[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?
Joshua Rogers
1389135 at bugs.launchpad.net
Sat Nov 8 04:46:19 UTC 2014
Fixed, my bad..
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3127
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1389135
Title: dpkg / dpkg-deb segfault -- possible format string bug/vuln?
Status in “dpkg” package in Ubuntu: New
Status in “dpkg” package in Debian: New
Bug description:
When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
Example of control file:
Package: backup
Architecture: el%sion:-1
Description: script
Here's a gdb backtrace:
(gdb) run --build ./
Starting program: /root/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
1630 vfprintf.c: No such file or directory.
(gdb) bt
#0 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
#1 0x00007ffff76670f2 in _IO_vsnprintf (
string=0x7fffffffd560 "parsing file './/DEBIAN/control' near line 2 package 'backup:elel%sion:-1ion:-1':\n 'character `%' not allowed (only letters, digits and characters `-')' is not a valid architecture name: ",
maxlen=<optimised out>, format=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at vsnprintf.c:120
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
#3 0x0000000000423fa7 in parse_warn (ps=0x7fffffffddc0, fmt=0x44a680 "'%s' is not a valid architecture name: %s") at parsehelp.c:75
#4 0x000000000043b38c in f_architecture (pigp=0x7fffffffdbc0, pifp=0x7fffffffdc80, ps=0x7fffffffddc0, value=0x6651f0 "el%sion:-1", fip=0x448c40) at fields.c:189
#5 0x000000000041eb65 in pkg_parse_field (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_obj=0x7fffffffde40) at parse.c:142
#6 0x00000000004222e9 in parse_stanza (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_field=0x41e480 <pkg_parse_field>, parse_obj=0x7fffffffde40) at parse.c:478
#7 0x0000000000422843 in parsedb (filename=0x665120 ".//DEBIAN/control", flags=3, donep=0x7fffffffdea0) at parse.c:547
#8 0x0000000000404661 in check_new_pkg (dir=0x7fffffffe3e7 "./") at build.c:335
#9 0x0000000000405274 in do_build (argv=0x7fffffffe198) at build.c:436
#10 0x000000000040e566 in main (argc=3, argv=0x7fffffffe188) at main.c:206
#11 0x00007ffff761576d in __libc_start_main (main=0x40e37a <main>, argc=3, ubp_av=0x7fffffffe178, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe168) at libc-start.c:226
#12 0x00000000004025a9 in _start ()
(gdb) up 2
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
392 vsnprintf(buf, sizeof(buf), fmt, args);
Unsure if it's a vulnerability or not. If it is, could I get a CVE-ID?
Thanks
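The backtrace above shows the defect pattern: the prefix "parsing file ... package '%s':" has already been rendered with the untrusted package name inside it, and that rendered text is then reused as the format string for a second vsnprintf, so a '%s' in the package name becomes a conversion the argument list never supplied. The following C is an added illustration, not dpkg's own code; the function names, the 512-byte buffers and the message layout (modelled on the string visible in frame #2) are assumptions. It places the vulnerable construction beside a hardened one that renders the caller's format first and only ever passes untrusted bytes as %s arguments, plus two small helpers a reviewer can use: one to count live conversions in a string about to be used as a format, one to escape '%' when splicing text into a format really is unavoidable.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count printf conversion specifiers in s: a '%' that is not part of the
 * literal "%%" pair. Any non-zero result for a string that is about to be
 * handed to printf/vsnprintf as the *format* is the defect in the report. */
int fmt_count_conversions(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign, skip it */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Double every '%' so s can be spliced into a format string without its
 * contents being interpreted. Returns a malloc'd string the caller frees. */
char *fmt_escape_percent(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '%') ? 2 : 1;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* VULNERABLE pattern (shown for contrast, never called with untrusted pkg
 * here): the package name is rendered into 'built', and 'built' is then
 * used as a format. A '%s' inside pkg is consumed by the second vsnprintf
 * with no matching argument, which is the crash in the backtrace. */
int parse_warn_unsafe(char *out, size_t outsz, const char *file, int line,
                      const char *pkg, const char *fmt, ...) {
    char built[512];
    snprintf(built, sizeof built,
             "parsing file '%s' near line %d package '%s':\n %s", file, line, pkg, fmt);
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outsz, built, ap);   /* built carries pkg's %-sequences */
    va_end(ap);
    return r;
}

/* Hardened pattern: render the caller's (literal) format with its own
 * arguments first, then drop the untrusted name and the rendered detail
 * into a fixed format via %s. Untrusted bytes never become a format. */
int parse_warn_safe(char *out, size_t outsz, const char *file, int line,
                    const char *pkg, const char *fmt, ...) {
    char detail[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(detail, sizeof detail, fmt, ap);
    va_end(ap);
    return snprintf(out, outsz,
                    "parsing file '%s' near line %d package '%s':\n %s",
                    file, line, pkg, detail);
}

/* Reproduces the report's input (constructed from the bug text) through the
 * hardened path and checks the message came out intact. Returns 1 on match. */
int check_safe_warning(void) {
    char out[512];
    parse_warn_safe(out, sizeof out, "./DEBIAN/control", 2, "backup:el%sion:-1",
                    "'%s' is not a valid architecture name: %s",
                    "el%sion:-1", "character `%' not allowed");
    return strcmp(out,
                  "parsing file './DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n"
                  " 'el%sion:-1' is not a valid architecture name: character `%' not allowed") == 0;
}

int main(void) {
    const char *pkg = "backup:el%sion:-1";
    printf("live conversions in package name: %d\n", fmt_count_conversions(pkg));
    char *escaped = fmt_escape_percent(pkg);
    printf("escaped for splicing: %s\n", escaped);
    free(escaped);
    printf("hardened path renders correctly: %s\n", check_safe_warning() ? "yes" : "no");
    return 0;
}
```

The hardened version also keeps the compiler's format checking useful: parse_warn_safe only ever passes a literal to snprintf, and the caller's fmt stays literal at the call site, so -Wformat can still diagnose argument mismatches, which it cannot do for the runtime-built string in the unsafe variant.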