Your message dated Thu, 26 Nov 2015 21:17:06 +0000
with message-id <[email protected]>
and subject line Bug#798324: fixed in dpkg 1.17.26
has caused the Debian Bug report #798324,
regarding dpkg-deb: Fix off-by-one write access on versionbuf variable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
798324: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798324
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.18.2
Severity: normal
Tags: patch

The following was reported by Jacek Wielemborek:

----- Begin forwarded message -----

Dear Maintainer,

I built dpkg with afl-gcc and AFL_USE_ASAN=1. Here's the base64-encoded .deb file it generated:

And here's the crash:

root@1442a2c3a089:~/fuzz/dpkg/o/crashes# dpkg --info id\:000000\,sig\:06\,src\:000000\,op\:flip1\,pos\:7
=================================================================
==11286==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbdcdf338 at pc 0x00000040cf49 bp 0x7fffbdcdef70 sp 0x7fffbdcdef68
WRITE of size 1 at 0x7fffbdcdf338 thread T0
    #0 0x40cf48 (/usr/bin/dpkg-deb+0x40cf48)
    #1 0x410dfe (/usr/bin/dpkg-deb+0x410dfe)
    #2 0x4056e2 (/usr/bin/dpkg-deb+0x4056e2)
    #3 0x7f38390b8b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x4074ca (/usr/bin/dpkg-deb+0x4074ca)

Address 0x7fffbdcdf338 is located in stack of thread T0 at offset 872 in frame
    #0 0x40b4bf (/usr/bin/dpkg-deb+0x40b4bf)

  This frame has 13 object(s):
    [32, 33) 'nlc'
    [96, 100) 'dummy'
    [160, 168) 'version'
    [224, 232) 'ctrllennum'
    [288, 304) 'err'
    [352, 384) 'cmd'
    [416, 424) 'p1'
    [480, 488) 'p2'
    [544, 604) 'arh'
    [640, 784) 'stab'
    [832, 872) 'versionbuf' <== Memory access at offset 872 overflows this variable
    [928, 968) 'ctrllenbuf'
    [1024, 1224) 'buf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
==11286==ABORTING

To be on the safe side, I'm reporting it as a critical security vuln because this is a memory error in the core component. Please contact me on [email protected].

----- End forwarded message -----

Quoting Guillem:

> The .deb is an ar archive w/o the '\n' trailer on the «!<arch>» magic
> value. The dpkg-deb/extract.c:extracthalf() function calls read_line()
> passing to it versionbuf with the off-by-one length, that one writes
> 41 bytes into it (with a trailing \0), stomping on whatever is next in
> the stack. But this should in principle have no visible effect because
> regardless of how the compiler has organized the local stack, any
> subsequently used local variable is first assigned so the trailing \0
> would not be in effect, and versionbuf is only ever used to compare
> against shorter constant strings, which should all fail, the first
> against "!<arch>\n", then against "0.93", and after that it just
> aborts the program.

Attached is the corresponding patch.

Regards,
Salvatore

From ac3ee4c3db5ecca5d2c343415273823da4c107ae Mon Sep 17 00:00:00 2001
From: Guillem Jover <[email protected]>
Date: Sun, 6 Sep 2015 21:25:00 +0200
Subject: [PATCH] dpkg-deb: Fix off-by-one write access on versionbuf variable

Reported-by: Jacek Wielemborek <[email protected]>
---
 dpkg-deb/extract.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index d5ac05c..1d2a76a 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -131,7 +131,7 @@ extracthalf(const char *debar, const char *dir,
   if (fstat(arfd, &stab))
     ohshite(_("failed to fstat archive"));
 
-  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf));
+  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1);
   if (r < 0)
     read_fail(r, debar, _("archive magic version number"));
-- 
2.5.1
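Review bot: the hunk repairs only this one call site, passing sizeof(versionbuf) - 1 so that the trailing '\0' read_line() writes lands at versionbuf[39] instead of one past the end; since read_line() is the function that writes the terminator, it would be more robust to fix the contract once inside read_line() (treat its length argument as the full buffer size and stop storing at max_size - 1) so every caller can keep passing sizeof(buf), instead of relying on each caller to remember the -1. At minimum a short comment on the call explaining why the -1 is there would help the next reader. The changelog in the closing message lists a second off-by-one write of the same kind when parsing the old format .deb control member size (CVE-2015-0860), which suggests the per-caller approach is easy to get wrong.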
--- End Message ---
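The off-by-one Guillem describes, worked through in C as an added example that is not dpkg's code: model_read_line() is an assumption about read_line()'s contract as the quote states it (min_size bytes, then one byte at a time, up to max_size, then a '\0'), run over two constructed .deb headers into a 40-byte versionbuf model so the index of the terminator shows why sizeof(versionbuf) lands one past the end and sizeof(versionbuf) - 1 does not. VERSIONBUF_SIZE, good_deb, bad_deb, terminator_index() and magic_matches() are all constructed here.

```c
#include <string.h>
#define DPKG_AR_MAGIC "!<arch>\n"
#define VERSIONBUF_SIZE 40 /* versionbuf spans [832, 872) in the ASan frame list */

/* In-memory model of dpkg-deb's read_line() as Guillem describes it (an
 * assumption about its contract, not dpkg's code): store min_size bytes, then
 * one at a time, until a '\n' is stored or max_size bytes are in buf, then
 * write '\0'.  Returns the index of that '\0'.  src holds >= max_size bytes. */
static size_t model_read_line(const char *src, char *buf, size_t min_size, size_t max_size)
{
    size_t stored = 0, n = min_size;
    char *nl;
    while (stored < max_size) {
        size_t take = n < max_size - stored ? n : max_size - stored;
        memcpy(buf + stored, src + stored, take);
        nl = memchr(buf + stored, '\n', take);
        stored += take;
        if (nl != NULL) {
            nl[1] = '\0';
            return (size_t)(nl + 1 - buf);
        }
        n = 1;
    }
    /* stored == max_size here: with max_size == sizeof(buf) this is buf[sizeof(buf)] */
    buf[stored] = '\0';
    return stored;
}

/* Constructed inputs: a well-formed header, and the reporter's case with the
 * '\n' after the magic missing and no newline in the first 40 bytes. */
static const char good_deb[] = "!<arch>\ndebian-binary   1441211456  0     0     100644  4         `\n";
static const char bad_deb[] = "!<arch>debian-binary   1441211456  0     0     100644  4         `\n";

/* Terminator index for a 40-byte versionbuf; the scratch buffer carries one
 * spare byte so this demonstration itself never writes out of bounds. */
static size_t terminator_index(const char *input, size_t max_size)
{
    char scratch[VERSIONBUF_SIZE + 1];
    return model_read_line(input, scratch, strlen(DPKG_AR_MAGIC), max_size);
}

/* The comparison extracthalf() makes next: does what was read equal the magic? */
static int magic_matches(const char *input, size_t max_size)
{
    char scratch[VERSIONBUF_SIZE + 1];
    model_read_line(input, scratch, strlen(DPKG_AR_MAGIC), max_size);
    return strcmp(scratch, DPKG_AR_MAGIC) == 0;
}
```

With the well-formed header the read stops after the 8-byte magic and the comparison succeeds; with the reporter's header and max_size == 40 the terminator index equals the buffer size (the ASan write at offset 872), while 39 keeps it inside and the magic check simply fails, as Guillem predicts.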
--- Begin Message ---
Source: dpkg
Source-Version: 1.17.26

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Wed, 25 Nov 2015 22:54:54 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.17.26
Distribution: jessie-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 785095 798324 799020
Changes:
 dpkg (1.17.26) jessie-security; urgency=high
 .
   [ Guillem Jover ]
   * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
     Reported by Jacek Wielemborek <[email protected]>. Closes: #798324
   * Fix an off-by-one write access in dpkg-deb when parsing the old format
     .deb control member size. Thanks to Hanno Böck <[email protected]>.
     Fixes CVE-2015-0860.
   * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
     Thanks to Hanno Böck <[email protected]>.
 .
   [ Updated programs translations ]
   * Catalan (Jordi Mallach).
   * Turkish (Mert Dirik). Closes: #785095
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann). (Various fixes)
   * Spanish (Santiago Vila). Closes: #799020
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann). (Various fixes)
--- End Message ---

