This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=b854bd6029ef632701af1d4411c6f81e265af884 commit b854bd6029ef632701af1d4411c6f81e265af884 Author: Guillem Jover <[email protected]> AuthorDate: Sun May 19 02:24:51 2019 +0200 dpkg-deb: Validate ar member magic before normalizing any of its fields If the header is not valid, we should not try to normalize or even consider it is in any sane state. --- debian/changelog | 1 + dpkg-deb/extract.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2a0615f36..66736acdd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ dpkg (1.19.7) UNRELEASED; urgency=medium * dpkg: Split the trigger dependtry into two, the second of which will be the one checking trigger cycles when deferring trigger processing due to unsatisfiable dependencies. Closes: #928429 + * dpkg-deb: Validate ar member magic before normalizing any of its fields. [ Updated programs translations ] * Catalan (Guillem Jover). diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c index dba15dedb..ff31ccc20 100644 --- a/dpkg-deb/extract.c +++ b/dpkg-deb/extract.c @@ -137,10 +137,11 @@ extracthalf(const char *debar, const char *dir, if (r != sizeof(arh)) read_fail(r, debar, _("archive member header")); - dpkg_ar_normalize_name(&arh); - if (dpkg_ar_member_is_illegal(&arh)) ohshit(_("file '%.250s' is corrupt - bad archive header magic"), debar); + + dpkg_ar_normalize_name(&arh); + memberlen = dpkg_ar_member_get_size(ar, &arh); if (!header_done) { char *infobuf; -- Dpkg.Org's dpkg
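Review bot: In the dpkg-deb/extract.c hunk, dpkg_ar_member_is_illegal(&arh) now runs on the header exactly as read, before dpkg_ar_normalize_name(&arh), so it is worth confirming in the commit message or a comment that the check looks only at the magic and never at the name field, since it would now see that field un-normalized. The error string ("bad archive header magic") suggests that is the case, but the hunk does not show the function body. The diffstat lists only debian/changelog and dpkg-deb/extract.c, so no regression test pins the new order; a test case that feeds extracthalf() an archive whose member header carries bad magic and expects the ohshit() path would keep a later refactor from moving the normalize call back above the check. This hunk covers only extracthalf(); any other call site that reads an ar member header and calls dpkg_ar_normalize_name() should be checked for the same normalize-before-validate order.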

