[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability

Hi!

On Sat, 2014-11-29 at 00:43:06 +1100, Joshua Rogers wrote:
> Package: dpkg
> Version: 1.17.22-1
> Tags: bug

The correct address so submit bug reports is submit@bugs.debian.org.

> Using AddressSanitizer I have found an Out-of-Bounds(?) vulnerability in
> dpkg.
> 
> The vulnerable code is in lib/dpkg/parse.c, on line 135.
> 
> 133:  for (fip = fieldinfos, ip = fs->fieldencountered; fip->name;
> fip++, ip++)
> 134:    if (strncasecmp(fip->name, fs->fieldstart, fs->fieldlen) == 0 &&
> 135:        fip->name[fs->fieldlen] == '\0')
> 136:      break;

Hmm, yeah assuming the fs->fieldstart is a superset of fip->name, then
there might be an out of bounds *read* access, but I don't see how that
would be a vulnerability. I'll fix this for 1.17.23.

Thanks,
Guillem
Reply to: