Bug#392663: apt: off-by-one errors in "extracttar.cc"
Package: apt
Version: 0.6.46.2
Severity: normal
Hello,
recently I discovered the following bits of code in
apt-inst/contrib/extracttar.cc:
  // The on disk header for a tar file.
  struct ExtractTar::TarHeader
  {
     char Name[100];
     char Mode[8];
     ...
     char LinkName[100];
     char MagicNumber[8];
     ...
  };

  bool ExtractTar::Go(pkgDirStream &Stream)
  {
     ...
     // Grab the filename
     if (LastLongName.empty() == false)
        Itm.Name = (char *)LastLongName.c_str();
     else
     {
        Tar->Name[sizeof(Tar->Name)] = 0;
        Itm.Name = Tar->Name;
     }
     if (Itm.Name[0] == '.' && Itm.Name[1] == '/' && Itm.Name[2] != 0)
        Itm.Name += 2;

     // Grab the link target
     Tar->Name[sizeof(Tar->LinkName)] = 0;
     Itm.LinkTarget = Tar->LinkName;
     ...
  }
Both the 'Tar->Name[sizeof(Tar->Name)]' and the
'Tar->Name[sizeof(Tar->LinkName)]' assignments write a zero-byte just
_after_ the end of the corresponding buffer, causing a buffer
overflow. Also the second of these assignments looks like it was meant
to terminate the string in the 'Tar->LinkName' buffer, but fails to do
so.
I did not check whether these bugs are exploitable in any form, but
probably they should be fixed anyway.
I hope this helps,
Jochen
-- Package-specific info:
-- (no /etc/apt/preferences present) --
-- /etc/apt/sources.list --
# unstable
deb http://ftp.nl.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.nl.debian.org/debian/ unstable main contrib non-free
deb http://snapshot.debian.net/archive/date/3-weeks-ago/debian unstable main
# xine and mplayer stuff
deb http://www.debian-multimedia.org sid main
deb-src http://www.debian-multimedia.org sid main
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)
Versions of packages apt depends on:
ii debian-archive-keyring 2006.01.18 GnuPG archive keys of the Debian a
ii libc6 2.3.6.ds1-6 GNU C Library: Shared libraries
ii libgcc1 1:4.1.1-16 GCC support library
ii libstdc++6 4.1.1-16 The GNU Standard C++ Library v3
apt recommends no packages.
-- no debconf information
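
Added example, not part of the report above or of the apt source: it replays the two reported stores on a reduced header to show which byte they hit, then reads the fields with a bounded copy that never writes to the header. DemoTarHeader and all function names are hypothetical, and the fields the report elides with "..." are left out, so offsets differ from a real tar header.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Reduced header: only the four fields the report shows (assumption: the
// elided fields are simply dropped, so this is not the real on-disk layout).
struct DemoTarHeader {
    char Name[100];
    char Mode[8];
    char LinkName[100];
    char MagicNumber[8];
};

// Constructed sample: Name and LinkName use all 100 bytes with no NUL,
// which the tar format permits for full-length names.
DemoTarHeader MakeFullHeader() {
    DemoTarHeader h;
    std::memset(&h, 0, sizeof(h));
    std::memset(h.Name, 'a', sizeof(h.Name));
    std::memcpy(h.Mode, "0000644", 8);
    std::memset(h.LinkName, 'b', sizeof(h.LinkName));
    return h;
}

// Replays both reported stores by offset through an unsigned char view of
// the struct, so the demo itself stays well defined. Returns Mode[0].
char ModeByteAfterReportedWrites(DemoTarHeader &h) {
    unsigned char *raw = reinterpret_cast<unsigned char *>(&h);
    raw[offsetof(DemoTarHeader, Name) + sizeof(h.Name)] = 0;     // Name[sizeof(Name)]
    raw[offsetof(DemoTarHeader, Name) + sizeof(h.LinkName)] = 0; // Name[sizeof(LinkName)]
    return h.Mode[0];
}

// True if the field holds a NUL inside its own bounds.
bool IsTerminated(const char *field, std::size_t size) {
    return std::memchr(field, 0, size) != nullptr;
}

// Bounded read: copy at most `size` bytes, stopping at the first NUL.
std::string FieldToString(const char *field, std::size_t size) {
    const void *nul = std::memchr(field, 0, size);
    std::size_t len = nul ? static_cast<const char *>(nul) - field : size;
    return std::string(field, len);
}
```

Both stores land on offset 100, the first byte of the next field, and LinkName is left without a terminator; the bounded copy returns the full 100-byte names without modifying the header.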