This was fixed before 1.6, so only xenial and trusty are affected at most.

** Changed in: python-apt (Ubuntu)
       Status: In Progress => Fix Released

** Also affects: python-apt (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: python-apt (Ubuntu Xenial)
       Status: New => Triaged

https://bugs.launchpad.net/bugs/1694702

Title:
  off-by-one error when translating source records build depends

Status in python-apt package in Ubuntu:
  Fix Released
Status in python-apt source package in Xenial:
  Triaged

Bug description:
  [Impact]
  Out-of-bounds read in an array, causing segmentation fault

  [Testcase]
  On amd64:

  python3-dbg -c 'import apt, apt_pkg; sr=apt_pkg.SourceRecords(); sr.lookup("dq"); print(sr.build_depends)'

  crashes.

  [Regression potential]
  This is a simple off-by-one fix. There really should be no regressions, but if there were, only for people using SourceRecords.build_depends - the list could now be shorter (depending on memory).

diff --git a/python/pkgsrcrecords.cc b/python/pkgsrcrecords.cc index 9ca21c5a..77b490cb 100644 --- a/python/pkgsrcrecords.cc +++ b/python/pkgsrcrecords.cc @@ -220,7 +220,7 @@ static PyObject *PkgSrcRecordsGetBuildDepends(PyObject *Self,void*) { bd[i].Version.c_str(), pkgCache::CompType(bd[i].Op)); PyList_Append(OrGroup, v); Py_DECREF(v); - if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i == bd.size()) + if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i + 1 >= bd.size()) break; i++; }
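
Review bot: in the changed condition of PkgSrcRecordsGetBuildDepends, `bd[i].Op` is still read before the bounds test `i + 1 >= bd.size()`, so the read is in range only if the enclosing loop guarantees `i < bd.size()` on entry, and that loop header is outside the visible context. The new test does stop the `i++` that follows from stepping past the last element, which the old `i == bd.size()` could not do because it only became true after `bd[i]` had already been indexed out of range. I would put the bounds test first in the condition, or add a one-line comment stating the invariant, so the short-circuit order documents the safety argument. Two smaller points on the same lines: the return value of `PyList_Append(OrGroup, v)` is ignored, and the patch carries no regression test, while the testcase in the description depends on the archive's "dq" source record ending in an or-group; a test built on a fixed source record with a trailing `|` dependency would keep this covered.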