Package: apt
Version: 0.6.43.3
Severity: normal
Tags: patch

Hello,

The method pkgDPkgPM::Go in apt-pkg/deb/dpkgpm.cc contains the following code:

    char* list[4];
    TokSplitString(':', line, list, 5);

Since the last argument to TokSplitString is the number of elements in the list, the code can cause a buffer overflow. I suggest the attached patch.

The bug has caused aptitude to segfault on my system under some rare circumstances which I cannot quite pin down, unfortunately. I don't know a reliable way to reproduce the segfault, but hope to convince you that the current code is incorrect anyway. ;-)

Cheers,
Martin

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.16-1-amd64-k8
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages apt depends on:
ii  libc6        2.3.6-7     GNU C Library: Shared libraries
ii  libgcc1      1:4.1.0-1   GCC support library
ii  libstdc++6   4.1.0-1     The GNU Standard C++ Library v3

Versions of packages apt recommends:
ii  debian-archive-keyring  2006.01.18  GnuPG archive keys of the Debian a

-- no debconf information
--- apt-pkg/deb/dpkgpm.cc~ 2005-10-19 21:19:08.000000000 +0200 +++ apt-pkg/deb/dpkgpm.cc 2006-04-24 00:09:46.000000000 +0200 @@ -623,8 +623,8 @@ 'status: conffile-prompt: conffile : 'current-conffile' 'new-conffile' useredited distedited */ - char* list[4]; - TokSplitString(':', line, list, 5); + char* list[5]; + TokSplitString(':', line, list, sizeof(list)/sizeof(list[0])); char *pkg = list[1]; char *action = _strstrip(list[2]);
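Review bot: the return value of TokSplitString is still discarded and the lines right after the split (`char *pkg = list[1]; char *action = _strstrip(list[2]);`) dereference list[1] and list[2] unconditionally, so nothing in this hunk verifies that the split actually produced the fields the following code uses. Suggest checking the return value and that list[1] and list[2] are non-NULL before calling _strstrip; a status line with fewer colon-separated fields than the comment describes should be rejected rather than parsed. Deriving the count from sizeof(list)/sizeof(list[0]) is the right fix for the original mismatch, since it ties the bound to the array and cannot drift from it again.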
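The sizing mistake the report describes, as an added example that is not apt's code: a tokenizer with the calling convention the report attributes to TokSplitString (the last argument is the number of slots in the array, one of which holds a terminating NULL), a parser for the "status: pkg: action: detail" lines the hunk handles, and the two things the patch and its review call for, namely sizing the array from one constant and checking that the fields used are actually present. The splitter, the field count STATUS_FIELDS, the parse and check helpers and the sample lines are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tokenizer with the calling convention the report describes for
 * TokSplitString: 'list_max' is the number of slots in 'list', and the last
 * used slot always holds a terminating NULL. Splits 'input' in place on 'tok',
 * trimming blanks around each field. Returns 1 if every field fitted, 0 if
 * the input had more fields than slots (the surplus is dropped; the fields
 * already stored remain valid and NULL-terminated). Not apt's implementation. */
static int split_fields(char tok, char *input, char **list, size_t list_max)
{
    size_t count = 0;
    char *start = input;

    while (*start != '\0') {
        char *end = strchr(start, tok);
        if (end != NULL)
            *end = '\0';
        while (*start != '\0' && isspace((unsigned char)*start))
            start++;
        char *tail = start + strlen(start);
        while (tail > start && isspace((unsigned char)tail[-1]))
            *--tail = '\0';
        if (count + 1 >= list_max) {   /* no room left for a field plus NULL */
            list[count] = NULL;
            return 0;
        }
        list[count++] = start;
        if (end == NULL)
            break;
        start = end + 1;
    }
    list[count] = NULL;
    return 1;
}

/* The dpkg status lines the report's hunk parses carry at most four
 * colon-separated fields: "status: <pkg>: <action>: <detail>". */
#define STATUS_FIELDS 4

/* Copy the package and action fields of one status line into the caller's
 * buffers. Returns 1 on success, 0 if the line is too long or lacks a
 * package or action field (the check the original code did not make). */
static int parse_status_line(const char *line,
                             char *pkg, size_t pkg_len,
                             char *action, size_t action_len)
{
    char buf[512];
    if (strlen(line) >= sizeof buf)
        return 0;
    strcpy(buf, line);

    /* The bug in the report: 'char *list[4]' has 4 slots but the call said 5,
     * so under this convention a 4-field line makes the tokenizer store its
     * terminating NULL in list[4], one past the end. The fix: one slot per
     * field plus one for the NULL, with the count derived from the array
     * rather than from a hand-written literal that can drift. */
    char *list[STATUS_FIELDS + 1];
    split_fields(':', buf, list, sizeof list / sizeof list[0]);

    if (list[0] == NULL || list[1] == NULL || list[2] == NULL)
        return 0;
    snprintf(pkg, pkg_len, "%s", list[1]);
    snprintf(action, action_len, "%s", list[2]);
    return 1;
}

/* 1 if 'line' parses and yields the expected package and action, else 0. */
static int status_line_matches(const char *line, const char *want_pkg,
                               const char *want_action)
{
    char pkg[128], action[128];
    if (!parse_status_line(line, pkg, sizeof pkg, action, sizeof action))
        return 0;
    return strcmp(pkg, want_pkg) == 0 && strcmp(action, want_action) == 0;
}

/* 1 if the field check rejects 'line', else 0. */
static int status_line_rejected(const char *line)
{
    char pkg[128], action[128];
    return !parse_status_line(line, pkg, sizeof pkg, action, sizeof action);
}

int main(void)
{
    /* Constructed sample lines in the format quoted in the report's hunk. */
    const char *lines[] = {
        "status: libc6: unpacked",
        "status: conffile-prompt: conffile : '/etc/x' '/etc/x.dpkg-new' 0 0",
        "status: broken",
    };
    char pkg[128], action[128];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (parse_status_line(lines[i], pkg, sizeof pkg, action, sizeof action))
            printf("pkg=%s action=%s\n", pkg, action);
        else
            printf("rejected: %s\n", lines[i]);
    }
    return 0;
}
```

The third sample line has only two fields and is rejected instead of handing a NULL to the action-stripping step; with the original unchecked dereference that line would have reached _strstrip with whatever the missing slot contained.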