[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#364513: apt: Buffer overflow in pkgDPkgPM::Go.

Package: apt
Severity: normal
Tags: patch


The method pkgDPkgPM::Go in apt-pkg/deb/dpkgpm.cc contains the following

  char* list[4];
  TokSplitString(':', line, list, 5);

Since the last argument to TokSplitString is the number of elements in
the list, the code can cause a buffer overflow. I suggest the attached

The bug has caused aptitude to segfault on my system under some rare
circumstances which I cannot quite pin down, unfortunately. I don't know
a reliable way to reproduce the segfault, but hope to convince you that
the current code is incorrect anyway. ;-)


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-1-amd64-k8
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages apt depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  libgcc1                       1:4.1.0-1  GCC support library
ii  libstdc++6                    4.1.0-1    The GNU Standard C++ Library v3

Versions of packages apt recommends:
ii  debian-archive-keyring        2006.01.18 GnuPG archive keys of the Debian a

-- no debconf information
--- apt-pkg/deb/dpkgpm.cc~	2005-10-19 21:19:08.000000000 +0200
+++ apt-pkg/deb/dpkgpm.cc	2006-04-24 00:09:46.000000000 +0200
@@ -623,8 +623,8 @@
 	    'status: conffile-prompt: conffile : 'current-conffile' 'new-conffile' useredited distedited
-	 char* list[4];
-	 TokSplitString(':', line, list, 5);
+	 char* list[5];
+	 TokSplitString(':', line, list, sizeof(list)/sizeof(list[0]));
 	 char *pkg = list[1];
 	 char *action = _strstrip(list[2]);

Reply to: