Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability

To: debian-dpkg@lists.debian.org
Subject: Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
From: Joshua Rogers <megamansec@gmail.com>
Date: Sat, 29 Nov 2014 10:12:08 +1100
Message-id: <[🔎] 54790148.2020102@gmail.com>
In-reply-to: <[🔎] 20141128141458.GA1435@gaara.hadrons.org>
References: <[🔎] 54787BEA.8030305@gmail.com> <[🔎] 20141128141458.GA1435@gaara.hadrons.org>

On 29/11/14 01:14, Guillem Jover wrote:

Hmm, yeah assuming the fs->fieldstart is a superset of fip->name, then
there might be an out of bounds *read* access, but I don't see how that
would be a vulnerability. I'll fix this for 1.17.23.

I think it's just a 'by definition' vulnerability, e.g like heartbleed was an out of bounds read, sort of. But in this context, it's not serious at all.

Thanks,

--
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
  - From: Joshua Rogers <megamansec@gmail.com>
- Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
  - From: Guillem Jover <guillem@debian.org>

Prev by Date: problema creando repositorios
Previous by thread: Re: dpkg-deb "OutofBounds"/"global-buffer-overflow" vulnerability
Next by thread: problema creando repositorios
Index(es):
- Date
- Thread