==    by 0x14D956: ar_main (ar.c:291)
  ==2180==    by 0x10F788: run_applet_no_and_exit (appletlib.c:916)
  ==2180==    by 0x10FA50: run_applet_and_exit (appletlib.c:934)
  ==2180==    by 0x10FA38: busybox_main (appletlib.c:875)
  ==2180==    by 0x10FA38: run_applet_and_exit (appletlib.c:927)
  ==2180==    by 0x10FADC: main (appletlib.c:1032)
  ==2180==  Address 0x4a0715c is 0 bytes after a block of size 4 alloc'd
  ==2180==    at 0x482E2BC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
  ==2180==    by 0x110847: xmalloc (xfuncs_printf.c:47)
  ==2180==    by 0x15C4A0: get_header_ar (get_header_ar.c:86)
  ==2180==    by 0x15C26F: unpack_ar_archive (unpack_ar_archive.c:20)
  ==2180==    by 0x14D956: ar_main (ar.c:291)
  ==2180==    by 0x10F788: run_applet_no_and_exit (appletlib.c:916)
  ==2180==    by 0x10FA50: run_applet_and_exit (appletlib.c:934)
  ==2180==    by 0x10FA38: busybox_main (appletlib.c:875)
  ==2180==    by 0x10FA38: run_applet_and_exit (appletlib.c:927)
  ==2180==    by 0x10FADC: main (appletlib.c:1032)
  ...

Found using American Fuzzy Lop:
http://lcamtuf.coredump.cx/afl/


-- System Information:
Architecture: i386

Versions of packages busybox depends on:
ii  libc6  2.25-1

--
Jakub Wilk

Attachment: oob.ar
Description: Binary data

--- End Message ---

--- Begin Message ---

• To: 882175-done@bugs.debian.org
• Subject: Re: busybox: out-of-bounds read in get_header_ar()
• From: Diederik de Haas <didi.debian@cknow.org>
• Date: Wed, 12 Jan 2022 12:06:22 +0100
• Message-id: <3581500.OEUHVdaxbK@bagend>
• In-reply-to: <20171119213027.d6mw5ykhlwlkfvx4@jwilk.net>

Version: 1:1.30.1-1

This was fixed in upstream commit 0a90960f446ebaf062244afbc626546b14689e0a and 
part of the upstream 1.29.0 release. The first version uploaded to Debian with 
that fix was 1:1.30.1-1, so close it with that version.

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---