
Bug#392663: apt: off-by-one errors in "extracttar.cc"



Package: apt
Version: 0.6.46.2
Severity: normal

Hello,

recently I discovered the following bits of code in
apt-inst/contrib/extracttar.cc:

// The on disk header for a tar file.
struct ExtractTar::TarHeader
{
   char Name[100];
   char Mode[8];
   ...
   char LinkName[100];
   char MagicNumber[8];
   ...
};

bool ExtractTar::Go(pkgDirStream &Stream)
{
    ...

      // Grab the filename
      if (LastLongName.empty() == false)
         Itm.Name = (char *)LastLongName.c_str();
      else
      {
         Tar->Name[sizeof(Tar->Name)] = 0;
         Itm.Name = Tar->Name;
      }
      if (Itm.Name[0] == '.' && Itm.Name[1] == '/' && Itm.Name[2] != 0)
         Itm.Name += 2;

      // Grab the link target
      Tar->Name[sizeof(Tar->LinkName)] = 0;
      Itm.LinkTarget = Tar->LinkName;

    ...
}

Both the 'Tar->Name[sizeof(Tar->Name)]' and the
'Tar->Name[sizeof(Tar->LinkName)]' assignments write a zero-byte just
_after_ the end of the corresponding buffer, causing a buffer
overflow.  Also, the second of these assignments looks like it was meant
to terminate the string in the 'Tar->LinkName' buffer, but fails to do
so.

I did not check whether these bugs are exploitable in any form, but
probably they should be fixed anyway.

I hope this helps,
Jochen

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- /etc/apt/sources.list --

# unstable
deb http://ftp.nl.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.nl.debian.org/debian/ unstable main contrib non-free

deb http://snapshot.debian.net/archive/date/3-weeks-ago/debian unstable main

# xine and mplayer stuff
deb http://www.debian-multimedia.org sid main
deb-src http://www.debian-multimedia.org sid main

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages apt depends on:
ii  debian-archive-keyring       2006.01.18  GnuPG archive keys of the Debian a
ii  libc6                        2.3.6.ds1-6 GNU C Library: Shared libraries
ii  libgcc1                      1:4.1.1-16  GCC support library
ii  libstdc++6                   4.1.1-16    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information
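
The two writes described in the report, replayed on a constructed header as an added example (not part of the original report and not apt's code). `DemoTarHeader`, `ApplyReportedTerminators`, `FieldToString` and `MakeFullHeader` are hypothetical names, and the struct holds only the fields the report quotes; the code shows that both assignments land on the first byte of `Mode` and leave `LinkName` unterminated, next to a bounded read that needs no terminator write.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed, abbreviated header: only the fields quoted in the report,
// with the elided ("...") fields left out. Not apt's full TarHeader.
struct DemoTarHeader {
    char Name[100];
    char Mode[8];
    char LinkName[100];
    char MagicNumber[8];
};

// Header offset of the byte written by `Tar->Name[sizeof(Tar->Name)] = 0`.
constexpr std::size_t kBuggyWriteOffset =
    offsetof(DemoTarHeader, Name) + sizeof(DemoTarHeader::Name);

// Replays both reported assignments through the header's byte view, so the
// demo stays well-defined even though index 100 is outside Name.
void ApplyReportedTerminators(DemoTarHeader &h) {
    unsigned char *raw = reinterpret_cast<unsigned char *>(&h);
    raw[offsetof(DemoTarHeader, Name) + sizeof(h.Name)] = 0;      // Name[sizeof(Name)]
    raw[offsetof(DemoTarHeader, Name) + sizeof(h.LinkName)] = 0;  // Name[sizeof(LinkName)]
}

// Bounded read of a fixed-width field: stops at the first NUL or after N bytes.
template <std::size_t N>
std::string FieldToString(const char (&field)[N]) {
    const char *nul = static_cast<const char *>(std::memchr(field, 0, N));
    return std::string(field, nul ? static_cast<std::size_t>(nul - field) : N);
}

// Constructed sample: Name and LinkName use all 100 bytes, so neither has a NUL.
DemoTarHeader MakeFullHeader() {
    DemoTarHeader h;
    std::memset(h.Name, 'A', sizeof(h.Name));
    std::memcpy(h.Mode, "0000644", sizeof(h.Mode));
    std::memset(h.LinkName, 'B', sizeof(h.LinkName));
    std::memcpy(h.MagicNumber, "ustar  ", sizeof(h.MagicNumber));
    return h;
}

int main() {
    DemoTarHeader h = MakeFullHeader();
    ApplyReportedTerminators(h);
    std::printf("write at +%zu, Mode at +%zu, Mode[0]=%d, LinkName[99]=%c\n",
                kBuggyWriteOffset, offsetof(DemoTarHeader, Mode), h.Mode[0], h.LinkName[99]);
}
```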


