On Tue, Jan 23, 2024 at 3:16 PM Guillem Jover <guil...@debian.org> wrote:
>
> Hi!
>
> On Tue, 2024-01-23 at 13:46:53 -0800, Joshua Hudson wrote:
> > Package: dpkg
> > Version: 1.21.22
> > Severity: important
>
> > On unpacking a custom .dpkg file with long symbolic links, I found a
> > bunch of symbolic links ending in right, and one with copyright. The
> > overrun made all the links exactly the same length; suggesting reuse
> > of some kind of static buffer, but it's not clear if that's really
> > the case.
> >
> > Making long link records an extra byte longer for the trailing null
> > fixed the overrun and allowed the package to unpack correctly.
>
> Were those long name lengths exactly multiples of 512?

They were not. Must have been a 0 byte in the buffer after copyright.

> > Source for long link record length does not include trailing null:
> >
> > https://repo.or.cz/libtar.git/blob/HEAD:/lib/block.c#l294
> >
> > I've stashed the offending .deb package but I'm not sure if I can
> > get clearance to release it.
>
> Ack. I did not try to reproduce this yet because it was not obvious
> exactly how to do that from the report, instead just inspected the
> code for potential brokenness related to this, and I think I've fixed
> this now, but as I've not tested it, could you instead try applying
> the attached patch against dpkg and test with your package whether
> this fixes the problem you've found?

That patch fixed the bug. Knowing where the bug is, I can see how the
bug works and explain why. I'm wondering if this was just a pending
disaster for everybody or if there's some actual reason it doesn't trip
on official packages.
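The stale-tail effect the report describes, as an added C example that is neither dpkg's nor libtar's code: a constructed GNU long-link ('K') entry whose size field excludes the trailing NUL is read into a reused name buffer, first by a reader that trusts a NUL to already be there and then by one that writes the terminator itself. The targets are kept short for brevity (real 'K' entries only appear for names over 100 bytes); the entry layout and the reader functions are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TAR_BLOCK 512
#define LINK_MAX 255

/* Constructed 'K' entry: header block + zero-padded data block; the size
 * field counts only the link-target bytes, with no trailing NUL. */
static void make_longlink_entry(const char *target, unsigned char out[2 * TAR_BLOCK]) {
    memset(out, 0, 2 * TAR_BLOCK);
    memcpy(out, "././@LongLink", 13);                          /* name field */
    snprintf((char *)out + 124, 12, "%011zo", strlen(target)); /* size, octal */
    out[156] = 'K';                                            /* typeflag */
    memcpy(out + TAR_BLOCK, target, strlen(target));           /* data block */
}

/* Reader state: one name buffer reused across entries, like a static buffer. */
typedef struct { char link[LINK_MAX + 1]; } tar_reader;

/* Buggy: copies `size` bytes and trusts that a NUL already follows them, so
 * whatever a longer earlier link left beyond `size` survives. */
const char *read_longlink_naive(tar_reader *r, const unsigned char *e) {
    size_t size = strtoul((const char *)e + 124, NULL, 8);
    if (e[156] != 'K' || size > LINK_MAX) return NULL;
    memcpy(r->link, e + TAR_BLOCK, size);
    return r->link;
}

/* Fixed: same copy, but the terminator is written explicitly. */
const char *read_longlink_safe(tar_reader *r, const unsigned char *e) {
    size_t size = strtoul((const char *)e + 124, NULL, 8);
    if (e[156] != 'K' || size > LINK_MAX) return NULL;
    memcpy(r->link, e + TAR_BLOCK, size);
    r->link[size] = '\0';
    return r->link;
}

/* The sequence from the report: a longer target, then a shorter one (both
 * constructed). Returns the length the reader sees for the second link. */
size_t second_link_length(int use_safe) {
    tar_reader r = {{0}};
    unsigned char e1[2 * TAR_BLOCK], e2[2 * TAR_BLOCK];
    make_longlink_entry("doc/copyright", e1);
    make_longlink_entry("doc/right", e2);
    const char *(*rd)(tar_reader *, const unsigned char *) =
        use_safe ? read_longlink_safe : read_longlink_naive;
    rd(&r, e1);
    return strlen(rd(&r, e2)); /* naive: 13 ("doc/rightight"), safe: 9 */
}
```

The naive reader only happens to work when the buffer byte after the copied data is already zero, which is why a single longer target earlier in the archive is enough to corrupt every shorter one that follows.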