Your message dated Thu, 07 Jul 2016 18:52:38 +0000
with message-id <[email protected]>
and subject line Bug#828812: fixed in apt 1.3~pre1
has caused the Debian Bug report #828812,
regarding apt: buffer overrun in ListParser::VersionHash()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
828812: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828812
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt
Version: 1.0.9.8.3
Severity: important

Dear Maintainer,

I encountered a stack-smash error in apt-get caused by the contents of
the "Depends" header of one of my packages. While the crash occurred
on Ubuntu 14.04, the problem is still present in the apt sources as
cloned from git this evening.

In ListParser::VersionHash(), if a header (Depends, Pre-Depends, etc.)
value is less than 1024 bytes (sizeof(S)) in length, it is copied into
S. As each character is processed, ASCII space characters are skipped,
upper case characters are converted to lower case, and "<" & ">"
characters are converted to "<=" and ">=". The latter conversion may
result in a buffer overrun, especially if the header value is close to
1024 bytes in length, as it increases the overall length of the data
being copied.

I can see several ways that this problem might be addressed, including
truncating the copy at 1024 bytes, using a dynamic buffer (std::vector
or std::string), etc. I have not submitted a patch, as I don't feel I
have the context to make the best implementation choice. That being
said, I'm willing to follow up with a patch given such guidance.

--jtc

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.3
ii  gnupg                   1.4.18-7+deb8u1
ii  libapt-pkg4.12          1.0.9.8.3
ii  libc6                   2.19-18+deb8u4
ii  libgcc1                 1:4.9.2-10
ii  libstdc++6              4.9.2-10

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc     <none>
ii  aptitude    0.6.11-1+b1
pn  dpkg-dev    <none>
ii  python-apt  0.9.3.12

-- no debconf information
--- End Message ---
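
The overrun described in the report above, as an added C++ example (not apt's source and not code from the reporter or the maintainers): a value that passes the "less than 1024 bytes" check still normalises to more than 1024 bytes, shown next to the two remedies the report names. All function names are hypothetical, and the exact rule for when '=' is appended is an assumption of this sketch.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

constexpr std::size_t kBufSize = 1024;  // sizeof(S) as given in the report
// The gate the report describes: shorter values are copied into S.
bool passes_length_gate(const std::string &v) { return v.size() < kBufSize; }

// Assumption of this sketch: '=' follows only a lone '<' or '>', i.e. one
// not already followed by '=' or by the same character.
static bool needs_equals(const std::string &v, std::size_t i) {
    if (v[i] != '<' && v[i] != '>') return false;
    char next = (i + 1 < v.size()) ? v[i + 1] : '\0';
    return next != '=' && next != v[i];
}
static char lower_ascii(char c) {
    return (c >= 'A' && c <= 'Z') ? static_cast<char>(c - 'A' + 'a') : c;
}

// Remedy 1 from the report: a dynamic buffer that grows with the output.
std::string normalize_dynamic(const std::string &v) {
    std::string out;
    out.reserve(v.size() * 2);  // worst case: every byte gains an '='
    for (std::size_t i = 0; i < v.size(); ++i) {
        if (v[i] == ' ') continue;  // ASCII spaces are skipped
        out.push_back(lower_ascii(v[i]));
        if (needs_equals(v, i)) out.push_back('=');
    }
    return out;
}

// Remedy 2 from the report: keep the fixed buffer, stop at its end.
std::size_t normalize_truncating(const std::string &v, char *out, std::size_t cap) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < v.size() && n < cap; ++i) {
        if (v[i] == ' ') continue;
        out[n++] = lower_ascii(v[i]);
        if (needs_equals(v, i) && n < cap) out[n++] = '=';
    }
    return n;
}

int main() {
    std::string v;  // constructed input: 1000 bytes, under the 1024 gate
    for (int i = 0; i < 500; ++i) v += "A<";
    char s[kBufSize];
    std::printf("in=%zu gate=%d out=%zu kept=%zu\n", v.size(), passes_length_gate(v),
                normalize_dynamic(v).size(), normalize_truncating(v, s, sizeof s));
}
```

Checking the input length alone is not enough because the transformation can both shrink (spaces) and grow ('=' insertion) the data; the bound has to be enforced on the write side.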
--- Begin Message ---
Source: apt
Source-Version: 1.3~pre1

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <[email protected]> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Thu, 07 Jul 2016 20:25:18 +0200
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.3~pre1
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <[email protected]>
Changed-By: Julian Andres Klode <[email protected]>
Description:
 apt - commandline package manager
 apt-doc - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils - package management related utility programs
 libapt-inst2.0 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg5.0 - package management runtime library
Closes: 420940 825216 827930 828011 828812 828908 829232 829651
Changes:
 apt (1.3~pre1) unstable; urgency=medium
 .
   Upload to unstable from the pub because Niels wanted it
 .
   [ David Kalnischkies ]
   * show right binary name in simulation notice (Closes: 825216)
   * imbue datetime parsing with C.UTF-8 locale (Closes: 828011)
   * imbue .diff/Index parsing with C.UTF-8 as well
   * close server if parsing of header field failed
   * add myself to Uploaders
   * eipp: implement version 0.1 of the protocol
   * eipp: provide the internal planer as an external one
   * eipp: make no difference between remove & purge
   * eipp: properly handle arch-specific provides
   * eipp: implement Immediate-Configuration flag
   * eipp: add Allow-Temporary-Remove-of-Essentials
   * eipp: rename stanza 'Install' to 'Unpack'
   * eipp: enable xz-compressed scenario logging
   * if conf unset, don't read / as conf/pref/sources dir
   * don't do atomic overrides with failed files (Closes: 828908)
   * if reading of autobit state failed, let write fail
   * write auto-bits before calling dpkg & again after if needed
   * protect only the latest same-source providers from autoremove
   * reinstalling local deb file is no downgrade
   * do not treat same-version local debs as downgrade
   * alias apt-key list to finger (Closes: 829232)
   * warn if apt-key is used in scripts/its output parsed
   * deprecate 'apt-key update' and no-op it in Debian
   * use +0000 instead of UTC by default as timezone in output
   * avoid 416 response teardown binding to null pointer
   * report write errors in EDSP/EIPP properly back to caller
   * EIPP/EDSP log can't be written is a warning, not an error
   * don't change owner/perms/times through file:// symlinks
   * report all instead of first error up the acquire chain
   * keep trying with next if connection to a SRV host failed
 .
   [ Zhou Mo ]
   * zh_CN.po: update simplified chinese translation
 .
   [ Julian Andres Klode ]
   * methods/ftp: Cope with weird PASV responses. Thanks to Lukasz Stelmach
     for the initial patch (Closes: #420940)
   * Fix buffer overflow in debListParser::VersionHash() (Closes: #828812)
   * cache: Bump minor version to 6
   * indextargets: Check that cache could be built before using it
     (Closes: #829651)
 .
   [ Nicolas Le Cam ]
   * Use the ConditionACPower feature of systemd in the apt-daily service
     (Closes: #827930)
   * Add a apt suggests powermgmt-base
--- End Message ---

