Bug#764442: apt: String overrun in RSHConn::WriteMsg() (transports rsh: and ssh:)
Package: apt
Version: 1.0.9.2
Severity: normal
Dear Maintainer,

In examining the sources in method/rsh.cc I ran across the function
RSHConn::WriteMsg(....)

The first thing it does is make a buffer of 512 bytes, put up to 508
bytes of data in it (the vsnprintf call), and then add at least 14
more bytes of data (the strcat calls).

I originally saw this in:
Version: 0.9.7.9+deb7u5

I have not created a test for this. I suspect all it takes is a long
path in the configured URI.

The simplest fix is probably to change the "- 4" on the vsnprintf()
to "- 24" or thereabouts. A more complex fix (probably not needed)
might send the two strings separately. It also might be wise to
consider if the buffer should be enlarged.

I have not fully examined other sources for similar code, but do see
where this came from in method/ftp.cc.

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt depends on:
ii debian-archive-keyring 2014.1
ii gnupg 1.4.18-4
ii libapt-pkg4.12 1.0.9.2
ii libc6 2.19-11
ii libgcc1 1:4.9.1-16
ii libstdc++6 4.9.1-16
apt recommends no packages.
Versions of packages apt suggests:
ii apt-doc 1.0.9.2
ii aptitude 0.6.11-1
ii dpkg-dev 1.17.16
ii python-apt 0.9.3.10
ii synaptic 0.81.2
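
The arithmetic in the report above, as an added example (not apt's code and not part of the original report): it measures how many bytes the described pattern needs with a reserve of 4 versus 24, and shows a bounded variant that rejects an over-long command instead of truncating it. SUFFIX is a constructed 14-byte stand-in for the appended text; pattern_needs() and build_msg() are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512                 /* buffer size stated in the report */
#define SUFFIX   " 2> /dev/null\n"   /* constructed 14-byte stand-in suffix */

/* Bytes (NUL included) the reported pattern would need: vsnprintf() bounded
 * to BUF_SIZE - reserve, followed by an unchecked strcat() of SUFFIX.
 * This only measures; it never performs the overflowing strcat(). */
size_t pattern_needs(size_t reserve, const char *fmt, ...)
{
    char tmp[BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(tmp, sizeof(tmp) - reserve, fmt, ap);
    va_end(ap);
    return strlen(tmp) + strlen(SUFFIX) + 1;
}

/* Bounded variant: a silently truncated command is a different command,
 * so refuse it. Returns the message length, or -1 if it does not fit. */
int build_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);   /* n = untruncated length */
    va_end(ap);
    if (n < 0 || (size_t)n + strlen(SUFFIX) >= outsz)
        return -1;
    memcpy(out + n, SUFFIX, strlen(SUFFIX) + 1);
    return n + (int)strlen(SUFFIX);
}

int main(void)
{
    char path[601], out[BUF_SIZE];
    memset(path, 'a', 600);                   /* constructed long path */
    path[600] = '\0';
    printf("reserve 4:  needs %zu of %d bytes\n", pattern_needs(4, "%s", path), BUF_SIZE);
    printf("reserve 24: needs %zu of %d bytes\n", pattern_needs(24, "%s", path), BUF_SIZE);
    printf("bounded, long path:  %d\n", build_msg(out, sizeof(out), "%s", path));
    printf("bounded, short path: %d\n", build_msg(out, sizeof(out), "%s", "/srv/repo"));
    return 0;
}
```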