Your message dated Sun, 23 Nov 2008 12:09:26 +0200
with message-id <49292BD6.3060107@gmail.com>
and subject line closing #392663
has caused the Debian Bug report #392663,
regarding apt: off-by-one errors in "extracttar.cc"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
392663: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392663
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: off-by-one errors in "extracttar.cc"
- From: Jochen Voss <voss@debian.org>
- Date: Thu, 12 Oct 2006 20:22:58 +0100
- Message-id: <20061012192258.11482.47628.reportbug@burmah.maths.warwick.ac.uk>
Package: apt
Version: 0.6.46.2
Severity: normal

Hello,

recently I discovered the following bits of code in apt-inst/contrib/extracttar.cc:

    // The on disk header for a tar file.
    struct ExtractTar::TarHeader
    {
       char Name[100];
       char Mode[8];
       ...
       char LinkName[100];
       char MagicNumber[8];
       ...
    };

    bool ExtractTar::Go(pkgDirStream &Stream)
    {
       ...
       // Grab the filename
       if (LastLongName.empty() == false)
          Itm.Name = (char *)LastLongName.c_str();
       else
       {
          Tar->Name[sizeof(Tar->Name)] = 0;
          Itm.Name = Tar->Name;
       }
       if (Itm.Name[0] == '.' && Itm.Name[1] == '/' && Itm.Name[2] != 0)
          Itm.Name += 2;

       // Grab the link target
       Tar->Name[sizeof(Tar->LinkName)] = 0;
       Itm.LinkTarget = Tar->LinkName;
       ...
    }

Both the 'Tar->Name[sizeof(Tar->Name)]' and the 'Tar->Name[sizeof(Tar->LinkName)]' assignments write a zero byte just _after_ the end of the corresponding buffer, causing a buffer overflow. Also, the second of these assignments looks like it was meant to terminate the string in the 'Tar->LinkName' buffer, but fails to do so. I did not check whether these bugs are exploitable in any form, but probably they should be fixed anyway.
I hope this helps,
Jochen

-- Package-specific info:
-- (no /etc/apt/preferences present) --

-- /etc/apt/sources.list --
# unstable
deb http://ftp.nl.debian.org/debian/ unstable main contrib non-free
deb-src http://ftp.nl.debian.org/debian/ unstable main contrib non-free
deb http://snapshot.debian.net/archive/date/3-weeks-ago/debian unstable main
# xine and mplayer stuff
deb http://www.debian-multimedia.org sid main
deb-src http://www.debian-multimedia.org sid main

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.13
Locale: LANG=en_GB.iso885915, LC_CTYPE=en_GB.iso885915 (charmap=ISO-8859-15)

Versions of packages apt depends on:
ii  debian-archive-keyring  2006.01.18   GnuPG archive keys of the Debian a
ii  libc6                   2.3.6.ds1-6  GNU C Library: Shared libraries
ii  libgcc1                 1:4.1.1-16   GCC support library
ii  libstdc++6              4.1.1-16     The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information
--- End Message ---
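The defect in the report above, and the bounded field extraction that avoids it, as an added example in C; this is not apt's code. The TarHeader struct is a constructed mirror of only the fields the report quotes (the `Pad` member stands in for the omitted ones), and the helper names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed mirror of the on-disk header fields the report quotes.
 * Assumption: Pad stands in for the real fields between Mode and LinkName. */
struct TarHeader {
    char Name[100];
    char Mode[8];
    char Pad[49];
    char LinkName[100];
    char MagicNumber[8];
};

/* Copy a fixed-width tar field, which need not be NUL-terminated, into a
 * caller-owned buffer and always terminate it. The header is read-only, so
 * nothing is ever written one past the field's end as in the original. */
static size_t tar_field_copy(const char *field, size_t field_len,
                             char *out, size_t out_len)
{
    size_t n = 0;
    while (n < field_len && field[n] != '\0')   /* bounded scan, no strlen */
        n++;
    if (n >= out_len)
        n = out_len - 1;                          /* truncate, never overflow out */
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

/* Extract Name and LinkName safely; returns the extracted name length. */
size_t tar_header_names(const struct TarHeader *hdr,
                        char *name, size_t name_len,
                        char *link, size_t link_len)
{
    size_t n = tar_field_copy(hdr->Name, sizeof hdr->Name, name, name_len);
    tar_field_copy(hdr->LinkName, sizeof hdr->LinkName, link, link_len);
    return n;
}

/* Where `Tar->Name[sizeof(Tar->Name)] = 0` and
 * `Tar->Name[sizeof(Tar->LinkName)] = 0` (both index 100) actually land:
 * one byte past Name, i.e. the first byte of Mode, not the end of LinkName. */
size_t offbyone_write_offset(void)
{
    return offsetof(struct TarHeader, Name) + sizeof(((struct TarHeader *)0)->Name);
}
```

With a 100-byte name that carries no terminator the original code has to write outside the field to make it a C string; the copy above never touches the header and still yields a terminated string in the caller's buffer.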
--- Begin Message ---
- To: 392663-done@bugs.debian.org
- Subject: closing #392663
- From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
- Date: Sun, 23 Nov 2008 12:09:26 +0200
- Message-id: <49292BD6.3060107@gmail.com>
Version: 0.7.18

Fixed at least in apt 0.7.18.

--
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian APT contributor

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---