* Ximin Luo <infini...@debian.org> [191223 09:16]:
> A long-term fix would be to fix this:
>
> line 151-166:
>
>               if (f->size - f->ofs <= 2048) {
>                       /* Adding code to enlarge the buffer in this case
>                        * is risky as hard to test properly.
>                        *
>                        * Also it is almost certainly caused by some
>                        * mis-representation of the file or perhaps
>                        * some attack. Requesting all existing memory in
>                        * those cases does not sound very useful. */
>
>                       fprintf(stderr,
> "Error parsing %s line %d: Ridiculous long (>= 256K) control chunk!\n",
>                                       f->filename,
>                                       f->startlinenumber);
>                       f->failed = true;
>                       return RET_ERROR;
>               }
>
> One reasonable option would be to rip out this code and use whatever dpkg 
> itself is using to parse the fields.

As the comment describes, accepting arbitrarily long control data would
open all kinds of security issues and require quite some hard to properly
test code. Most of the attacks enabled by having longer control chunks
might be able to be mitigated in some way, but that would require all kinds of
different logic that can then have some new bugs.

So allowing arbitrary absurdly long control data is not something I want
to support.

        Bernhard R. Link
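
The trade-off discussed in this thread, as an added C example that is not part of the original messages and is not reprepro's code: a chunk reader whose buffer never grows and which rejects, rather than truncates, a control chunk that does not fit. The names `read_chunk`, `count_chunks`, `SAMPLE` and the small caps used here are assumptions made for illustration.

```c
#include <stdio.h>

enum chunk_result { CHUNK_OK, CHUNK_EOF, CHUNK_TOO_LONG };

/* Constructed sample: three control chunks separated by blank lines. */
static const char SAMPLE[] =
    "Package: a\nVersion: 1\n\n"
    "Package: b\nDescription: an overly long field value\n\n"
    "Package: c\n";

/* Read one chunk (lines up to a blank line or EOF) into buf. The buffer is
 * fixed: a chunk needing more than cap bytes (NUL included) is an error. */
static enum chunk_result read_chunk(FILE *in, char *buf, size_t cap, size_t *len)
{
    size_t used = 0;
    int c, at_line_start = 1;

    *len = 0;
    if (cap == 0)
        return CHUNK_TOO_LONG;
    while ((c = fgetc(in)) != EOF) {
        if (c == '\n' && at_line_start) {
            if (used == 0)
                continue;              /* skip blank lines before a chunk */
            break;                     /* blank line terminates the chunk */
        }
        if (used + 1 >= cap)
            return CHUNK_TOO_LONG;     /* fail closed: no realloc, no truncation */
        buf[used++] = (char)c;
        at_line_start = (c == '\n');
    }
    buf[used] = '\0';
    *len = used;
    return used ? CHUNK_OK : CHUNK_EOF;
}

/* Count chunks accepted before EOF or the first rejection; *last says which. */
static int count_chunks(const char *text, size_t cap, enum chunk_result *last)
{
    char buf[256];
    size_t len;
    int n = 0;
    FILE *in = (cap <= sizeof buf) ? tmpfile() : NULL;

    if (in == NULL)
        return -1;
    fputs(text, in);
    rewind(in);
    while ((*last = read_chunk(in, buf, cap, &len)) == CHUNK_OK)
        n++;
    fclose(in);
    return n;
}
```

Once `CHUNK_TOO_LONG` is returned the caller stops parsing that file, which mirrors the `f->failed = true; return RET_ERROR;` path in the quoted code.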
