[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?

Joshua Rogers MegaManSec at gmail.com
Tue Nov 4 19:10:33 UTC 2014


I don't have the time/skill to try, but I'm guessing that if you can
somehow actually build the package with that set as the architecture,
unpacking the .deb file will also be vulnerable, which would definitely
be a security-related bug.

My guess is that it _does_ exist in the unpacking phase too, since the
bug seems to be triggered in lib/dpkg/parsehelp.c.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1389135

Title:
  dpkg / dpkg-deb segfault -- possible format string bug/vuln?

Status in “dpkg” package in Ubuntu:
  New

Bug description:
  When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
  Example of control file:

  Package: backup
  Architecture: el%sion:-1
  Description: script


  Here's a gdb backtrace:

  (gdb) run --build ./
  Starting program: /root/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
  warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
  1630    vfprintf.c: No such file or directory.
  (gdb) bt
  #0  0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
  #1  0x00007ffff76670f2 in _IO_vsnprintf (
      string=0x7fffffffd560 "parsing file './/DEBIAN/control' near line 2 package 'backup:elel%sion:-1ion:-1':\n 'character `%' not allowed (only letters, digits and characters `-')' is not a valid architecture name: ",
      maxlen=<optimised out>, format=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at vsnprintf.c:120
  #2  0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
  #3  0x0000000000423fa7 in parse_warn (ps=0x7fffffffddc0, fmt=0x44a680 "'%s' is not a valid architecture name: %s") at parsehelp.c:75
  #4  0x000000000043b38c in f_architecture (pigp=0x7fffffffdbc0, pifp=0x7fffffffdc80, ps=0x7fffffffddc0, value=0x6651f0 "el%sion:-1", fip=0x448c40) at fields.c:189
  #5  0x000000000041eb65 in pkg_parse_field (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_obj=0x7fffffffde40) at parse.c:142
  #6  0x00000000004222e9 in parse_stanza (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_field=0x41e480 <pkg_parse_field>, parse_obj=0x7fffffffde40) at parse.c:478
  #7  0x0000000000422843 in parsedb (filename=0x665120 ".//DEBIAN/control", flags=3, donep=0x7fffffffdea0) at parse.c:547
  #8  0x0000000000404661 in check_new_pkg (dir=0x7fffffffe3e7 "./") at build.c:335
  #9  0x0000000000405274 in do_build (argv=0x7fffffffe198) at build.c:436
  #10 0x000000000040e566 in main (argc=3, argv=0x7fffffffe188) at main.c:206
  #11 0x00007ffff761576d in __libc_start_main (main=0x40e37a <main>, argc=3, ubp_av=0x7fffffffe178, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe168) at libc-start.c:226
  #12 0x00000000004025a9 in _start ()
  (gdb) up 2
  #2  0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
  392       vsnprintf(buf, sizeof(buf), fmt, args);


  Unsure if it's a vulnerability or not. If it is, could I get a CVE-ID?

  Thanks
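The backtrace shows the message built by parse_warn() (which already embeds the untrusted package name) being handed to warningv() and on to vsnprintf() as the format string, so a '%' from the control file is parsed as a conversion directive. The following is an added illustration, not dpkg's code, of that shape beside the hardened form in which every untrusted value travels as a "%s" argument of a fixed format, plus a small unit check that flags strings that must never be used as a format; warn_unsafe, warn_safe, has_format_directive and demo are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe shape from the backtrace: the untrusted package name is baked into
 * the string that vsnprintf() then parses as its FORMAT (kept only for
 * contrast; never called with '%' in pkg here). */
int warn_unsafe(char *out, size_t n, const char *pkg, const char *fmt, ...)
{
    char joined[512]; va_list ap; int r;
    snprintf(joined, sizeof joined, "package '%s':\n %s", pkg, fmt);
    va_start(ap, fmt);
    r = vsnprintf(out, n, joined, ap);   /* BUG: pkg bytes act as directives */
    va_end(ap);
    return r;
}

/* Hardened shape: format the literal fmt first, then splice all untrusted
 * strings in as "%s" ARGUMENTS of a fixed format. */
int warn_safe(char *out, size_t n, const char *file, int line,
              const char *pkg, const char *fmt, ...)
{
    char body[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(body, sizeof body, fmt, ap);   /* fmt is a compile-time literal */
    va_end(ap);
    return snprintf(out, n, "parsing file '%s' near line %d package '%s':\n %s",
                    file, line, pkg, body);
}

/* Unit check: 1 if text holds a '%' not doubled as "%%", i.e. it must never
 * be handed to a printf-family function as the format. */
int has_format_directive(const char *text)
{
    for (const char *p = text; (p = strchr(p, '%')) != NULL; p++)
        if (p[1] == '%') p++;            /* "%%" is a literal percent sign */
        else return 1;
    return 0;
}

/* Runs the report's exact inputs (constructed from the bug description)
 * through the safe path; the '%' in the value survives as a literal. */
const char *demo(char *out, size_t n)
{
    warn_safe(out, n, ".//DEBIAN/control", 2, "backup:el%sion:-1",
              "'%s' is not a valid architecture name: %s",
              "el%sion:-1", "character `%' not allowed");
    return out;
}
```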
