Package: dpkg
Version: 1.20.5
Severity: normal
Tags: upstream
X-Debbugs-Cc:

I cannot reproduce this on a Debian binary package. Hardening flags
like FORTIFY_SOURCE may keep this from being an issue.

I found this fooling around with ASan:

    $ ./dpkg --admindir='/var/lib/dpkg' -V apt
    varbuf.c:99:3: runtime error: null pointer passed as argument 1, which is declared to never be null

Here's the relevant bit of code with a check to diagnose:

     void varbuf_add_buf(struct varbuf *v, const void *s, size_t size)
     {
       varbuf_grow(v, size);
    +  if(v->buf + v->used == NULL) {
    +    puts((size == 0) ? "size is zero" : "size is not zero");
    +  }
       memcpy(v->buf + v->used, s, size);
       v->used += size;
     }

This prints "size is zero", so maybe that's why this seems harmless:
memcpy() may not do anything and the same may go for adding 'size'.

-- Package-specific info:
System tainted due to merged-usr-via-symlinks.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (2, 'unstable'), (1, 'testing-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-2-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_USER, TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-4
ii  libc6        2.31-3
ii  liblzma5     5.2.4-1+b1
ii  libselinux1  3.1-2
ii  tar          1.30+dfsg-7
ii  zlib1g       1:1.2.11.dfsg-2

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.1.10
pn  debsig-verify  <none>

-- no debconf information
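
Added example, not part of the original report and not dpkg's code or its fix: a minimal buffer in the same shape as the one described above, where a zero-length append to a never-allocated buffer returns before memcpy() is reached. The C standard requires valid pointers for memcpy() even when the length is zero, which is why the sanitizer reports the call. The names struct vb, vb_grow and vb_add_buf are hypothetical, and the assumption is that an empty buffer keeps buf == NULL until bytes are actually needed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the buffer in the report; not dpkg's struct varbuf. */
struct vb {
	size_t used, size;
	char *buf;
};

/* Grow only when more room is needed, so an empty buffer keeps buf == NULL
 * (assumed to match the state the report observed). Returns 0 on success. */
static int vb_grow(struct vb *v, size_t need)
{
	size_t newsize;
	char *p;

	if (need > (size_t)-1 - v->used)
		return -1;                /* used + need would overflow */
	if (v->size - v->used >= need)
		return 0;                 /* enough room, including need == 0 */
	newsize = v->used + need;
	if (newsize <= (size_t)-1 / 2)
		newsize *= 2;             /* amortise repeated appends */
	p = realloc(v->buf, newsize);
	if (p == NULL)
		return -1;
	v->buf = p;
	v->size = newsize;
	return 0;
}

/* Append size bytes. Returns 1 if memcpy() ran, 0 if skipped, -1 on error. */
static int vb_add_buf(struct vb *v, const void *s, size_t size)
{
	if (vb_grow(v, size) < 0)
		return -1;
	if (size == 0)
		return 0;  /* no NULL destination or source ever reaches memcpy() */
	memcpy(v->buf + v->used, s, size);
	v->used += size;
	return 1;
}

int main(void)
{
	struct vb v = { 0, 0, NULL };
	int skipped = vb_add_buf(&v, NULL, 0);  /* the case from the report */
	int copied = vb_add_buf(&v, "apt", 3);
	free(v.buf);
	return !(skipped == 0 && copied == 1);
}
```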