
Bug#926969: marked as done (libapt-pkg: SetSignedBy can attempt to access index -1 in an array)



Your message dated Sun, 14 Apr 2019 11:19:08 +0200
with message-id <20190414091908.ox5j7navzgshcprd@crossbow>
and subject line Re: Bug#926969: libapt-pkg: SetSignedBy can attempt to access index -1 in an array
has caused the Debian Bug report #926969,
regarding libapt-pkg: SetSignedBy can attempt to access index -1 in an array
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926969
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libapt-pkg5.0
Version: 1.4.9
Severity: normal
Tags: patch

Dear Maintainer,

While troubleshooting another problem, I found an invalid memory access when testing with ASAN. Attached is a patch to ensure this does not happen.


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libapt-pkg5.0 depends on:
ii  libbz2-1.0  1.0.6-8.1
ii  libc6       2.24-11+deb9u3
ii  libgcc1     1:6.3.0-18+deb9u1
ii  liblz4-1    0.0~r131-2+b1
ii  liblzma5    5.2.2-1.2+b1
ii  libstdc++6  6.3.0-18+deb9u1
ii  zlib1g      1:1.2.8.dfsg-5

Versions of packages libapt-pkg5.0 recommends:
ii  apt  1.4.9

libapt-pkg5.0 suggests no packages.

-- no debconf information
commit 706e8fe6cb93323e6b03c662aaced03a36db3574
Author: Sam Bingner <sam@bingner.com>
Date:   Thu Apr 11 13:31:14 2019 -1000

    Don't access invalid string indexes

diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index f25906fba..610965024 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -682,13 +682,13 @@ bool debReleaseIndex::SetSignedBy(std::string const &pSignedBy)
         SignedBy = os.str();
       }
       // Normalize the string: Remove trailing commas
-      while (SignedBy[SignedBy.size() - 1] == ',')
+      while (SignedBy.size() > 0 && SignedBy[SignedBy.size() - 1] == ',')
         SignedBy.resize(SignedBy.size() - 1);
    }
    else {
       // Only compare normalized strings
       auto pSignedByView = APT::StringView(pSignedBy);
-      while (pSignedByView[pSignedByView.size() - 1] == ',')
+      while (pSignedByView.size() > 0 && pSignedByView[pSignedByView.size() - 1] == ',')
         pSignedByView = pSignedByView.substr(0, pSignedByView.size() - 1);
       if (pSignedByView != SignedBy)
         return _error->Error(_("Conflicting values set for option %s regarding source %s %s: %s != %s"), "Signed-By", URI.c_str(), Dist.c_str(), SignedBy.c_str(), pSignedByView.to_string().c_str());
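
Review bot: Both `while` loops now check `size() > 0` before indexing `size() - 1`, but the patch adds no regression test for the two inputs that reach the guard: an empty Signed-By value and one made up only of commas. Please add a test covering both branches. The check itself reads more clearly as an emptiness test. Since `SignedBy` is a `std::string`, the first loop can be written as `while (!SignedBy.empty() && SignedBy.back() == ',') SignedBy.pop_back();`, and the second loop can use the view's emptiness check in the same way if the view type provides one. An all-comma `pSignedBy` now normalizes to an empty view before the `pSignedByView != SignedBy` comparison, so the "Conflicting values" error can print an empty right-hand value. Confirm that this is the intended behaviour for such input. The commit message would also help later readers if it named `SetSignedBy` and the triggering input.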

--- End Message ---
--- Begin Message ---
Version: 1.8.0~alpha1

Hi Sam,

thanks for the patch!

The issue was fixed in 1.8.0~alpha1 while introducing support for subkeys,
specifically in git commit ff8fa4ab4b80384a9240f0df63181f71077a8d83.

I am therefore closing this bug for newer versions. I don't think it is
problematic enough to warrant backporting or do you have a specific
situation in mind in which this is a huge pain?

Regarding the patch itself I think "not foo.empty()" would be better than
"foo.size() > 0". Better still might be using APT::String::Endswith.
(Can't wait for C++20 finally adding starts/ends_with. It is usually the
first helper function I am adding to new projects…)


Best regards

David Kalnischkies

P.S.: For some reason this bug report did not end up on the mailing list.
I only saw it as new bug reports are announced on our IRC channel by the
BTS bot. It seems not to be refused as spam outright, although
MISSING_DATE among other things is probably hurting. Listmasters might
be able to tell you what happened to your mail exactly.



--- End Message ---
