tags 591312 patch
thanks

On Sun, Aug 01, 2010 at 22:51:20 (EDT), Philipp Kern wrote:
> Package: dpkg
> Version: 1.15.8
> Severity: critical
>
> dpkg_ar_member_put_header contains a buffer overflow that causes packages on
> armel to be empty as a result. This is entirely due to the calling convention
> due to the stack being corrupted. It seems that the outcome on other
> architectures is not so severe, but it broke autobuilding heavily on armel due
> to it generating broken packages *and* dpkg-deb succeeding. The packages were
> output onto fd 0 instead of fd 5 because the null byte was written into the
> ar_fd register.
>
> A patch is currently being tested.

This is my proposed patch. It has been tested by Loïc Minier in qemu and seems to do the job:

diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index e33e78f..ba9c4d1 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -58,12 +58,15 @@ void
 dpkg_ar_member_put_header(const char *ar_name, int ar_fd,
                           const char *name, size_t size)
 {
-	char header[sizeof(struct ar_hdr)];
+	/* +1 for the \0 that snprintf adds at the end of the string,
+	 * and we don't want the \0 in the file */
+	char header[sizeof(struct ar_hdr)+1];
 
-	sprintf(header, "%-16s%-12lu0 0 100644 %-10lu`\n",
-	        name, time(NULL), (unsigned long)size);
+	snprintf(header, sizeof(header),
+	         "%-16s%-12lu0 0 100644 %-10lu`\n",
+	         name, time(NULL), (unsigned long)size);
 
-	if (write(ar_fd, header, sizeof(header)) < 0)
+	if (write(ar_fd, header, sizeof(struct ar_hdr)) < 0)
 		ohshite(_("unable to write file '%s'"), ar_name);
 }

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
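Review bot: the +1 buffer with snprintf removes the one-byte overflow, but the snprintf return value in this hunk is still ignored: if name is longer than 16 characters or size needs more than 10 digits, the formatted header exceeds sizeof(struct ar_hdr) and is now silently cut to 60 bytes, so a header with shifted fields is written instead of the call failing. Consider checking that the return value equals sizeof(struct ar_hdr) and calling ohshite otherwise. Also, size is cast with `(unsigned long)size` to match `%lu` while `time(NULL)` is passed uncast to `%-12lu`; time_t is not unsigned long on every platform, so casting it the same way keeps the format and argument types consistent.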
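The header-writing path discussed above, as an added C example that is not dpkg's own code: it formats the 60-byte ar member header the way the patched function does, sized so snprintf's trailing NUL never lands past the header, and additionally checks snprintf's return value so an over-wide name or size is reported instead of being silently truncated. It assumes the standard <ar.h> field widths (name 16, date 12, uid 6, gid 6, mode 8, size 10, fmag 2) and redefines the struct inline to stay self-contained.

```c
#include <stdio.h>
#include <string.h>

/* Standard ar member header (60 bytes), same layout as <ar.h>; defined
 * inline so the example builds on its own. Every field is fixed-width
 * ASCII with no terminating NUL, which is why a buffer sized exactly to
 * the struct cannot also hold the '\0' that sprintf appends. */
struct ar_hdr {
    char ar_name[16];   /* member name, space padded */
    char ar_date[12];   /* mtime, decimal */
    char ar_uid[6];
    char ar_gid[6];
    char ar_mode[8];    /* octal file mode */
    char ar_size[10];   /* member size, decimal */
    char ar_fmag[2];    /* "`\n" */
};

#define AR_HDR_LEN sizeof(struct ar_hdr)

/* Format one member header into out[0..AR_HDR_LEN) as dpkg's patched
 * function does (uid 0, gid 0, mode 100644). out_len must be at least
 * AR_HDR_LEN + 1 so snprintf's NUL has room; the caller writes only
 * AR_HDR_LEN bytes to the archive. Returns 0 on success, -1 if the
 * buffer is too small or name/size would not fit their fields (a case
 * where an unchecked snprintf silently emits a header with shifted
 * fields). The uid/gid/mode widths below are assumed from <ar.h>. */
int ar_format_header(char *out, size_t out_len, const char *name,
                     unsigned long mtime, unsigned long size)
{
    int n;

    if (out == NULL || name == NULL || out_len < AR_HDR_LEN + 1)
        return -1;

    n = snprintf(out, out_len, "%-16s%-12lu0     0     100644  %-10lu`\n",
                 name, mtime, size);

    /* snprintf returns the length the full string would have had, so any
     * value other than AR_HDR_LEN means some field overflowed its width. */
    if (n < 0 || (size_t)n != AR_HDR_LEN)
        return -1;
    return 0;
}

/* Sanity check for a header about to be written: no embedded NUL inside
 * the 60 bytes and the magic "`\n" terminator in place. */
int ar_header_looks_valid(const char *hdr)
{
    return memchr(hdr, '\0', AR_HDR_LEN) == NULL
        && hdr[AR_HDR_LEN - 2] == '`' && hdr[AR_HDR_LEN - 1] == '\n';
}
```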
> Package: dpkg > Version: 1.15.8 > Severity: critical > > dpkg_ar_member_put_header contains a buffer overflow that causes packages on > armel to be empty as an result. This is entirely due to the calling > convention > due to the stack being corrupted. It seems that the outcome on other > architectures is not so severe, but it broke autobuilding heavily on armel due > to it generating broken packages *and* dpkg-deb succeeding. The packages were > output onto fd 0 instead of fd 5 because the null byte was written into the > ar_fd register. > > A patch is currently being tested. This is my proposed patch. It has been tested by Loïc Minier in qemu and seems to do the job: diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c index e33e78f..ba9c4d1 100644 --- a/lib/dpkg/ar.c +++ b/lib/dpkg/ar.c @@ -58,12 +58,15 @@ void dpkg_ar_member_put_header(const char *ar_name, int ar_fd, const char *name, size_t size) { - char header[sizeof(struct ar_hdr)]; + /* +1 for the \0 that snprintf adds at the end of the string, + * and we don't want the \0 in the file */ + char header[sizeof(struct ar_hdr)+1]; - sprintf(header, "%-16s%-12lu0 0 100644 %-10lu`\n", - name, time(NULL), (unsigned long)size); + snprintf(header, sizeof(header), + "%-16s%-12lu0 0 100644 %-10lu`\n", + name, time(NULL), (unsigned long)size); - if (write(ar_fd, header, sizeof(header)) < 0) + if (write(ar_fd, header, sizeof(struct ar_hdr)) < 0) ohshite(_("unable to write file '%s'"), ar_name); } -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org