Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
On Fri, 2014-11-28 at 15:14:58 +0100, Guillem Jover wrote:
> On Sat, 2014-11-29 at 00:43:06 +1100, Joshua Rogers wrote:
> > Package: dpkg
> > Version: 1.17.22-1
> > Tags: bug
> The correct address so submit bug reports is email@example.com.
Just to clarify this, bug reports on the list are also welcome, but
given the pseudo-header there I guess this one was just misdirected.
> > Using AddressSanitizer I have found an Out-of-Bounds(?) vulnerability in
> > dpkg.
> > The vulnerable code is in lib/dpkg/parse.c, on line 135.
> > 133: for (fip = fieldinfos, ip = fs->fieldencountered; fip->name;
> > fip++, ip++)
> > 134: if (strncasecmp(fip->name, fs->fieldstart, fs->fieldlen) == 0 &&
> > 135: fip->name[fs->fieldlen] == '\0')
> > 136: break;
> Hmm, yeah assuming the fs->fieldstart is a superset of fip->name, then
> there might be an out of bounds *read* access, but I don't see how that
> would be a vulnerability. I'll fix this for 1.17.23.
This and all other such instances in the code base.