
Bug#764442: apt: String overrun in RSHConn::WriteMsg() (transports rsh: and ssh:)



On Wed, Oct 08, 2014 at 02:49:40AM -0400, David Garfield wrote:
> Package: apt
> Version: 1.0.9.2
> Severity: normal

Thanks for your bug report.
 
> In examining the sources in method/rsh.cc I ran across the function
> RSHConn::WriteMsg(....)
> 
> The first thing it does is make a buffer of 512 bytes, put up to 508
> bytes of data in it (the vsnprintf call), and then add at least 14
> more bytes of data (the strcat calls).

Good catch, thank you!
 
[..]
> The simplest fix is probably to change the "- 4" on the vsnprintf()
> to "- 24" or thereabouts.  A more complex fix (probably not needed)
> might send the two strings separately.  It also might be wise to
> consider if the buffer should be enlarged.
> 
> I have not fully examined other sources for similar code, but do see
> where this came from in method/ftp.cc.
[..]

I fixed this in git and replaced the strcat with a C++ std::string so
that we do not run into the fixed buffer issue. I also enlarged the
buffer while doing so. 

Cheers,
 Michael
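
The overrun the report describes, modelled as an added illustration (not apt's rsh.cc and not the committed fix): a 512-byte buffer, vsnprintf capped at sizeof(buf) - 4, then an unchecked strcat of a suffix. The helper names, the two suffix strings (chosen so the shorter one is exactly the 14 bytes the report mentions) and the sample commands are assumptions. The old scheme is modelled by computing how many bytes it would have stored rather than writing past a real buffer, and the hardened variant builds the message in a std::string as the reply describes.

```cpp
#include <cassert>
#include <cstdarg>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical suffixes modelling the strcat in the report; the shorter one is
// exactly 14 bytes, matching the "at least 14 more bytes" figure above.
static const char *const kSuffixSync  = " 2> /dev/null || echo\n";
static const char *const kSuffixAsync = " 2> /dev/null\n";

// Model of the old scheme: a 512-byte stack buffer, vsnprintf capped at
// sizeof(buf) - 4, then an unchecked strcat of the suffix. Instead of writing
// into a real buffer (undefined behaviour once it overflows), this returns how
// many bytes the old code would have stored, terminating NUL included.
static size_t oldSchemeBytesNeededV(bool sync, const char *fmt, va_list ap)
{
    const size_t kBuf = 512;
    const size_t kCap = kBuf - 4;               // 508: the size vsnprintf was given
    int want = std::vsnprintf(nullptr, 0, fmt, ap);
    if (want < 0)
        return 0;
    size_t body = static_cast<size_t>(want);
    if (body > kCap - 1)
        body = kCap - 1;                        // vsnprintf keeps at most 507 chars
    return body + std::strlen(sync ? kSuffixSync : kSuffixAsync) + 1;
}

// True when the old scheme would write past the 512-byte buffer.
static bool oldSchemeOverflows(bool sync, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t need = oldSchemeBytesNeededV(sync, fmt, ap);
    va_end(ap);
    return need > 512;
}

// Hardened variant in the spirit of the fix described: measure the formatted
// text first, keep it in a std::string and append the suffix with operator+=,
// so no fixed-size buffer is involved and nothing is silently truncated.
static std::string buildMsgV(bool sync, const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);                           // the first vsnprintf consumes ap
    int n = std::vsnprintf(nullptr, 0, fmt, ap);
    std::string out;
    if (n > 0) {
        out.resize(static_cast<size_t>(n) + 1); // room for the terminating NUL
        std::vsnprintf(&out[0], out.size(), fmt, ap2);
        out.resize(static_cast<size_t>(n));     // drop the NUL again
    }
    va_end(ap2);
    out += sync ? kSuffixSync : kSuffixAsync;
    return out;
}

static std::string buildMsg(bool sync, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    std::string s = buildMsgV(sync, fmt, ap);
    va_end(ap);
    return s;
}

// Constructed argument generator for the demonstration below.
static std::string longArg(size_t n) { return std::string(n, 'a'); }

int main()
{
    std::cout << "short command overflows old buffer: "
              << (oldSchemeOverflows(false, "ls %s", "/tmp") ? "yes" : "no") << "\n";
    std::cout << "600-byte argument overflows old buffer: "
              << (oldSchemeOverflows(false, "ls %s", longArg(600).c_str()) ? "yes" : "no") << "\n";
    std::cout << "std::string version keeps all "
              << buildMsg(false, "ls %s", longArg(600).c_str()).size() << " bytes\n";
    return 0;
}
```

With the 14-byte suffix the old arithmetic already fails once the formatted body reaches 498 characters (498 + 14 + NUL = 513 bytes), well before vsnprintf's own 507-character cap, which is why shrinking the "- 4" or moving to a growable string are the two remedies discussed above.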

