Hi!

On Mon, 2014-11-10 at 01:00:56 +1100, Joshua Rogers wrote:
> On 08/11/14 06:47, Guillem Jover wrote:
> > Nicely spotted! And thanks for the report, I've fixed it now locally
> > and it will be included in the next 1.17.x release. I'll be preparing
> > fixed packages for stable too.
> Could you provide a patch for this bug via email?

Sure, attached the patch that I'll be using in principle for the stable
update (being coordinated with the security team separately).

BTW Jakub, did you find this in parallel, or simply relied on the bug filed
in Launchpad? Just to give proper attribution, and if the latter, appreciated
as much, otherwise I'd not have noticed.

Regards,
Guillem
From 1e8665c7c01a5db54d057de89b18152af605d8b9 Mon Sep 17 00:00:00 2001 From: Guillem Jover <[email protected]> Date: Fri, 7 Nov 2014 20:49:26 +0100 Subject: [PATCH] libdpkg: Escape package and architecture on control file parsing warning The package name and architecture are injected into a string that is used as a format string. Because these are user controlled, we need to format-escape them so that they become inert. Regression introduced in commit 0b8652b226a7601dfd71471797d15168a7337242. Fixes: CVE-2014-8625 Closes: #768485 --- lib/dpkg/parsehelp.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c index d9a574e..9e1d624 100644 --- a/lib/dpkg/parsehelp.c +++ b/lib/dpkg/parsehelp.c @@ -44,11 +44,14 @@ parse_error_msg(struct parsedb_state *ps, const char *fmt) str_escape_fmt(filename, ps->filename, sizeof(filename)); - if (ps->pkg && ps->pkg->set->name) + if (ps->pkg && ps->pkg->set->name) { + char pkgname[256]; + + str_escape_fmt(pkgname, pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), + sizeof(pkgname)); sprintf(msg, _("parsing file '%.255s' near line %d package '%.255s':\n" - " %.255s"), filename, ps->lno, - pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), fmt); - else + " %.255s"), filename, ps->lno, pkgname, fmt); + } else sprintf(msg, _("parsing file '%.255s' near line %d:\n" " %.255s"), filename, ps->lno, fmt); -- 2.1.3
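Review bot: The new `char pkgname[256]` buffer receives the escaped name, but `str_escape_fmt` doubles every `%`, so the escaped form can be longer than the name it came from; the hunk is only safe if `str_escape_fmt` truncates at `sizeof(pkgname)` and, in particular, never cuts a doubled `%%` in half, which would leave a lone `%` at the end of the name right before the `':\n` that follows it in the format. Since the fix relies on that property without stating it, a one-line comment next to the buffer, plus a regression test parsing a control file whose Package field contains `%` characters (the CVE-2014-8625 case), would pin it down. Minor style point: the `if` arm now carries braces while the `} else` arm still runs a bare `sprintf` statement; bracing both arms keeps them consistent.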

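As an added illustration, not dpkg's code and not part of the original mail, of why the patch escapes the package name before splicing it into the text that later serves as a format: a bounded escape routine that doubles `%`, and a warning-prefix builder that mirrors the patched `parse_error_msg()`. The names `escape_fmt`, `escaped_len` and `warning_prefix` and the sample file and package names are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst, doubling every '%' so the text stays inert if the result
 * is later used as a printf-style format. Truncates to fit n bytes, always
 * NUL-terminates. Illustrative; not dpkg's own str_escape_fmt(). */
static void escape_fmt(char *dst, const char *src, size_t n)
{
    size_t i = 0;

    if (n == 0)
        return;
    for (; *src != '\0'; src++) {
        size_t need = (*src == '%') ? 2 : 1;

        if (i + need >= n)        /* keep one byte for the terminator */
            break;                /* never split a doubled "%%" pair */
        dst[i++] = *src;
        if (*src == '%')
            dst[i++] = '%';
    }
    dst[i] = '\0';
}

/* Length of src after escaping into an n-byte buffer; exercises truncation. */
static size_t escaped_len(const char *src, size_t n)
{
    char buf[512];

    escape_fmt(buf, src, n < sizeof(buf) ? n : sizeof(buf));
    return strlen(buf);
}

/* Assemble the warning prefix the way the patched parse_error_msg() does:
 * only escaped values are spliced in, each capped at 255 bytes. filename and
 * pkgname are caller-supplied samples; fmt is the developer's own format. */
static const char *warning_prefix(const char *filename, int lno,
                                  const char *pkgname, const char *fmt)
{
    static char msg[1024];
    char efile[256], epkg[256];

    escape_fmt(efile, filename, sizeof(efile));
    escape_fmt(epkg, pkgname, sizeof(epkg));
    snprintf(msg, sizeof(msg),
             "parsing file '%.255s' near line %d package '%.255s':\n %.255s",
             efile, lno, epkg, fmt);
    return msg;
}
```

The assembled `msg` is later used as a format with the caller's arguments, where `%%` renders as a single `%` and only the developer-supplied `fmt` conversions consume arguments.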
