
Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability



On Fri, 2014-11-28 at 15:14:58 +0100, Guillem Jover wrote:
> On Sat, 2014-11-29 at 00:43:06 +1100, Joshua Rogers wrote:
> > Package: dpkg
> > Version: 1.17.22-1
> > Tags: bug
> 
> The correct address to submit bug reports is submit@bugs.debian.org.

Just to clarify this, bug reports on the list are also welcome, but
given the pseudo-header there I guess this one was just misdirected.

> > Using AddressSanitizer I have found an Out-of-Bounds(?) vulnerability in
> > dpkg.
> > 
> > The vulnerable code is in lib/dpkg/parse.c, on line 135.
> > 
> > 133:  for (fip = fieldinfos, ip = fs->fieldencountered; fip->name; fip++, ip++)
> > 134:    if (strncasecmp(fip->name, fs->fieldstart, fs->fieldlen) == 0 &&
> > 135:        fip->name[fs->fieldlen] == '\0')
> > 136:      break;
> 
> Hmm, yeah assuming the fs->fieldstart is a superset of fip->name, then
> there might be an out of bounds *read* access, but I don't see how that
> would be a vulnerability. I'll fix this for 1.17.23.

This and all other such instances in the code base.

Thanks,
Guillem
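The lookup pattern quoted above, reduced to a stand-alone example (added here; this is constructed code, not dpkg's own, with a made-up field table standing in for `fieldinfos`). It shows the unsafe form beside a hardened one that checks the length before indexing `fip->name`; in C, `strncasecmp` stops at the first NUL in either string, so an input with an embedded NUL at the same offset as the end of `fip->name` makes the comparison succeed with `fieldlen` larger than the name, and the original index then reads past the string literal.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed field table standing in for dpkg's fieldinfos. */
struct fieldinfo { const char *name; };
static const struct fieldinfo fieldinfos[] = {
    { "Package" }, { "Version" }, { "Depends" }, { NULL },
};

/* Pattern as quoted in the report. strncasecmp() stops at the first NUL
 * in either string, so if fieldstart carries a NUL at the offset where
 * fip->name ends and fieldlen is larger than strlen(fip->name), the
 * comparison returns 0 and fip->name[fieldlen] reads past the end of the
 * string literal (the global-buffer-overflow ASan reports). Kept only
 * to show the bug; not exercised by the checks below. */
const struct fieldinfo *
lookup_field_unsafe(const char *fieldstart, size_t fieldlen)
{
    const struct fieldinfo *fip;
    for (fip = fieldinfos; fip->name; fip++)
        if (strncasecmp(fip->name, fieldstart, fieldlen) == 0 &&
            fip->name[fieldlen] == '\0')   /* out-of-bounds read possible */
            return fip;
    return NULL;
}

/* Hardened form: only a name of exactly fieldlen bytes can match, so the
 * table string is never indexed beyond its own length. */
const struct fieldinfo *
lookup_field_safe(const char *fieldstart, size_t fieldlen)
{
    const struct fieldinfo *fip;
    for (fip = fieldinfos; fip->name; fip++)
        if (strlen(fip->name) == fieldlen &&
            strncasecmp(fip->name, fieldstart, fieldlen) == 0)
            return fip;
    return NULL;
}

/* Index of the matched table entry, or -1 when nothing matches. */
int safe_field_index(const char *fieldstart, size_t fieldlen)
{
    const struct fieldinfo *fip = lookup_field_safe(fieldstart, fieldlen);
    return fip ? (int)(fip - fieldinfos) : -1;
}
```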
