[ubuntu/jammy-proposed] apt 2.4.14 (Accepted)

Julian Andres Klode juliank at ubuntu.com
Fri Mar 28 20:50:39 UTC 2025


apt (2.4.14) jammy; urgency=medium

  * Fix buffer overflow, stack overflow, exponential complexity in
    apt-ftparchive Contents generation (LP: #2083697)
    - ftparchive: Mystrdup: Add safety check and bump buffer size
    - ftparchive: contents: Avoid exponential complexity and overflows
    - test framework: Improve valgrind support
    - test: Check that apt-ftparchive handles deep paths
    - increase valgrind cleanliness to make the tests pass
      - pkgcachegen: Use placement new to construct header
      - Workaround valgrind "invalid read" in ExtractTar::Go by moving large
        buffer from stack to heap. The large buffer triggered some bugs in
        valgrind stack clash protection handling.

Date: Tue, 22 Oct 2024 15:09:58 +0200
Changed-By: Julian Andres Klode <juliank at ubuntu.com>
Maintainer: APT Development Team <deity at lists.debian.org>
https://launchpad.net/ubuntu/+source/apt/2.4.14
-------------- next part --------------
Format: 1.8
Date: Tue, 22 Oct 2024 15:09:58 +0200
Source: apt
Built-For-Profiles: noudeb
Architecture: source
Version: 2.4.14
Distribution: jammy
Urgency: medium
Maintainer: APT Development Team <deity at lists.debian.org>
Changed-By: Julian Andres Klode <juliank at ubuntu.com>
Launchpad-Bugs-Fixed: 2083697
Changes:
 apt (2.4.14) jammy; urgency=medium
 .
   * Fix buffer overflow, stack overflow, exponential complexity in
     apt-ftparchive Contents generation (LP: #2083697)
     - ftparchive: Mystrdup: Add safety check and bump buffer size
     - ftparchive: contents: Avoid exponential complexity and overflows
     - test framework: Improve valgrind support
     - test: Check that apt-ftparchive handles deep paths
     - increase valgrind cleanliness to make the tests pass
       - pkgcachegen: Use placement new to construct header
       - Workaround valgrind "invalid read" in ExtractTar::Go by moving large
         buffer from stack to heap. The large buffer triggered some bugs in
         valgrind stack clash protection handling.
Checksums-Sha1:
 2c514fc61289242e3ea261e6c3f1d3845be374c9 2801 apt_2.4.14.dsc
 76b54532347feef2efd7f4cb66b49092cc79dd22 2323176 apt_2.4.14.tar.xz
 aa95c008dc0a1dfb1e1f9f7411046c2a66d7c307 9071 apt_2.4.14_source.buildinfo
Checksums-Sha256:
 317040c4ab15f20cc77460126fd78745814a81d73a6c37d0559876977a7dfe35 2801 apt_2.4.14.dsc
 8d1b2748a6b5c99c9fd56dfadde280b85616dd67d22f7ca44f86225fa688a98c 2323176 apt_2.4.14.tar.xz
 5a5b1e1b57992087c85909987d3a4fa73620cb77cd295c854d26c189e6059734 9071 apt_2.4.14_source.buildinfo
Files:
 2ccab4da1895b715b53078afee8e9d1d 2801 admin important apt_2.4.14.dsc
 b5fa856158a78694d8444cf5dd1dc3f9 2323176 admin important apt_2.4.14.tar.xz
 b7ffadedb42931fde9880e3442c54f46 9071 admin important apt_2.4.14_source.buildinfo

