
Bug#828812: marked as done (apt: buffer overrun in ListParser::VersionHash())



Your message dated Thu, 07 Jul 2016 18:52:38 +0000
with message-id <E1bLEPe-0006n4-TM@franck.debian.org>
and subject line Bug#828812: fixed in apt 1.3~pre1
has caused the Debian Bug report #828812,
regarding apt: buffer overrun in ListParser::VersionHash()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
828812: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828812
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.0.9.8.3
Severity: important

Dear Maintainer,

I encountered a stack-smash error in apt-get caused by the contents of
the "Depends" header of one of my packages. While the crash occurred on
Ubuntu 14.04, the problem is still present in the apt sources as cloned
from git this evening.

In ListParser::VersionHash(), if a header (Depends, Pre-Depends, etc.)
value is less than 1024 bytes (sizeof(S)) in length, it is copied into
S. As each character is processed, ASCII space characters are skipped,
upper case characters are converted to lower case, and "<" & ">"
characters are converted to "<=" and ">=".

The latter conversion may result in a buffer overrun, especially if the
header value is close to 1024 bytes in length, as it increases the overall
length of the data being copied.

I can see several ways that this problem might be addressed, including
truncating the copy at 1024 bytes, using a dynamic buffer (std::vector
or std::string), etc.

I have not submitted a patch, as I don't feel I have the context to make
the best implementation choice. That being said, I'm willing to follow
up with a patch given such guidance.

    --jtc

-- Package-specific info:
-- apt-config dump --

APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^linux-headers-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^linux-image-extra-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^linux-signed-image-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^kfreebsd-image-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^kfreebsd-headers-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^gnumach-image-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^.*-modules-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^.*-kernel-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^linux-backports-modules-.*-3\.16\.0-4-amd64$";
APT::NeverAutoRemove:: "^linux-tools-3\.16\.0-4-amd64$";
APT::VersionedKernelPackages "";
APT::VersionedKernelPackages:: "linux-image";
APT::VersionedKernelPackages:: "linux-headers";
APT::VersionedKernelPackages:: "linux-image-extra";
APT::VersionedKernelPackages:: "linux-signed-image";
APT::VersionedKernelPackages:: "kfreebsd-image";
APT::VersionedKernelPackages:: "kfreebsd-headers";
APT::VersionedKernelPackages:: "gnumach-image";
APT::VersionedKernelPackages:: ".*-modules";
APT::VersionedKernelPackages:: ".*-kernel";
APT::VersionedKernelPackages:: "linux-backports-modules-.*";
APT::VersionedKernelPackages:: "linux-tools";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "restricted/metapackages";
APT::Never-MarkAuto-Sections:: "universe/metapackages";
APT::Never-MarkAuto-Sections:: "multiverse/metapackages";
APT::Never-MarkAuto-Sections:: "oldlibs";
APT::Never-MarkAuto-Sections:: "restricted/oldlibs";
APT::Never-MarkAuto-Sections:: "universe/oldlibs";
APT::Never-MarkAuto-Sections:: "multiverse/oldlibs";
APT::Architectures "";
APT::Architectures:: "amd64";
APT::Compressor "";
APT::Compressor::. "";
APT::Compressor::.::Name ".";
APT::Compressor::.::Extension "";
APT::Compressor::.::Binary "";
APT::Compressor::.::Cost "1";
APT::Compressor::gzip "";
APT::Compressor::gzip::Name "gzip";
APT::Compressor::gzip::Extension ".gz";
APT::Compressor::gzip::Binary "gzip";
APT::Compressor::gzip::Cost "2";
APT::Compressor::gzip::CompressArg "";
APT::Compressor::gzip::CompressArg:: "-9n";
APT::Compressor::gzip::UncompressArg "";
APT::Compressor::gzip::UncompressArg:: "-d";
APT::Compressor::bzip2 "";
APT::Compressor::bzip2::Name "bzip2";
APT::Compressor::bzip2::Extension ".bz2";
APT::Compressor::bzip2::Binary "bzip2";
APT::Compressor::bzip2::Cost "3";
APT::Compressor::bzip2::CompressArg "";
APT::Compressor::bzip2::CompressArg:: "-9";
APT::Compressor::bzip2::UncompressArg "";
APT::Compressor::bzip2::UncompressArg:: "-d";
APT::Compressor::xz "";
APT::Compressor::xz::Name "xz";
APT::Compressor::xz::Extension ".xz";
APT::Compressor::xz::Binary "xz";
APT::Compressor::xz::Cost "4";
APT::Compressor::xz::CompressArg "";
APT::Compressor::xz::CompressArg:: "-6";
APT::Compressor::xz::UncompressArg "";
APT::Compressor::xz::UncompressArg:: "-d";
APT::Compressor::lzma "";
APT::Compressor::lzma::Name "lzma";
APT::Compressor::lzma::Extension ".lzma";
APT::Compressor::lzma::Binary "xz";
APT::Compressor::lzma::Cost "5";
APT::Compressor::lzma::CompressArg "";
APT::Compressor::lzma::CompressArg:: "--format=lzma";
APT::Compressor::lzma::CompressArg:: "-9";
APT::Compressor::lzma::UncompressArg "";
APT::Compressor::lzma::UncompressArg:: "--format=lzma";
APT::Compressor::lzma::UncompressArg:: "-d";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::mirrors "mirrors/";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::solvers "";
Dir::Bin::solvers:: "/usr/lib/apt/solvers";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Bin::bzip2 "/bin/bzip2";
Dir::Bin::xz "/usr/bin/xz";
Dir::Bin::lzma "/usr/bin/xz";
Dir::Media "";
Dir::Media::MountPath "/media/cdrom";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.save$";
Dir::Ignore-Files-Silently:: "\.orig$";
Dir::Ignore-Files-Silently:: "\.distUpgrade$";
Acquire "";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom";
Acquire::Languages "";
Acquire::Languages:: "en_US";
Acquire::Languages:: "en";
Acquire::Languages:: "none";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Tools "";
DPkg::Tools::Options "";
DPkg::Tools::Options::/usr/bin/apt-listchanges "";
DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
CommandLine "";
CommandLine::AsString "apt-config dump";

-- (no /etc/apt/preferences present) --


-- /etc/apt/sources.list --

# 

# deb cdrom:[Debian GNU/Linux 8.5.0 _Jessie_ - Official amd64 DVD Binary-1 20160604-15:35]/ jessie contrib main

# deb cdrom:[Debian GNU/Linux 8.5.0 _Jessie_ - Official amd64 DVD Binary-1 20160604-15:35]/ jessie contrib main

deb http://httpredir.debian.org/debian jessie main
deb-src http://httpredir.debian.org/debian jessie main

deb http://httpredir.debian.org/debian jessie-updates main
deb-src http://httpredir.debian.org/debian jessie-updates main

deb http://security.debian.org/ jessie/updates main contrib
deb-src http://security.debian.org/ jessie/updates main contrib

# jessie-updates, previously known as 'volatile'
# A network mirror was not selected during install.  The following entries
# are provided as examples, but you should amend them as appropriate
# for your mirror of choice.
#
# deb http://ftp.debian.org/debian/ jessie-updates main contrib
# deb-src http://ftp.debian.org/debian/ jessie-updates main contrib
*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.18-7+deb8u1
ii  libapt-pkg4.12          1.0.9.8.3
ii  libc6                   2.19-18+deb8u4
ii  libgcc1                 1:4.9.2-10
ii  libstdc++6              4.9.2-10

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc     <none>
ii  aptitude    0.6.11-1+b1
pn  dpkg-dev    <none>
ii  python-apt  0.9.3.12

-- no debconf information

--- End Message ---
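The report above describes a length-changing transformation (spaces dropped, letters lowercased, a bare "<" or ">" rewritten as "<=" or ">=") being copied into a fixed 1024-byte stack buffer after checking only that the *input* is shorter than the buffer. The following is an added example, written for this page and not apt's own code: it implements that transformation both the ways the reporter suggests, into a growable std::string and into a caller-supplied fixed buffer with a bounds check on every write. The function names (`normalizeDepends`, `normalizeDependsInto`, `expansionDemo`) are this example's own, and keeping the two-character operators "<<", ">>", "<=", ">=" intact is the example's own choice; the report does not spell out how apt treats them.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Core transformation. `emit(c)` receives each output byte and returns false
// to stop early; the fixed-buffer variant uses that to refuse an overrun.
template <typename Emit>
bool normalizeDependsWith(const std::string &in, Emit emit) {
    for (size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c == ' ')
            continue;                      // ASCII spaces are dropped
        if (c == '<' || c == '>') {
            char next = (i + 1 < in.size()) ? in[i + 1] : '\0';
            char second;
            if (next == static_cast<char>(c) || next == '=') {
                second = next;             // "<<", ">>", "<=", ">=" copied as-is
                ++i;
            } else {
                second = '=';              // bare "<" / ">" becomes "<=" / ">="
            }
            if (!emit(static_cast<char>(c)) || !emit(second))
                return false;
            continue;
        }
        if (!emit(static_cast<char>(std::tolower(c))))
            return false;
    }
    return true;
}

// Dynamic-buffer fix: the destination grows with the output, so the
// expanding rewrite cannot overrun anything.
std::string normalizeDepends(const std::string &in) {
    std::string out;
    out.reserve(in.size() * 2);            // worst case: every byte doubles
    normalizeDependsWith(in, [&](char c) { out.push_back(c); return true; });
    return out;
}

// Fixed-buffer fix: same transformation into `cap` bytes at `out`. The check
// is on the output position, not the input length, and the function stops
// and reports failure (leaving a NUL-terminated prefix) instead of writing
// past the end.
bool normalizeDependsInto(const std::string &in, char *out, size_t cap, size_t *outLen) {
    if (cap == 0) {
        *outLen = 0;
        return false;
    }
    size_t n = 0;
    bool ok = normalizeDependsWith(in, [&](char c) {
        if (n + 1 >= cap)                  // keep one byte for the terminator
            return false;
        out[n++] = c;
        return true;
    });
    out[n] = '\0';
    *outLen = n;
    return ok;
}

// Why "input shorter than the buffer" is not a sufficient check: a constructed
// 1023-byte field (977 'a' plus 23 bare "<1" relations) passes such a check
// but expands to 1046 bytes, more than the 1024-byte buffer holds.
struct ExpansionDemo {
    size_t inLen;
    size_t outLen;
    bool fitsIn1024;
};

ExpansionDemo expansionDemo() {
    std::string field(977, 'a');
    for (int i = 0; i < 23; ++i)
        field += "<1";                     // constructed input, 1023 bytes total
    char buf[1024];
    size_t n = 0;
    bool ok = normalizeDependsInto(field, buf, sizeof buf, &n);
    return {field.size(), normalizeDepends(field).size(), ok};
}

int main() {
    ExpansionDemo d = expansionDemo();
    std::printf("input %zu bytes -> output %zu bytes, fits in 1024: %s\n",
                d.inLen, d.outLen, d.fitsIn1024 ? "yes" : "no");
    std::printf("%s\n", normalizeDepends("libc6 (>= 2.19), libfoo (< 1.0)").c_str());
    return 0;
}
```

The point of `normalizeDependsInto` is that the guard sits at the write, after the expansion has been accounted for; a pre-check on `in.size()` alone, as in the bug, cannot know how many operators will be widened. When a hash of the normalised field is all that is needed, the std::string form is the simpler and safer choice.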
--- Begin Message ---
Source: apt
Source-Version: 1.3~pre1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 828812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jul 2016 20:25:18 +0200
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.3~pre1
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Description:
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package management related utility programs
 libapt-inst2.0 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg5.0 - package management runtime library
Closes: 420940 825216 827930 828011 828812 828908 829232 829651
Changes:
 apt (1.3~pre1) unstable; urgency=medium
 .
   Upload to unstable from the pub because Niels wanted it
 .
   [ David Kalnischkies ]
   * show right binary name in simulation notice (Closes: 825216)
   * imbue datetime parsing with C.UTF-8 locale (Closes: 828011)
   * imbue .diff/Index parsing with C.UTF-8 as well
   * close server if parsing of header field failed
   * add myself to Uploaders
   * eipp: implement version 0.1 of the protocol
   * eipp: provide the internal planer as an external one
   * eipp: make no difference between remove & purge
   * eipp: properly handle arch-specific provides
   * eipp: implement Immediate-Configuration flag
   * eipp: add Allow-Temporary-Remove-of-Essentials
   * eipp: rename stanza 'Install' to 'Unpack'
   * eipp: enable xz-compressed scenario logging
   * if conf unset, don't read / as conf/pref/sources dir
   * don't do atomic overrides with failed files (Closes: 828908)
   * if reading of autobit state failed, let write fail
   * write auto-bits before calling dpkg & again after if needed
   * protect only the latest same-source providers from autoremove
   * reinstalling local deb file is no downgrade
   * do not treat same-version local debs as downgrade
   * alias apt-key list to finger (Closes: 829232)
   * warn if apt-key is used in scripts/its output parsed
   * deprecate 'apt-key update' and no-op it in Debian
   * use +0000 instead of UTC by default as timezone in output
   * avoid 416 response teardown binding to null pointer
   * report write errors in EDSP/EIPP properly back to caller
   * EIPP/EDSP log can't be written is a warning, not an error
   * don't change owner/perms/times through file:// symlinks
   * report all instead of first error up the acquire chain
   * keep trying with next if connection to a SRV host failed
 .
   [ Zhou Mo ]
   * zh_CN.po: update simplified chinese translation
 .
   [ Julian Andres Klode ]
   * methods/ftp: Cope with weird PASV responses.
     Thanks to Lukasz Stelmach for the initial patch (Closes: #420940)
   * Fix buffer overflow in debListParser::VersionHash() (Closes: #828812)
   * cache: Bump minor version to 6
   * indextargets: Check that cache could be built before using it
     (Closes: #829651)
 .
   [ Nicolas Le Cam ]
   * Use the ConditionACPower feature of systemd in the apt-daily service
     (Closes: #827930)
   * Add a apt suggests powermgmt-base
Checksums-Sha1:
 9439b5c447bd2ea5ebeb5aafe4421e62dbd5befc 2394 apt_1.3~pre1.dsc
 2c9c63296cbf8ffdd0755016470c86a1cb222c37 2080144 apt_1.3~pre1.tar.xz
Checksums-Sha256:
 f6629af660c31ddf05f2f2381c8e095697ef7775d7b41c2b98483bc010acf7f4 2394 apt_1.3~pre1.dsc
 2ca1e437984be6d08e9b94b2ebd6d82c6da23fd95fa5fef35edfff2e5caa8a28 2080144 apt_1.3~pre1.tar.xz
Files:
 765b3f139ee37f9e32c5d4ccc2f10bb5 2394 admin important apt_1.3~pre1.dsc
 54025ff12b3457ebf391cbbf9559d36f 2080144 admin important apt_1.3~pre1.tar.xz


--- End Message ---
