
Bug#781858: apt: dangling pointer crash



Package: apt
Version: 1.0.9.7
Severity: serious

Dear Maintainer,

The apt source includes in apt-pkg/acquire-item.cc:

       // FIXME: this points to a c++ string that goes out of scope
       Mode = decompProg.c_str();
    }

Mode is a char ptr
decompProg is a std::string

When decompProg goes out of scope it will be destroyed, and its internal buffer
that Mode points to will be freed. Any dereference of Mode will now return
arbitrary data which can cause seemingly random and hard-to-debug crashes.
python3-apt, for example, will read Mode and interpret it as UTF-8 (in
python/acquire-item.cc:acquireitem_get_mode). Since the
data is now essentially random, and not all byte sequences are valid UTF-8,
this will cause a crash to occur intermittently in any application
using python3-apt, e.g. aptdaemon
https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1060081 (the
Ubuntu crash tracker http://errors.ubuntu.com gets about 200 crash
reports a day for that bug).


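The pattern the report describes, and one way to close it, as an added, stand-alone C++ example; this is not apt's code or apt's actual fix. The struct and member names (BuggyItem, FixedItem, Decompress, ModeCStr, mode_is_ascii) are assumed for illustration; only Mode and decompProg come from the report. The ASCII check stands in for the UTF-8 decode that python3-apt performs on Mode.

```cpp
// Added example, not apt source: the dangling c_str() pointer from
// Bug#781858 beside an owning-storage fix. Names are hypothetical.
#include <cstdio>
#include <cstring>
#include <string>

// The bug: a raw pointer stored past the lifetime of the std::string that
// owns the buffer it points into.
struct BuggyItem {
    const char *Mode = nullptr;          // raw char pointer, as in the report
    void Decompress(const std::string &compExt) {
        std::string decompProg = compExt + "-decompressor"; // local std::string
        Mode = decompProg.c_str();       // points into decompProg's buffer
    }                                    // decompProg destroyed here: Mode dangles
};

// The fix: let the item own the string and hand out c_str() only on demand,
// so no pointer can outlive the buffer it indexes. Copies of the item also get
// their own buffer instead of aliasing another item's.
struct FixedItem {
    std::string Mode;
    void Decompress(const std::string &compExt) {
        Mode = compExt + "-decompressor";
    }
    const char *ModeCStr() const { return Mode.c_str(); }
};

// Stand-in for the consumer (python-apt's acquireitem_get_mode decodes Mode as
// UTF-8); here we only check that every byte is 7-bit ASCII. A dangling Mode
// would feed freed or stack garbage into this loop.
bool mode_is_ascii(const char *mode) {
    if (mode == nullptr) return false;
    for (const unsigned char *p = reinterpret_cast<const unsigned char *>(mode); *p; ++p)
        if (*p > 0x7f) return false;
    return true;
}

// Helper so the fixed path can be exercised from a test.
std::string fixed_mode(const std::string &ext) {
    FixedItem item;
    item.Decompress(ext);
    return std::string(item.ModeCStr());
}

int main() {
    FixedItem item;
    item.Decompress("gz");
    std::printf("fixed Mode: %s (ascii=%d)\n", item.ModeCStr(), mode_is_ascii(item.ModeCStr()));

    // Reading BuggyItem::Mode after Decompress() returns is undefined behaviour.
    // Build with -fsanitize=address and uncomment the next line: ASan reports
    // heap-use-after-free for long names, or stack-use-after-scope when the
    // string fits libstdc++'s small-string buffer (15 bytes), as "gz-decompressor" does.
    // BuggyItem b; b.Decompress("gz"); std::puts(b.Mode);
    return 0;
}
```

Because the buggy read is undefined behaviour, its symptoms vary with allocator state and string length; that is why the report sees "seemingly random" crashes rather than a deterministic failure. AddressSanitizer turns it into a deterministic, attributable report, which is the cheapest way to confirm a FIXME like this one is reachable in practice.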