[Bug 1389135] Re: dpkg / dpkg-deb segfault -- possible format string bug/vuln?
Joshua Rogers
MegaManSec at gmail.com
Tue Nov 4 19:10:33 UTC 2014
I don't have the time/skill to try, but I'm guessing that if you can
somehow actually build the package with that set as the architecture,
unpacking the .deb file will also be vulnerable, which would definitely
be a security-related bug.
My guess is that it _does_ exist in the unpacking phase too, since the
bug seems to be triggered in lib/dpkg/parsehelp.c.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1389135
Title:
dpkg / dpkg-deb segfault -- possible format string bug/vuln?
Status in “dpkg” package in Ubuntu:
New
Bug description:
When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
Example of control file:
Package: backup
Architecture: el%sion:-1
Description: script
Here's a gdb backtrace:
(gdb) run --build ./
Starting program: /root/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
1630 vfprintf.c: No such file or directory.
(gdb) bt
#0 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
#1 0x00007ffff76670f2 in _IO_vsnprintf (
string=0x7fffffffd560 "parsing file './/DEBIAN/control' near line 2 package 'backup:elel%sion:-1ion:-1':\n 'character `%' not allowed (only letters, digits and characters `-')' is not a valid architecture name: ",
maxlen=<optimised out>, format=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at vsnprintf.c:120
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
#3 0x0000000000423fa7 in parse_warn (ps=0x7fffffffddc0, fmt=0x44a680 "'%s' is not a valid architecture name: %s") at parsehelp.c:75
#4 0x000000000043b38c in f_architecture (pigp=0x7fffffffdbc0, pifp=0x7fffffffdc80, ps=0x7fffffffddc0, value=0x6651f0 "el%sion:-1", fip=0x448c40) at fields.c:189
#5 0x000000000041eb65 in pkg_parse_field (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_obj=0x7fffffffde40) at parse.c:142
#6 0x00000000004222e9 in parse_stanza (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_field=0x41e480 <pkg_parse_field>, parse_obj=0x7fffffffde40) at parse.c:478
#7 0x0000000000422843 in parsedb (filename=0x665120 ".//DEBIAN/control", flags=3, donep=0x7fffffffdea0) at parse.c:547
#8 0x0000000000404661 in check_new_pkg (dir=0x7fffffffe3e7 "./") at build.c:335
#9 0x0000000000405274 in do_build (argv=0x7fffffffe198) at build.c:436
#10 0x000000000040e566 in main (argc=3, argv=0x7fffffffe188) at main.c:206
#11 0x00007ffff761576d in __libc_start_main (main=0x40e37a <main>, argc=3, ubp_av=0x7fffffffe178, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe168) at libc-start.c:226
#12 0x00000000004025a9 in _start ()
(gdb) up 2
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
392 vsnprintf(buf, sizeof(buf), fmt, args);
Unsure if it's a vulnerability or not. If it is, could I get a CVE-ID?
Thanks
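An added example in C (not dpkg's own code) of the pattern the backtrace reflects: an untrusted package name is spliced into a buffer that is later handed to vsnprintf as the format, shown beside a hardened variant that formats the fixed fmt first and passes the untrusted text only as a %s argument. Function names are hypothetical; the vulnerable builder only constructs the bad format and never calls vsnprintf with it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical reconstruction): the caller's fixed fmt
 * and the untrusted pkgname are snprintf'd into one buffer that the next
 * layer then USES AS A FORMAT. Any '%' in pkgname becomes a conversion
 * with no matching argument. This only builds the buffer; it does not
 * pass it to vsnprintf, so it is safe to run. */
int build_warn_format_vulnerable(char *out, size_t outlen,
                                 const char *file, int line,
                                 const char *pkgname, const char *fmt)
{
    return snprintf(out, outlen,
                    "parsing file '%s' near line %d package '%s':\n %s",
                    file, line, pkgname, fmt);
}

/* Hardened pattern: expand the caller's literal fmt with its own args
 * first, then treat both the result and pkgname strictly as data. */
int warn_safe(char *out, size_t outlen, const char *file, int line,
              const char *pkgname, const char *fmt, ...)
{
    char msg[512];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);   /* fmt is a literal; args match */
    va_end(ap);
    return snprintf(out, outlen,
                    "parsing file '%s' near line %d package '%s':\n %s",
                    file, line, pkgname, msg);
}

/* Count conversion specifiers in a string about to be used as a format
 * ("%%" is a literal percent). Comparing this against the number of
 * arguments actually supplied exposes the injected "%s" from the trace. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}
```

With the values from the backtrace, the vulnerable buffer ends up with three conversions for the two arguments the caller supplied, while the hardened output carries "el%sion:-1" as plain text.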