Your message dated Thu, 26 Nov 2015 21:17:06 +0000
with message-id <[email protected]>
and subject line Bug#798324: fixed in dpkg 1.17.26
has caused the Debian Bug report #798324,
regarding dpkg-deb: Fix off-by-one write access on versionbuf variable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
798324: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798324
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.18.2
Severity: normal
Tags: patch

The following was reported by Jacek Wielemborek:

----- Begin forwarded message -----

Dear Maintainer,

I built dpkg with afl-gcc and AFL_USE_ASAN=1. Here's the base64-encoded
 .deb file it generated:
And here's the crash:

root@1442a2c3a089:~/fuzz/dpkg/o/crashes# dpkg --info id\:000000\,sig\:06\,src\:000000\,op\:flip1\,pos\:7
=================================================================
==11286==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbdcdf338 at pc 0x00000040cf49 bp 0x7fffbdcdef70 sp 0x7fffbdcdef68
WRITE of size 1 at 0x7fffbdcdf338 thread T0
    #0 0x40cf48  (/usr/bin/dpkg-deb+0x40cf48)
    #1 0x410dfe  (/usr/bin/dpkg-deb+0x410dfe)
    #2 0x4056e2  (/usr/bin/dpkg-deb+0x4056e2)
    #3 0x7f38390b8b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x4074ca  (/usr/bin/dpkg-deb+0x4074ca)

Address 0x7fffbdcdf338 is located in stack of thread T0 at offset 872 in frame
    #0 0x40b4bf  (/usr/bin/dpkg-deb+0x40b4bf)

  This frame has 13 object(s):
    [32, 33) 'nlc'
    [96, 100) 'dummy'
    [160, 168) 'version'
    [224, 232) 'ctrllennum'
    [288, 304) 'err'
    [352, 384) 'cmd'
    [416, 424) 'p1'
    [480, 488) 'p2'
    [544, 604) 'arh'
    [640, 784) 'stab'
    [832, 872) 'versionbuf' <== Memory access at offset 872 overflows this variable
    [928, 968) 'ctrllenbuf'
    [1024, 1224) 'buf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x100077b93e10: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x100077b93e20: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 f4
  0x100077b93e30: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x100077b93e40: 00 00 00 00 00 04 f2 f2 f2 f2 00 00 00 00 00 00
  0x100077b93e50: 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4 f2 f2
=>0x100077b93e60: f2 f2 00 00 00 00 00[f4]f4 f4 f2 f2 f2 f2 00 00
  0x100077b93e70: 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
  0x100077b93e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b93e90: 00 00 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x100077b93ea0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x100077b93eb0: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11286==ABORTING

To be on the safe side, I'm reporting it as a critical security vuln
because this is a memory error in the core component. Please contact me
on [email protected].

----- End forwarded message -----

Quoting Guillem:

> The .deb is an ar archive w/o the '\n' trailer on the «!<arch>» magic
> value. The dpkg-deb/extract.c:extracthalf() function calls read_line()
> passing to it versionbuf with the off-by-one length, that one writes
> 41 bytes into it (with a trailing \0), stomping on whatever is next in
> the stack. But this should in principle have no visible effect because
> regardless of how the compiler has organized the local stack, any
> subsequently used local variable is first assigned so the trailing \0
> would not be in effect, and versionbuf is only ever used to compare
> against shorter constant strings, which should all fail, the first
> against "!<arch>\n", then against "0.93", and after that it just
> aborts the program.

Attached is the corresponding patch.

Regards,
Salvatore
From ac3ee4c3db5ecca5d2c343415273823da4c107ae Mon Sep 17 00:00:00 2001
From: Guillem Jover <[email protected]>
Date: Sun, 6 Sep 2015 21:25:00 +0200
Subject: [PATCH] dpkg-deb: Fix off-by-one write access on versionbuf variable

Reported-by: Jacek Wielemborek <[email protected]>
---
 dpkg-deb/extract.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index d5ac05c..1d2a76a 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -131,7 +131,7 @@ extracthalf(const char *debar, const char *dir,
   if (fstat(arfd, &stab))
     ohshite(_("failed to fstat archive"));
 
-  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf));
+  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1);
   if (r < 0)
     read_fail(r, debar, _("archive magic version number"));
 
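Review bot: the `- 1` at this one call site stops the overflow but leaves the contract unchanged: read_line() still writes its terminating '\0' one byte past the `max` it is given, so every other caller has to remember the same subtraction. The ASan frame listing in the report shows a second 40-byte buffer, `ctrllenbuf`, in this same extracthalf() frame, and the 1.17.26 changelog later in this thread records a separate off-by-one fix for the old-format control member size, which points at the sibling read_line() call needing the same treatment. Suggest either auditing every read_line() caller for `sizeof(buf) - 1`, or changing read_line() to take the full buffer size and reserve the terminator itself so the arithmetic cannot be repeated wrongly; a one-line comment here on why the `- 1` is required would also help the next reader.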
-- 
2.5.1


--- End Message ---
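Guillem's explanation above, worked through as an added C example that is not dpkg's code: a model of the read_line() contract he describes (a `max` payload count, with the '\0' written one past it) reads from a constructed in-memory .deb whose magic lacks the trailing '\n', once with sizeof(versionbuf) as in the unpatched call, once with sizeof(versionbuf) - 1 as in the patch, and once through a hypothetical hardened variant that takes the full buffer size and reserves the terminator itself. The mem_fd struct, the extra `cap` bounds parameter, the safe_read_line() name and the sample bytes are all assumptions of this example; the model reports the would-be out-of-bounds write as -2 rather than performing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Magic string as quoted on the page; dpkg's real definition lives in its headers. */
#define DPKG_AR_MAGIC "!<arch>\n"

/* Hypothetical in-memory stand-in for the archive file descriptor (assumption of
 * this example), so everything runs offline on a constructed byte string. */
struct mem_fd {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Model of the read_line() contract Guillem describes: read up to `max` bytes,
 * stopping after a '\n', require at least `min`, then write a terminating '\0'
 * at buf[n] with n <= max. For a long line that '\0' lands at buf[max], one past
 * the count the caller supplied. `cap` is the true size of `buf` and is not part
 * of the modelled API: the model returns -2 where the real function would write
 * out of bounds, which is what ASan reported on the 40-byte versionbuf.
 * Returns bytes stored, -1 on a short read, -2 on a would-be overflow. */
static int model_read_line(struct mem_fd *fd, char *buf, size_t cap,
                           size_t min, size_t max)
{
    size_t n = 0;

    while (n < max && fd->pos < fd->len) {
        unsigned char c = fd->data[fd->pos++];

        if (n >= cap)
            return -2;          /* payload byte would overflow the buffer */
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    if (n < min)
        return -1;              /* short read, like read_fail() in dpkg-deb */
    if (n >= cap)
        return -2;              /* the '\0' would land at buf[cap] */
    buf[n] = '\0';
    return (int)n;
}

/* Hardened variant (assumption of this example, not dpkg's API): the caller
 * passes the whole buffer size and the function reserves the terminator, so no
 * call site can get the "- 1" wrong. */
static int safe_read_line(struct mem_fd *fd, char *buf, size_t bufsize,
                          size_t min)
{
    if (bufsize == 0)
        return -1;
    return model_read_line(fd, buf, bufsize, min, bufsize - 1);
}

/* Constructed sample mirroring the crash file: an ar archive whose magic lacks
 * the trailing '\n', followed by a 60-byte member header, so the first newline
 * sits well past byte 40. */
static const char BAD_DEB[] =
    "!<arch>"
    "debian-binary   1441556700  0     0     100644  4         `\n"
    "2.0\n";

/* One read into a 40-byte versionbuf, as extracthalf() does, with the given
 * `max`; returns model_read_line()'s result. */
static int read_version(size_t max)
{
    char versionbuf[40];
    struct mem_fd fd = { (const unsigned char *)BAD_DEB, sizeof(BAD_DEB) - 1, 0 };

    return model_read_line(&fd, versionbuf, sizeof(versionbuf),
                           strlen(DPKG_AR_MAGIC), max);
}

/* Before the patch: max == sizeof(versionbuf), so the '\0' overflows (-2). */
static int run_unfixed(void) { return read_version(40); }

/* After the patch: max == sizeof(versionbuf) - 1, 39 bytes plus '\0' fit. */
static int run_fixed(void) { return read_version(39); }

/* The hardened API reaches the same safe result without caller arithmetic. */
static int run_hardened(void)
{
    char versionbuf[40];
    struct mem_fd fd = { (const unsigned char *)BAD_DEB, sizeof(BAD_DEB) - 1, 0 };

    return safe_read_line(&fd, versionbuf, sizeof(versionbuf),
                          strlen(DPKG_AR_MAGIC));
}

/* After the fixed read the buffer still fails the magic comparison, which is
 * why the bug had no visible effect beyond the ASan report: 1 if versionbuf
 * starts with DPKG_AR_MAGIC, else 0. */
static int fixed_magic_matches(void)
{
    char versionbuf[40];
    struct mem_fd fd = { (const unsigned char *)BAD_DEB, sizeof(BAD_DEB) - 1, 0 };

    if (model_read_line(&fd, versionbuf, sizeof(versionbuf),
                        strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1) < 0)
        return 0;
    return strncmp(versionbuf, DPKG_AR_MAGIC, strlen(DPKG_AR_MAGIC)) == 0;
}

int main(void)
{
    printf("unfixed (max = sizeof buf):     %d\n", run_unfixed());
    printf("fixed   (max = sizeof buf - 1): %d\n", run_fixed());
    printf("hardened API:                   %d\n", run_hardened());
    printf("magic matches after fixed read: %d\n", fixed_magic_matches());
    return 0;
}
```

Build with `cc -Wall -o readline_demo readline_demo.c` and run it. The design point is the one the patch leaves open: an API whose size argument excludes the terminator makes every caller responsible for the subtraction, whereas an API that takes the full buffer size and reserves the terminator itself removes that class of off-by-one at every call site at once.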
--- Begin Message ---
Source: dpkg
Source-Version: 1.17.26

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 25 Nov 2015 22:54:54 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.17.26
Distribution: jessie-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 785095 798324 799020
Changes:
 dpkg (1.17.26) jessie-security; urgency=high
 .
   [ Guillem Jover ]
   * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
     Reported by Jacek Wielemborek <[email protected]>. Closes: #798324
   * Fix an off-by-one write access in dpkg-deb when parsing the old format
     .deb control member size. Thanks to Hanno Böck <[email protected]>.
     Fixes CVE-2015-0860.
   * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
     Thanks to Hanno Böck <[email protected]>.
 .
   [ Updated programs translations ]
   * Catalan (Jordi Mallach).
   * Turkish (Mert Dirik). Closes: #785095
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann). (Various fixes)
   * Spanish (Santiago Vila). Closes: #799020
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann). (Various fixes)
Checksums-Sha1:
 4d26f56352980cbc57a78608a184b5a3c5ff68f9 2018 dpkg_1.17.26.dsc
 27e5649d983cae956268207bce59a70fe6379fe9 4410860 dpkg_1.17.26.tar.xz
 fd4a781cf539aaf1295c7e9bf74a59e8d6519102 876250 libdpkg-dev_1.17.26_amd64.deb
 ceac73c668ba615aaa6b362d48442c357ea9fff5 2990646 dpkg_1.17.26_amd64.deb
 6fc7417719fb0dcba5976fe70541deed3500188f 1138140 dselect_1.17.26_amd64.deb
 255b9b778d564260af540c71b07d186c01c19504 1544868 dpkg-dev_1.17.26_all.deb
 c69b0ab1888620beda2bfb75b8cd5f9bd001e2d1 1071662 libdpkg-perl_1.17.26_all.deb
Checksums-Sha256:
 aa6d4bf6a85bf8f469d64a5ec28a53486ab216c7d1dc87e05d8395fb4540cf33 2018 dpkg_1.17.26.dsc
 aa4e758752cdfd7ecb118d7a7d31139a0c090c92aa494aa2e46603006deb1ec8 4410860 dpkg_1.17.26.tar.xz
 725690fb240417a05d9b6442c00e50a61f599764a91edab7e0ae25116ba50859 876250 libdpkg-dev_1.17.26_amd64.deb
 95599abfb639919c49f45fc5dd2aa6b0cb9f9703c3d4eac4b5a5dee9c8bce4be 2990646 dpkg_1.17.26_amd64.deb
 f3f16a6ec68a4ad2b02b796340d3deca42fffa646b1b469006a7dd00165fd373 1138140 dselect_1.17.26_amd64.deb
 3a831ae1b534677c664c84be3d3930720a7db32e9d177e27a5048ef807ef3113 1544868 dpkg-dev_1.17.26_all.deb
 8871dcffccbdea243fdd5cd98b18895b7b9bee074be7fce7458a493f6e6fc174 1071662 libdpkg-perl_1.17.26_all.deb
Files:
 50037d0f2e9f98fe8fccae80aac4add4 2018 admin required dpkg_1.17.26.dsc
 07911f1c575f196f108a3c19c5bd517e 4410860 admin required dpkg_1.17.26.tar.xz
 ad024fd557a6e958f18ac96a79328edf 876250 libdevel optional libdpkg-dev_1.17.26_amd64.deb
 303a76790d0823abb91e88e6ea6a6a71 2990646 admin required dpkg_1.17.26_amd64.deb
 33746c56b130230a079cc5f6c2d32044 1138140 admin optional dselect_1.17.26_amd64.deb
 33f80c3a5bbab02ca909fb252ff0b91f 1544868 utils optional dpkg-dev_1.17.26_all.deb
 bf7f0c73d5e8e47c67f46e03e48571a7 1071662 perl optional libdpkg-perl_1.17.26_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
=G83v
-----END PGP SIGNATURE-----

--- End Message ---
