This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=5356621172d669d8f62e7e746a6c7a11345aec4e The following commit(s) were added to refs/heads/main by this push: new 535662117 dpkg-deb: Fix buffer overflow on long directory names with old deb formats 535662117 is described below commit 5356621172d669d8f62e7e746a6c7a11345aec4e (HEAD -> main) Author: Guillem Jover <[email protected]> AuthorDate: Tue Jan 3 23:29:05 2023 +0100 dpkg-deb: Fix buffer overflow on long directory names with old deb formats The handling for deb 0.x formats that relocates files around once extracted was using a buffer with a hardcoded size, not taking into account the length of the directory which would overflow it. Switch to use a dynamically allocated buffer to handle any destination directory length. Reported-by: Georgy Yakovlev <[email protected]> --- src/deb/extract.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/deb/extract.c b/src/deb/extract.c index a09853962..6466fa6f2 100644 --- a/src/deb/extract.c +++ b/src/deb/extract.c @@ -53,15 +53,16 @@ static void movecontrolfiles(const char *dir, const char *thing) { - char buf[200]; + char *cmd; pid_t pid; - sprintf(buf, "mv %s/%s/* %s/ && rmdir %s/%s", dir, thing, dir, dir, thing); + cmd = str_fmt("mv %s/%s/* %s/ && rmdir %s/%s", dir, thing, dir, dir, thing); pid = subproc_fork(); if (pid == 0) { - command_shell(buf, _("shell command to move files")); + command_shell(cmd, _("shell command to move files")); } subproc_reap(pid, _("shell command to move files"), 0); + free(cmd); } static void DPKG_ATTR_NORET -- Dpkg.Org's dpkg
