Bug#828812: apt: buffer overrun in ListParser::VersionHash()
On Mon, Jun 27, 2016 at 10:19:32PM -0700, J.T. Conklin wrote:
> Package: apt
> Version: 1.0.9.8.3
> Severity: important
>
> Dear Maintainer,
>
> I encountered a stack-smash error in apt-get caused by the contents of
> the "Depends" header of one of my packages. While the crash occurred on
> Ubuntu 14.04, the problem is still present in the apt sources as cloned
> from git this evening.
>
> In ListParser::VersionHash(), if a header (Depends, Pre-Depends, etc.)
> value is less than 1024 bytes (sizeof(S)) in length, it is copied into
> S. As each character is processed, ASCII space characters are skipped,
> upper case characters are converted to lower case, and "<" & ">"
> characters are converted to "<=" and ">=".
>
> The latter conversion may result in a buffer overrun, especially if the
> header value is close to 1024 bytes in length, as it increases the over-
> all length of the data being copied.
Not really - only if the Packages file is broken. A correct packages files
has a Depends of the form
pkg (< version)
the normalizer creates
pkg(<=version)
- Changing "< " to "<=" does not make the string longer.
>
> I can see several ways that this problem might be addressed, including
> truncating the copy at 1024 bytes, using a dynamic buffer (std::vector
> or std::string), etc.
The easiest way is probably to just replace <= with < and >= with > to
solve this. This means we're normalizing to the old format, but that's
not a huge issue.
See
https://github.com/julian-klode/apt/compare/master...julian-klode:bugfix/versionhash-overflow?expand=1
I'll see if I can come up with a test case for that.
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
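The length argument made in the reply above (dropping the space pays for the added "=", so a well-formed field never grows, while a space-free one does), as an added example that is neither apt's code nor either poster's; the normalization rules are an assumed reconstruction from the report's description, and the bounded copy is the dynamic-check alternative the reporter mentions:

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Model of the normalization the report describes for apt's
// ListParser::VersionHash (assumed reconstruction for illustration, not
// apt's own code): whitespace is dropped, ASCII is lowercased, and a lone
// '<' or '>' (old dpkg syntax meaning "<=" / ">=") gets an '=' appended;
// "<<", ">>", "<=" and ">=" are copied unchanged.
// Writes at most `cap` bytes into `out` and returns the normalized length,
// or -1 if the result would not fit: the case where an unchecked copy into
// a fixed 1024-byte stack array overruns.
long normalizeDepends(const std::string &in, char *out, std::size_t cap) {
    std::size_t j = 0;
    auto put = [&](char ch) -> bool { if (j >= cap) return false; out[j++] = ch; return true; };
    for (std::size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (std::isspace(c) != 0) continue;              // undo dpkg's reformatting
        if (!put(static_cast<char>(std::tolower(c)))) return -1;
        if (c != '<' && c != '>') continue;
        char next = (i + 1 < in.size()) ? in[i + 1] : '\0';
        if (next == '=') continue;                       // already "<=" / ">="
        if (next == in[i]) {                             // strict "<<" / ">>"
            if (!put(in[i])) return -1;
            ++i;
            continue;
        }
        if (!put('=')) return -1;                        // a byte absent from the input
    }
    return static_cast<long>(j);
}

// Convenience wrapper: the normalized string, or "" when it would overflow `cap`.
std::string normalize(const std::string &in, std::size_t cap = 1024) {
    std::string buf(cap, '\0');
    long n = normalizeDepends(in, &buf[0], cap);
    if (n < 0) return std::string();
    buf.resize(static_cast<std::size_t>(n));
    return buf;
}

int main() {
    // Constructed inputs: the well-formed field keeps its length, the
    // space-free one grows by one byte per lone operator.
    const char *samples[] = {"pkg (< version)", "pkg(<version)", "Foo (>= 1.0), bar (<< 2)"};
    for (const char *s : samples)
        std::printf("%-26s -> %s\n", s, normalize(s).c_str());
    char small[8];   // an 8-byte buffer: the bounded copy refuses instead of overrunning
    std::printf("a<b<c<d into 8 bytes: %ld\n", normalizeDepends("a<b<c<d", small, sizeof small));
    return 0;
}
```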