Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I'd like to update APT in jessie from 1.0.9.8.2 to 1.0.9.8.3 to
fix a stack buffer overflow in the dependency resolver, backported
from apt 1.2.6.

A compressed complete diff is attached. The relevant part is reproduced
below; it consists of the commits:
 [1] https://anonscm.debian.org/cgit/apt/apt.git/commit/?h=debian/jessie&id=2f34b45174906024fa87ee0d51d2e13d4770f465
 [2] https://anonscm.debian.org/cgit/apt/apt.git/commit/?h=debian/jessie&id=950f68a3459f47aa7215ce2bd493ca9354194300

[1] being the original commit cherry-picked, [2] being the changes needed to
make that run in jessie with a pre-C++11 APT.

diff -Nru apt-1.0.9.8.2/apt-pkg/algorithms.cc 
apt-1.0.9.8.3/apt-pkg/algorithms.cc
--- apt-1.0.9.8.2/apt-pkg/algorithms.cc 2015-09-15 17:08:27.000000000 +0200
+++ apt-1.0.9.8.3/apt-pkg/algorithms.cc 2016-03-12 14:14:29.000000000 +0100
@@ -735,6 +735,7 @@
       changing a breaks c) */
    bool Change = true;
    bool const TryFixByInstall = 
_config->FindB("pkgProblemResolver::FixByInstall", true);
+   std::vector<PackageKill> KillList;
    for (int Counter = 0; Counter != 10 && Change == true; Counter++)
    {
       Change = false;
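Review bot: Declaring KillList once here, outside the Counter loop, means the same vector and its allocation are reused for every package in every pass; that is fine for performance, but it makes the per-package `KillList.resize(0)` in the next hunk mandatory rather than optional, since otherwise kills recorded for a previous package would be applied to the current one. A one-line comment above the declaration noting that it is cleared per package would make that dependency obvious to the next reader.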
@@ -777,12 +778,12 @@
            clog << "Investigating (" << Counter << ") " << I << endl;
         
         // Isolate the problem dependency
-        PackageKill KillList[100];
-        PackageKill *LEnd = KillList;
         bool InOr = false;
         pkgCache::DepIterator Start;
         pkgCache::DepIterator End;
-        PackageKill *OldEnd = LEnd;
+        size_t OldSize = 0;
+
+        KillList.resize(0);
         
         enum {OrRemove,OrKeep} OrOp = OrRemove;
         for (pkgCache::DepIterator D = 
Cache[I].InstVerIter(Cache).DependsList();
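Review bot: This is the actual fix: `PackageKill KillList[100]` together with the unchecked `LEnd++` (later hunk) was a fixed 100-slot stack array with no guard, so a package that forced more than 100 removals wrote past the end of the array, which is the stack buffer overflow the update describes; std::vector removes the bound entirely. Two small points: `KillList.clear()` says what `KillList.resize(0)` does more plainly (both keep the capacity), and since `OldSize = 0` and the clear happen together here, a short comment that KillList is hoisted out of the loop and emptied per package at this point would help.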
@@ -792,7 +793,7 @@
            if (Start == End)
            {
               // Decide what to do
-              if (InOr == true && OldEnd == LEnd)
+              if (InOr == true && OldSize == KillList.size())
               {
                  if (OrOp == OrRemove)
                  {
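Review bot: Tracking a size_t rather than a saved iterator is the right replacement for the OldEnd pointer: a `push_back` on the vector (later hunk) can reallocate and would invalidate any stored iterator, while `OldSize == KillList.size()` still means exactly "nothing was added since this Or group began".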
@@ -826,7 +827,7 @@
                  continue;
 
               InOr = Start != End;
-              OldEnd = LEnd;
+              OldSize = KillList.size();
            }
            else
             {
@@ -989,10 +990,8 @@
                
                  if (Debug == true)
                     clog << "  Added " << Pkg.FullName(false) << " to the 
remove list" << endl;
-                 
-                 LEnd->Pkg = Pkg;
-                 LEnd->Dep = End;
-                 LEnd++;
+
+                 KillList.push_back((PackageKill) {Pkg, End});
                  
                  if (Start.IsNegative() == false)
                     break;
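Review bot: `(PackageKill) {Pkg, End}` is a C99 compound literal; GCC and Clang accept it in C++ as an extension, but it is not standard C++ and is flagged under `-Wpedantic`. Since this backport must build without C++11 (where `KillList.push_back(PackageKill{Pkg, End})` or `emplace_back` would do), the conforming spelling is a named temporary: `PackageKill K; K.Pkg = Pkg; K.Dep = End; KillList.push_back(K);`. Also, the removed `-` line carried only trailing whitespace and its `+` replacement is empty, a harmless but unrelated whitespace change.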
@@ -1042,7 +1041,7 @@
         // Apply the kill list now
         if (Cache[I].InstallVer != 0)
         {
-           for (PackageKill *J = KillList; J != LEnd; J++)
+           for (std::vector<PackageKill>::const_iterator J = KillList.begin(); 
J != KillList.end(); J++)
            {
               Change = true;
               if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0)
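Review bot: `J++` works, but `++J` is the conventional form for iterators (post-increment copies the iterator). More importantly, now that J is a vector iterator, any `push_back` into KillList inside this loop body would invalidate J; the body is not shown in the hunk, so it is worth confirming it only reads KillList. The array version tolerated appends during iteration because pointers into a fixed array stay valid; the vector version does not.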

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug'), (500, 'testing'), 
(100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.

Attachment: apt_1.0.9.8.2_1.0.9.8.3.diff.gz
Description: application/gzip
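As an added illustration that is not part of this bug report or of APT's own code: the append pattern the patch replaces and its std::vector replacement, side by side. The PackageKill stand-in, the Add/Reset functions and the removal counts are constructed for the example; only the overall shape (a 100-slot array with a bump pointer versus a vector cleared with resize(0) per package) follows the diff. The fixed-array version gets the bounds check the old code lacked, so it reports the overflow instead of corrupting the stack.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Stand-in for apt's PackageKill (constructed for this example): the real
// struct holds cache iterators; two strings are enough to show the pattern.
struct PackageKill {
    std::string Pkg;
    std::string Dep;
};

// Pre-patch shape: 100 entries on the stack and a bump pointer.  The original
// code had no check against the end of the array; the check is added here
// and the overflow is reported instead of corrupting the stack, so the
// example is safe to run.
struct FixedKillList {
    enum { Capacity = 100 };
    PackageKill Kills[Capacity];
    PackageKill *LEnd;
    bool Overflowed;

    FixedKillList() : LEnd(Kills), Overflowed(false) {}

    bool Add(const std::string &Pkg, const std::string &Dep) {
        if (LEnd == Kills + Capacity) {   // the guard the old code lacked
            Overflowed = true;
            return false;
        }
        LEnd->Pkg = Pkg;
        LEnd->Dep = Dep;
        LEnd++;
        return true;
    }
    std::size_t Size() const { return static_cast<std::size_t>(LEnd - Kills); }
};

// Post-patch shape: a std::vector that grows on demand, spelled without
// C++11 features as the jessie backport had to be.
struct VectorKillList {
    std::vector<PackageKill> Kills;

    void Add(const std::string &Pkg, const std::string &Dep) {
        PackageKill K;
        K.Pkg = Pkg;
        K.Dep = Dep;
        Kills.push_back(K);
    }
    // The patch hoists the vector out of the loop and calls resize(0) for
    // each package: entries are dropped, the allocation is kept for reuse.
    void Reset() { Kills.resize(0); }
    std::size_t Size() const { return Kills.size(); }
};

// Schedule N removals into the fixed list; returns (entries accepted, overflowed).
std::pair<std::size_t, bool> FillFixed(std::size_t N) {
    FixedKillList L;
    for (std::size_t i = 0; i < N; ++i)
        L.Add("pkg", "dep");
    return std::make_pair(L.Size(), L.Overflowed);
}

// Schedule N removals into the vector list, then reset it as the resolver
// does between packages; returns (entries held before reset, after reset).
std::pair<std::size_t, std::size_t> FillVector(std::size_t N) {
    VectorKillList L;
    for (std::size_t i = 0; i < N; ++i)
        L.Add("pkg", "dep");
    std::size_t before = L.Size();
    L.Reset();
    return std::make_pair(before, L.Size());
}

int main() {
    // 150 removals for one package: the fixed list stops at 100 and flags
    // the overflow; the vector holds all 150 and is empty again after Reset.
    std::pair<std::size_t, bool> fixed = FillFixed(150);
    std::pair<std::size_t, std::size_t> grown = FillVector(150);
    return (fixed.first == 100 && fixed.second && grown.first == 150 &&
            grown.second == 0) ? 0 : 1;
}
```

The point of keeping both shapes next to each other is that the fixed list needs a guard at every append site and a policy for what to do when it is hit, whereas the vector makes the bound disappear; the cost is that iterators into it are invalidated by push_back, which is why the patch compares sizes rather than saved iterators.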
