Hi,

On Fri, Nov 21, 2014 at 07:53:49PM +1100, Joshua Rogers wrote:
> In apt-inst/extract.cc, this code appears:
>
> > if (Res.length() > sizeof(FileName))
> > return _error->Error(_("The path %s is too long"),Res.c_str());
> > if (Debug == true)
> > clog << "Followed conf file from " << FileName << " to " << Res << endl;
> > Itm.Name = strcpy(FileName,Res.c_str());
>
> "if (Res.length() > sizeof(FileName))" should either be "if
> (Res.length() >= sizeof(FileName))", or "if (Res.length() >
> sizeof(FileName - 1))".

Thanks, the code is indeed very fishy!

Thankfully nobody is actually using it, as its origin is a years-old (= predating any active apt maintainer) attempt at replacing dpkg, which obviously failed as dpkg still exists, and apt-inst exists for only two reasons still: apt-extracttemplates (which has been planned to be done by dpkg instead for quite a while now) and apt-ftparchive, which uses it to inspect deb files, but not to actually extract them on the filesystem. This code is therefore completely unused.

So, the proper fix here is to just get rid of apt-inst already (merge the few useful bits into apt-pkg) and be happy. I will make a note to get that done for stretch.

I therefore think that we don't need to get busy fixing this in (old)stable/jessie as it hasn't any practical effect… but the report is still very useful in reminding me to get that stuff removed, so thanks a lot! :)

Best regards

David Kalnischkies
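To make the off-by-one in the quoted check concrete, here is an added example (not apt's code) that contrasts the original `> sizeof(FileName)` test with the `>=` variant from the report and replaces the strcpy() with a bounded copy; FILENAME_SIZE, the function names and the 16-character input are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed-size FileName buffer (small here; larger in extract.cc). */
#define FILENAME_SIZE 16
/* Check as quoted from extract.cc: a path of exactly FILENAME_SIZE chars passes,
 * although strcpy() still has to write the terminating NUL. */
static bool original_check_accepts(size_t path_len) {
    return !(path_len > FILENAME_SIZE);
}

/* Corrected check (the ">=" variant from the report): leaves room for the NUL. */
static bool fixed_check_accepts(size_t path_len) {
    return !(path_len >= FILENAME_SIZE);
}

/* Bytes strcpy() would write past the buffer end if the original check let a
 * path of path_len characters through; 0 when nothing overflows. */
static size_t overflow_bytes_with_original_check(size_t path_len) {
    if (!original_check_accepts(path_len))
        return 0;
    size_t needed = path_len + 1; /* characters plus NUL */
    return needed > FILENAME_SIZE ? needed - FILENAME_SIZE : 0;
}

/* Bounded replacement for the strcpy(): 0 on success, -1 if the path plus its
 * NUL does not fit; memcpy with a verified length cannot write beyond dst. */
static int copy_path_checked(char *dst, size_t dst_size, const char *path) {
    size_t len = strlen(path);
    if (len >= dst_size)
        return -1;
    memcpy(dst, path, len + 1);
    return 0;
}

/* Wrapper using a FILENAME_SIZE buffer, as extract.cc does. */
static int try_copy(const char *path) {
    char FileName[FILENAME_SIZE];
    return copy_path_checked(FileName, sizeof FileName, path);
}

int main(void) {
    const char *boundary = "aaaaaaaaaaaaaaaa"; /* constructed input: 16 chars */
    printf("original accepts=%d overflow=%zu | fixed accepts=%d copy=%d\n",
           original_check_accepts(16), overflow_bytes_with_original_check(16),
           fixed_check_accepts(16), try_copy(boundary));
    return 0;
}
```

The boundary input is accepted by the original check and would make strcpy() write one byte past the buffer, while the corrected check and the bounded copy both reject it.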