
Bug#233678: marked as done (apt: Buffer length not checked: SysList[GlobalListLen])

Your message dated Thu, 26 Feb 2004 20:47:05 -0500
with message-id <E1AwX5l-00071P-00@newraff.debian.org>
and subject line Bug#233678: fixed in apt 0.5.23
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 19 Feb 2004 12:05:48 +0000
From gpk@gpk.wftp.org Thu Feb 19 04:05:48 2004
Return-path: <gpk@gpk.wftp.org>
Received: from mta04-svc.ntlworld.com [] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Atmw7-0001Td-00; Thu, 19 Feb 2004 04:05:47 -0800
Received: from localhost ([]) by mta04-svc.ntlworld.com
          (InterMail vM. 201-229-121-137-20020806) with ESMTP
          id <20040219120454.HVGD559.mta04-svc.ntlworld.com@localhost>
          for <submit@bugs.debian.org>; Thu, 19 Feb 2004 12:04:54 +0000
Received: from gpk by localhost with local (Exim 3.35 #1 (Debian))
	id 1AtmvE-0003g3-00; Thu, 19 Feb 2004 12:04:52 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Greg Kochanski <gpk@kochanski.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt: Buffer length not checked: SysList[GlobalListLen]
X-Mailer: reportbug 2.39
Date: Thu, 19 Feb 2004 12:04:52 +0000
Message-Id: <E1AtmvE-0003g3-00@localhost>
Sender: Greg Kochanski <gpk@gpk.wftp.org>
X-Spam-Prob: -35.01743
X-Spam-Rating: 3
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_18 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=HAS_PACKAGE autolearn=no 

Package: apt
Version: 0.5.21
Severity: normal

On line 31 of .../apt-pkg/pkgsystem.cc, the constructor
uses SysList[GlobalListLen] and increments
on the next line, without checking to see if GlobalListLen
is too big for the buffer (SysList[10], defined a few lines above).

I don't think this is a security problem, but it ought to be
cleaned up.

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";

-- (no /etc/apt/preferences present) --

-- /etc/apt/sources.list --

deb ftp://ftp.uk.debian.org/debian/ testing main non-free contrib
deb-src ftp://ftp.uk.debian.org/debian/ testing main non-free contrib
# deb http://mirror.ox.ac.uk/debian testing main contrib non-free
# deb-src http://mirror.ox.ac.uk/debian testing main contrib non-free
deb http://mirror.ox.ac.uk/debian-non-US testing/non-US main contrib non-free
deb-src http://mirror.ox.ac.uk/debian-non-US testing/non-US main contrib non-free
# deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free
# deb-src http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

# deb http://mirrors.kernel.org/debian/ testing main non-free contrib
# deb-src http://mirrors.kernel.org/debian/ testing main non-free contrib

deb http://security.debian.org/ testing/updates main contrib non-free

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux gpk 2.4.23 #2 Sun Dec 7 11:46:58 GMT 2003 i686

Versions of packages apt depends on:
ii  libc6                      2.3.2.ds1-11  GNU C Library: Shared libraries an
ii  libgcc1                    1:3.3.3-0pre3 GCC support library
ii  libstdc++5                 1:3.3.3-0pre3 The GNU Standard C++ Library v3

-- no debconf information

Received: (at 233678-close) by bugs.debian.org; 27 Feb 2004 01:53:12 +0000
From katie@ftp-master.debian.org Thu Feb 26 17:53:12 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AwXBg-0002w3-00; Thu, 26 Feb 2004 17:53:12 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1AwX5l-00071P-00; Thu, 26 Feb 2004 20:47:05 -0500
From: Matt Zimmerman <mdz@debian.org>
To: 233678-close@bugs.debian.org
X-Katie: $Revision: 1.43 $
Subject: Bug#233678: fixed in apt 0.5.23
Message-Id: <E1AwX5l-00071P-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 26 Feb 2004 20:47:05 -0500
Delivered-To: 233678-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_22 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=HAS_BUG_NUMBER autolearn=no 

Source: apt
Source-Version: 0.5.23

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

  to pool/main/a/apt/apt-doc_0.5.23_all.deb
  to pool/main/a/apt/apt-utils_0.5.23_i386.deb
  to pool/main/a/apt/apt_0.5.23.dsc
  to pool/main/a/apt/apt_0.5.23.tar.gz
  to pool/main/a/apt/apt_0.5.23_i386.deb
  to pool/main/a/apt/libapt-pkg-dev_0.5.23_i386.deb
  to pool/main/a/apt/libapt-pkg-doc_0.5.23_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 233678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Matt Zimmerman <mdz@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 26 Feb 2004 17:08:14 -0800
Source: apt
Binary: apt-utils libapt-pkg-doc libapt-pkg-dev apt-doc apt
Architecture: source all i386
Version: 0.5.23
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Matt Zimmerman <mdz@debian.org>
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 214842 233669 233678 233681 234186 234494 234737 234886
 apt (0.5.23) unstable; urgency=low
   * Cosmetic updates to XML man pages from Richard Bos <radoeka@xs4all.nl>
   * Use the 'binary' target rather than 'all' so that the ssh and bzip2
     symlinks are created correctly (thanks to Adam Heath)
     (Closes: #214842)
   * Updated Simplified Chinese translation of message catalog from Tchaikov
     <chaisave@263.net> (Closes: #234186)
   * Change default for Acquire::http::max-age to 0 to prevent index files
     being out of sync with each other (important with Release.gpg)
   * Add an assert() to make sure that we don't overflow a fixed-size
     buffer in the very unlikely event that someone adds 10 packaging
     systems to apt (Closes: #233678)
   * Fix whitespace in French translation of "Yes, do as I say!", which
     made it tricky to type, again.  Thanks to Sylvain Pasche
     <sylvain.pasche@switzerland.org> (Closes: #234494)
   * Print a slightly clearer error message if no packaging systems are
     available (Closes: #233681)
   * Point to Build-Depends in COMPILING (Closes: #233669)
   * Make debian/rules a bit more consistent in a few places.
     Specifically, always use -p$@ rather than an explicit package name,
     and always specify it first, and use dh_shlibdeps -l uniformly rather
     than sometimes changing LD_LIBRARY_PATH directly
   * Document unit for Cache-Limit (bytes) (Closes: #234737)
   * Don't translate "Yes, do as I say!" in Chinese locales, because it can
     be difficult to input (Closes: #234886)

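The registration pattern the report describes (a constructor storing into SysList[GlobalListLen] and incrementing with no length check) and the bounds check the 0.5.23 changelog entry adds, as an added example written for this page, not apt's own pkgsystem.cc; the pkgSystem stand-in, RegisterSystem and ConstructSystems are assumed names, and only SysList and GlobalListLen come from the report.

```cpp
// Added example, not apt's code: a stand-in for the pkgSystem constructor
// registering itself in the fixed-size SysList that Bug#233678 describes.
#include <cstddef>

class pkgSystem;

const std::size_t MaxSystems = 10;        // SysList[10] in the report
static pkgSystem *SysList[MaxSystems];
static std::size_t GlobalListLen = 0;     // slots used so far

// Stores Sys in the next free slot; returns false and writes nothing when
// the table is full. The reported code did the store and the increment
// unconditionally, so an 11th construction wrote one pointer past the end
// of SysList into whatever the linker placed after it.
static bool RegisterSystem(pkgSystem *Sys) {
    if (GlobalListLen >= MaxSystems)
        return false;
    SysList[GlobalListLen] = Sys;
    GlobalListLen++;
    return true;
}

class pkgSystem {
public:
    const char *Label;
    bool Registered;                      // did the registry accept us?

    explicit pkgSystem(const char *label)
        : Label(label), Registered(RegisterSystem(this)) {
        // apt 0.5.23 closes the bug with an assert() here; the test inside
        // RegisterSystem also holds when NDEBUG compiles assert() away.
    }
};

// Constructs Count systems and returns how many the registry accepted.
// Accepted objects stay alive because SysList points at them (apt's own
// instances are static objects that live for the whole program).
static std::size_t ConstructSystems(std::size_t Count) {
    std::size_t Accepted = 0;
    for (std::size_t i = 0; i < Count; i++) {
        pkgSystem *Sys = new pkgSystem("stand-in");
        if (Sys->Registered)
            Accepted++;
        else
            delete Sys;                   // rejected: nothing points at it
    }
    return Accepted;
}
```

Constructing twelve systems registers exactly ten; the two rejected ones are discarded instead of overwriting the variable that follows SysList.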