Package: dpkg
Version: 1.17.22-1
Tags: bug
Hi,

Using AddressSanitizer I have found an Out-of-Bounds(?) vulnerability in dpkg.
The vulnerable code is in lib/dpkg/parse.c, on line 135.

133:   for (fip = fieldinfos, ip = fs->fieldencountered; fip->name; fip++, ip++)
134:     if (strncasecmp(fip->name, fs->fieldstart, fs->fieldlen) == 0 &&
135:         fip->name[fs->fieldlen] == '\0')
136:       break;

I'm not familiar with AddressSanitizer's use of wording (it says
'global-buffer-overflow', but
https://code.google.com/p/address-sanitizer/wiki/ExampleGlobalOutOfBounds says
OutOfBounds) when it comes to vulns, so I'll just paste the results:

> =================================================================
> ==12299==ERROR: AddressSanitizer: global-buffer-overflow on address
> 0x000000483a4d at pc 0x43cd9d bp 0x7fff3d4e42d0 sp 0x7fff3d4e42c8
> READ of size 1 at 0x000000483a4d thread T0
>     #0 0x43cd9c in pkg_parse_field ../../../lib/dpkg/parse.c:135
>     #1 0x43cd9c in parse_stanza ../../../lib/dpkg/parse.c:707
>     #2 0x43cd9c in parsedb_parse ../../../lib/dpkg/parse.c:781
>     #3 0x43def6 in parsedb ../../../lib/dpkg/parse.c:831
>     #4 0x407be9 in check_new_pkg ../../dpkg-deb/build.c:347
>     #5 0x407be9 in do_build ../../dpkg-deb/build.c:441
>     #6 0x4055e7 in main ../../dpkg-deb/main.c:272
>     #7 0x7fc088b2876c in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
>     #8 0x407454 (/root/dpkg/build-tree/dpkg-deb/dpkg-deb+0x407454)
>
> 0x000000483a4d is located 51 bytes to the left of global variable
> '*.LC72' from '../../../lib/dpkg/parse.c' (0x483a80) of size 13
>   '*.LC72' is ascii string 'Architecture'
> 0x000000483a4d is located 8 bytes to the right of global variable
> '*.LC71' from '../../../lib/dpkg/parse.c' (0x483a40) of size 5
>   '*.LC71' is ascii string 'Bugs'
> SUMMARY: AddressSanitizer: global-buffer-overflow
> ../../../lib/dpkg/parse.c:135 pkg_parse_field
> Shadow bytes around the buggy address:
>   0x0000800886f0: 00 00 01 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
>   0x000080088700: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x000080088710: 00 00 00 00 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
>   0x000080088720: 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
>   0x000080088730: 00 07 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
> =>0x000080088740: 00 03 f9 f9 f9 f9 f9 f9 05[f9]f9 f9 f9 f9 f9 f9
>   0x000080088750: 00 05 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
>   0x000080088760: 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
>   0x000080088770: 00 07 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
>   0x000080088780: 00 01 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
>   0x000080088790: 00 04 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9

Here's a base64 of the control file (base64'd due to the \00's in it):

CkJ1Z3MAAW5lYmJ1Z3M6Ly9idWd7LmRlYmlhbi5vcmcKSG9tZXBhczovL3dpa2kuZGViAAAAIG9y
Zy9UZWFtcy9EcH9nClZjcy1Ccm93c2VyOiBodHT//zovL2Fub25zY20uZGViaWFuLm9yZy9jZ2lZ
L2Rwa2cvZHBrZy5naXQKVmNzLUdpdDogZ2l0Oi8vYW5vbnNjbS5kZWJpYW4uf0Jyb3dzZXIvZHBr
Zy5naXQaU3RhbmRhcmRzLVZlcnNpb246IOgDAAA2CkJ1aWxkLURkcGVuZHM6IGRlYmhlbHBlciAo
Pj0gNyksIHBrZy1j725maWcsIGZsZXgK

Thanks,

--
Joshua Rogers <https://internot.info/>
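The mechanism behind the trace, as an added illustration that is not part of the report and not dpkg's own code or its eventual fix. Decoding the attached control file, its first stanza line begins "Bugs\0\1nebbugs:", so the parser hands the lookup a field name of 13 bytes with a NUL at offset 4. strncasecmp() stops at that NUL and reports a match against the 4-byte table entry "Bugs", and the terminator check then indexes "Bugs"[13], which is 0x483a40 + 13 = 0x483a4d, the exact address ASan flags. The field_names[] table below is a hypothetical stand-in for dpkg's fieldinfos, lookup_field_as_reported() mirrors the quoted loop, and lookup_field_checked() is one hardening that never forms an index past the table string (an assumption here, not the dpkg maintainers' change).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for dpkg's fieldinfos table; only the names matter. */
static const char *const field_names[] = {
    "Package", "Version", "Architecture", "Bugs", "Homepage",
    "Standards-Version", "Build-Depends", NULL,
};

/* Mirrors the loop quoted from lib/dpkg/parse.c lines 133-136.
 * Returns the index of the matching field name, or -1. */
static int lookup_field_as_reported(const char *start, size_t len)
{
    for (int i = 0; field_names[i] != NULL; i++) {
        /* strncasecmp() stops at the first NUL in either string, so a field
         * name "Bugs\0\1nebbugs" (len 13) compares equal to "Bugs" after
         * only 4 bytes, and the terminator check then reads name[13],
         * 8 bytes past the end of the 5-byte "Bugs" literal. */
        if (strncasecmp(field_names[i], start, len) == 0 &&
            field_names[i][len] == '\0')
            return i;
    }
    return -1;
}

/* Hardened variant (added here, not dpkg's fix): reject a field name that
 * carries an embedded NUL, and compare only when the lengths already agree,
 * so no index beyond the table string is ever formed. */
static int lookup_field_checked(const char *start, size_t len)
{
    if (len == 0 || memchr(start, '\0', len) != NULL)
        return -1;
    for (int i = 0; field_names[i] != NULL; i++) {
        if (strlen(field_names[i]) == len &&
            strncasecmp(field_names[i], start, len) == 0)
            return i;
    }
    return -1;
}

/* Constructed sample: the first field of the attached control file as the
 * parser sees it, i.e. everything before the ':' including the NUL byte. */
static const char bad_field[] = "Bugs\0\1nebbugs";
#define BAD_FIELD_LEN (sizeof(bad_field) - 1)   /* 13, counting the embedded NUL */

/* 1 if strncasecmp() treats the crafted field as equal to "Bugs", which is
 * the premise the out-of-bounds index depends on. */
static int prefix_matches_through_nul(void)
{
    return strncasecmp("Bugs", bad_field, BAD_FIELD_LEN) == 0;
}

int main(void)
{
    /* Benign input: both lookups agree (index 3 == "Bugs"). */
    printf("as_reported(\"bugs\")=%d checked(\"bugs\")=%d\n",
           lookup_field_as_reported("bugs", 4), lookup_field_checked("bugs", 4));
    /* Crafted input: strncasecmp() says "match", the checked lookup refuses it. */
    printf("strncasecmp match through NUL: %d\n", prefix_matches_through_nul());
    printf("checked(bad_field)=%d\n", lookup_field_checked(bad_field, BAD_FIELD_LEN));
    /* lookup_field_as_reported(bad_field, BAD_FIELD_LEN) is the read from the
     * ASan trace; it is deliberately not executed here. */
    return 0;
}
```

Build with -fsanitize=address and add a call to lookup_field_as_reported(bad_field, BAD_FIELD_LEN) to reproduce a global-buffer-overflow report of the same shape as the one above, 8 bytes to the right of the "Bugs" literal.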