Package: dpkg
Version: 1.21.22
Severity: important

Dear Maintainer,

On unpacking a custom .dpkg file with long symbolic links, I found a bunch of symbolic links ending in right, and one with copyright. The overrun made all the links exactly the same length, suggesting reuse of some kind of static buffer, but it's not clear if that's really the case. Making long link records an extra byte longer for the trailing null fixed the overrun and allowed the package to unpack correctly.

Source for long link record length does not include trailing null:
https://repo.or.cz/libtar.git/blob/HEAD:/lib/block.c#l294

I've stashed the offending .deb package but I'm not sure if I can get clearance to release it.

This is a potential security vulnerability due to the bug class, but I can't find a plausible exploit pathway.

-- Package-specific info:

This system uses merged-usr-via-aliased-dirs, going behind dpkg's back, breaking its core assumptions. This can cause silent file overwrites and disappearances, and its general tools misbehavior.

See <https://wiki.debian.org/Teams/Dpkg/FAQ#broken-usrmerge>.

-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-16-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-5+b1
ii  libc6        2.36-9+deb12u3
ii  liblzma5     5.4.1-0.2
ii  libmd0       1.0.4-2
ii  libselinux1  3.4-1+b6
ii  libzstd1     1.5.4+dfsg2-5
ii  tar          1.34+dfsg-1.2
ii  zlib1g       1:1.2.13.dfsg-1

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.6.1
pn  debsig-verify  <none>

-- no debconf information
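
Added example, not part of the original report and not dpkg's or libtar's code: a reader for a GNU long link ('K') record that returns a correctly terminated target whether or not the writer counted the trailing NUL in the size field. The sample path, the MAX_LINK cap and the 'X' padding that stands in for stale buffer contents are constructed assumptions; header checksum verification is omitted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BLK 512          /* tar block size */
#define MAX_LINK 65536   /* sanity cap on a link target (assumed policy) */

static size_t tar_size(const unsigned char *h)  /* octal size field at offset 124 */
{
    size_t n = 0;
    for (int i = 124; i < 136 && h[i] >= '0' && h[i] <= '7'; i++)
        n = n * 8 + (size_t)(h[i] - '0');
    return n;
}

/* Return a malloc'd, always NUL-terminated link target from a GNU 'K'
 * record (header + payload) in buf, or NULL if the record is malformed. */
char *read_longlink(const unsigned char *buf, size_t avail)
{
    if (avail < BLK || buf[156] != 'K') return NULL;
    size_t size = tar_size(buf);
    if (size == 0 || size > MAX_LINK) return NULL;
    if (avail - BLK < (size + BLK - 1) / BLK * BLK) return NULL;
    char *out = malloc(size + 1);   /* +1: do not rely on the writer's NUL */
    if (!out) return NULL;
    memcpy(out, buf + BLK, size);
    out[size] = '\0';               /* terminate at the declared size */
    return out;
}

/* Constructed sample: a 'K' record whose size field counts the NUL only if
 * count_nul is set. Target must fit in one block. */
size_t build_longlink(unsigned char *buf, const char *target, int count_nul)
{
    size_t size = strlen(target) + (count_nul ? 1 : 0);
    memset(buf, 0, BLK);
    memset(buf + BLK, 'X', BLK);    /* non-zero padding mimics stale data */
    strcpy((char *)buf, "././@LongLink");
    snprintf((char *)buf + 124, 12, "%011lo", (unsigned long)size);
    buf[156] = 'K';
    memcpy(buf + BLK, target, size);
    return 2 * BLK;
}

int main(void)
{
    unsigned char rec[2 * BLK];
    char *s = read_longlink(rec, build_longlink(rec, "usr/share/doc/pkg/copyright", 0));
    puts(s ? s : "(malformed)");
    free(s);
}
```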