Your message dated Wed, 24 Jan 2024 12:49:23 +0000
with message-id <[email protected]>
and subject line Bug#1061404: fixed in dpkg 1.22.4
has caused the Debian Bug report #1061404,
regarding dpkg read buffer overrun unpacking K (long symbolic) records in 
data.tar
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1061404: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061404
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.21.22
Severity: important

Dear Maintainer,

On unpacking a custom .dpkg file with long symbolic links, I found a
bunch of symbolic links ending in right, and one with copyright. The
overrun made all the links exactly the same length, suggesting reuse
of some kind of static buffer, but it's not clear if that's really
the case.

Making long link records an extra byte longer for the trailing null
fixed the overrun and allowed the package to unpack correctly.

Source for long link record length does not include trailing null:

https://repo.or.cz/libtar.git/blob/HEAD:/lib/block.c#l294

I've stashed the offending .deb package but I'm not sure if I can
get clearance to release it.

This is a potential security vulnerability due to the bug class,
but I can't find a plausible exploit pathway.

-- Package-specific info:
This system uses merged-usr-via-aliased-dirs, going behind dpkg's
back, breaking its core assumptions. This can cause silent file
overwrites and disappearances, and its general tools misbehavior.
See <https://wiki.debian.org/Teams/Dpkg/FAQ#broken-usrmerge>.

-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-16-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-5+b1
ii  libc6        2.36-9+deb12u3
ii  liblzma5     5.4.1-0.2
ii  libmd0       1.0.4-2
ii  libselinux1  3.4-1+b6
ii  libzstd1     1.5.4+dfsg2-5
ii  tar          1.34+dfsg-1.2
ii  zlib1g       1:1.2.13.dfsg-1

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.6.1
pn  debsig-verify  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.22.4
Done: Guillem Jover <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Jan 2024 13:12:31 +0100
Source: dpkg
Architecture: source
Version: 1.22.4
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 1061404
Changes:
 dpkg (1.22.4) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Code internals:
     - dpkg: Rename r variable for readlink() return value to symlink_len.
     - dpkg: Rename r variable for fd_read() return value to n.
     - dpkg-deb: Rename r variable for fd_read() return value to nread.
     - dpkg-deb: Rename r variables for fd_read() call chain return value to rc.
     - dpkg-split: Rename r variable for strtoimax() return value to ret.
     - libdpkg: Rename r variable for path_quote_filename() return to ret.
     - libdpkg: Rename r variable for fclose() return value to rc.
     - libdpkg: Rename r variables for printf()-like return values to n.
     - libdpkg: Handle tar long GNU names and links not being NUL terminated.
       Closes: #1061404
     - perl: Use qw() when importing symbols.
     - dpkg-gensymbols: Move foreach inlined array elements into a list.
     - dpkg-scansources: Fix newline breaks for ternary operators.
   * Packaging:
     - Update copyright years.


--- End Message ---
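
The report and the 1.22.4 changelog entry both concern GNU tar long name ('L') and long link ('K') records whose size field does not count a trailing NUL. The following is an added example, not dpkg's or libtar's code, of reading such a record without depending on a terminator in the payload; `read_gnu_long`, `build_sample` and the `MAX_LONG_NAME` cap are hypothetical names and values chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TAR_BLOCK 512
#define MAX_LONG_NAME 65536   /* assumed sanity cap, not a dpkg constant */

/* Decode the octal size field (header offset 124, 12 bytes). */
static uint64_t tar_size(const unsigned char *hdr)
{
    uint64_t v = 0;
    for (int i = 124; i < 136 && hdr[i] >= '0' && hdr[i] <= '7'; i++)
        v = v * 8 + (uint64_t)(hdr[i] - '0');
    return v;
}

/* Return a malloc'd, NUL-terminated copy of the GNU 'K'/'L' payload at
 * buf+off, or NULL if malformed. *next receives the next header offset. */
char *read_gnu_long(const unsigned char *buf, size_t len, size_t off, size_t *next)
{
    if (off > len || len - off < TAR_BLOCK)
        return NULL;
    const unsigned char *hdr = buf + off;
    uint64_t size = tar_size(hdr);
    if ((hdr[156] != 'K' && hdr[156] != 'L') || size == 0 || size > MAX_LONG_NAME)
        return NULL;
    size_t padded = ((size_t)size + TAR_BLOCK - 1) / TAR_BLOCK * TAR_BLOCK;
    if (len - off - TAR_BLOCK < padded)
        return NULL;                      /* payload runs past the archive */
    char *s = malloc((size_t)size + 1);   /* +1: the record may carry no NUL */
    if (s == NULL) return NULL;
    memcpy(s, hdr + TAR_BLOCK, (size_t)size);
    s[size] = '\0';                       /* terminate here, never trust the payload */
    *next = off + TAR_BLOCK + padded;
    return s;
}

/* Constructed sample: one 'K' record whose size omits the trailing NUL and
 * whose padding is 'X' bytes, so a missing terminator would be visible. */
size_t build_sample(unsigned char *out, size_t cap, const char *target, uint64_t claimed)
{
    if (cap < 2 * TAR_BLOCK || strlen(target) > TAR_BLOCK) return 0;
    memset(out, 'X', 2 * TAR_BLOCK);
    memset(out, 0, TAR_BLOCK);
    snprintf((char *)out + 124, 12, "%011llo", (unsigned long long)claimed);
    out[156] = 'K';
    memcpy(out + TAR_BLOCK, target, strlen(target));
    return 2 * TAR_BLOCK;
}
```

A reader that instead treated the payload as a C string would, on this sample, run on into the 'X' padding; a size field that claims more data than the archive holds is rejected rather than read.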