Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
Hi!
On Sat, 2014-11-29 at 00:43:06 +1100, Joshua Rogers wrote:
> Package: dpkg
> Version: 1.17.22-1
> Tags: bug
The correct address so submit bug reports is submit@bugs.debian.org.
> Using AddressSanitizer I have found an Out-of-Bounds(?) vulnerability in
> dpkg.
>
> The vulnerable code is in lib/dpkg/parse.c, on line 135.
>
> 133: for (fip = fieldinfos, ip = fs->fieldencountered; fip->name;
> fip++, ip++)
> 134: if (strncasecmp(fip->name, fs->fieldstart, fs->fieldlen) == 0 &&
> 135: fip->name[fs->fieldlen] == '\0')
> 136: break;
Hmm, yeah assuming the fs->fieldstart is a superset of fip->name, then
there might be an out of bounds *read* access, but I don't see how that
would be a vulnerability. I'll fix this for 1.17.23.
Thanks,
Guillem
Reply to: