[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

Marc Deslauriers marc.deslauriers at canonical.com
Fri Nov 28 15:07:41 UTC 2014


** Changed in: dpkg (Ubuntu)
   Importance: Medium => Low

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1389135

Title:
  dpkg / dpkg-deb segfault -- possible format string bug/vuln?

Status in dpkg package in Ubuntu:
  Triaged
Status in dpkg package in Debian:
  Fix Committed

Bug description:
  When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
  Example of control file:

  Package: backup
  Architecture: el%sion:-1
  Description: script


  Here's a gdb backtrace:

  (gdb) run --build ./
  Starting program: /root/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
  warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
  1630    vfprintf.c: No such file or directory.
  (gdb) bt
  #0  0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
  #1  0x00007ffff76670f2 in _IO_vsnprintf (
      string=0x7fffffffd560 "parsing file './/DEBIAN/control' near line 2 package 'backup:elel%sion:-1ion:-1':\n 'character `%' not allowed (only letters, digits and characters `-')' is not a valid architecture name: ",
      maxlen=<optimised out>, format=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at vsnprintf.c:120
  #2  0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
  #3  0x0000000000423fa7 in parse_warn (ps=0x7fffffffddc0, fmt=0x44a680 "'%s' is not a valid architecture name: %s") at parsehelp.c:75
  #4  0x000000000043b38c in f_architecture (pigp=0x7fffffffdbc0, pifp=0x7fffffffdc80, ps=0x7fffffffddc0, value=0x6651f0 "el%sion:-1", fip=0x448c40) at fields.c:189
  #5  0x000000000041eb65 in pkg_parse_field (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_obj=0x7fffffffde40) at parse.c:142
  #6  0x00000000004222e9 in parse_stanza (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_field=0x41e480 <pkg_parse_field>, parse_obj=0x7fffffffde40) at parse.c:478
  #7  0x0000000000422843 in parsedb (filename=0x665120 ".//DEBIAN/control", flags=3, donep=0x7fffffffdea0) at parse.c:547
  #8  0x0000000000404661 in check_new_pkg (dir=0x7fffffffe3e7 "./") at build.c:335
  #9  0x0000000000405274 in do_build (argv=0x7fffffffe198) at build.c:436
  #10 0x000000000040e566 in main (argc=3, argv=0x7fffffffe188) at main.c:206
  #11 0x00007ffff761576d in __libc_start_main (main=0x40e37a <main>, argc=3, ubp_av=0x7fffffffe178, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe168) at libc-start.c:226
  #12 0x00000000004025a9 in _start ()
  (gdb) up 2
  #2  0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
  392       vsnprintf(buf, sizeof(buf), fmt, args);


  Unsure if it's a vulnerability or not. If it is, could I get a CVE-ID?

  Thanks
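
The call chain in the backtrace (parse_warn -> warningv -> vsnprintf) hands a message that already embeds the untrusted package name to vsnprintf() as its format string, so the `%s` in the Architecture value consumes varargs that were never passed. As an added illustration that is not dpkg's code and not the fix dpkg committed, the constructed C below shows the hardened shape: every format stays under the program's control and untrusted text only ever travels as a `%s` argument. `struct parse_state`, `parse_warn_safe` and `check_architecture` are assumed stand-in names for the dpkg functions seen in the backtrace.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for dpkg's parse_warn()/warningv(): they render into a
 * caller-supplied buffer instead of dpkg's message sink. Names are assumed. */
struct parse_state {
    const char *filename;
    int lineno;
    const char *pkgname;   /* untrusted: copied from the control file */
};

/* The shape in the backtrace: a prefix that embeds the untrusted package name is
 * glued onto the caller's format and the combined string is handed to vsnprintf()
 * as the FORMAT. A '%' in pkgname is then parsed as a conversion and consumes
 * varargs that were never passed (the third %s in the backtrace). Not reproduced
 * here; the version below keeps every format under the program's control. */
int parse_warn_safe(char *out, size_t outlen, const struct parse_state *ps,
                    const char *fmt, ...)
{
    char prefix[256], body[256];
    va_list ap;
    /* Prefix: untrusted pkgname travels only as a %s argument. */
    snprintf(prefix, sizeof prefix, "parsing file '%s' near line %d package '%s':\n ",
             ps->filename, ps->lineno, ps->pkgname);
    /* Body: fmt is a string literal at every call site, never derived from input. */
    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);
    va_end(ap);
    /* Join with a fixed format, so '%' inside either piece is copied literally. */
    return snprintf(out, outlen, "%s%s", prefix, body);
}
/* Mirrors the f_architecture() check from the backtrace: accept only letters,
 * digits and '-'; on the first bad byte render the warning into out and return 0. */
int check_architecture(const struct parse_state *ps, const char *value,
                       char *out, size_t outlen)
{
    for (const char *p = value; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '-') {
            parse_warn_safe(out, outlen, ps, "'%s' is not a valid architecture name: %s",
                            value,
                            "character `%' not allowed (only letters, digits and characters `-')");
            return 0;
        }
    }
    out[0] = '\0';
    return 1;
}
```

With the reporter's control file values, the rendered warning keeps `el%sion:-1` verbatim instead of expanding it.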
