
Bug#828812: apt: buffer overrun in ListParser::VersionHash()



Julian Andres Klode <jak@debian.org> writes:
>> The latter conversion may result in a buffer overrun, especially if the
>> header value is close to 1024 bytes in length, as it increases the overall
>> length of the data being copied.
>
> Not really - only if the Packages file is broken. 

Although, we don't want a broken Packages file to render apt unusable,
right?

> A correct packages files
> has a depends of the form
> 	pkg (< version)
> the normalizer creates
> 	pkg(<=version)
> - Changing "< " to "<=" does not make the string longer.

But it would change "pkg(<version)" to "pkg(<=version)", which is
longer. My understanding from section 7.1 of the Policy Manual is
that whitespace is recommended, but not required.

The odd thing is... I've checked to confirm that our packages use ">="
instead of ">". Since I didn't have a chance to rebuild with symbols, my
assumption had been that some higher layer code was normalizing "<=" and
">=" to the old format, and ListParser::VersionHash() was re-normalizing
them.

FWIW, we use the semantic versioning conventions, and all our package
dependencies have both a version floor and ceiling, like:

    Depends: foo(<<3.0.0),foo(>=2.1.0),bar(<<4.0.0),bar(>=3.6.0)

Specifying both floor and ceiling tends to result in long dependency lists.

> The easiest way is probably to just replace <= with < and >= with > to
> solve this. This means we're normalizing to the old format, but that's
> not a huge issue.
>
> See
>
> https://github.com/julian-klode/apt/compare/master...julian-klode:bugfix/versionhash-overflow?expand=1

Looks good to me.

    --jtc
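An added illustration of the length argument in this thread (example code, not apt's code and not the linked patch): a small C normalizer that drops whitespace and rewrites the relational operators in either direction into a fixed buffer while counting the bytes the result really needs. The names normalize_deps, worst_case_fits and HASH_BUF are assumed for the example; the worst case is a constructed 1020-byte, whitespace-free Depends value that outgrows a 1024-byte buffer under "<" to "<=" expansion and fits under the old-format normalization.

```c
#include <string.h>

#define HASH_BUF 1024  /* fixed scratch buffer size discussed in the report */

/* Append c to out (capacity cap > 0); every byte is counted even once it no longer fits. */
static void emit(char *out, size_t cap, size_t *n, char c)
{
    if (*n + 1 < cap)            /* keep one byte for the terminating NUL */
        out[*n] = c;
    (*n)++;
}

/* Strip whitespace from a Depends value and rewrite its relational operators.
 * expand != 0: bare "<" / ">" become "<=" / ">=" (the direction that can grow
 * the string); expand == 0: "<=" / ">=" become "<" / ">" (never grows it).
 * "<<" and ">>" are copied unchanged.  Returns the length the complete result
 * needs, like snprintf; a value >= cap means out holds a truncated copy. */
size_t normalize_deps(const char *in, int expand, char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char c = in[i];
        if (c == ' ' || c == '\t') continue;        /* whitespace is dropped */
        emit(out, cap, &n, c);
        if (c != '<' && c != '>') continue;
        size_t j = i + 1;                           /* look past "< " to the next token */
        while (in[j] == ' ' || in[j] == '\t') j++;
        if (in[j] == c) {                           /* strict: "<<" or ">>" */
            emit(out, cap, &n, c); i = j;
        } else if (in[j] == '=') {                  /* non-strict, new format */
            if (expand) emit(out, cap, &n, '='); i = j;
        } else if (expand) {                        /* non-strict, old format */
            emit(out, cap, &n, '=');                /* the extra byte that lengthens it */
        }
    }
    out[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Constructed worst case: a 1020-byte value of "a(<1)," repeated, no whitespace,
 * old-format operators.  Returns 1 if the normalized form fits in HASH_BUF bytes
 * and 0 if it would need more (the overrun the report describes). */
int worst_case_fits(int expand)
{
    static char in[HASH_BUF], out[HASH_BUF];
    size_t len = 0;
    while (len + 6 < sizeof in - 1) { memcpy(in + len, "a(<1),", 6); len += 6; }
    in[len] = '\0';
    return normalize_deps(in, expand, out, sizeof out) < sizeof out;
}
```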

