Your message dated Tue, 22 Dec 2015 21:48:15 +0000
with message-id <[email protected]>
and subject line Bug#798324: fixed in dpkg 1.16.17
has caused the Debian Bug report #798324,
regarding dpkg-deb: Fix off-by-one write access on versionbuf variable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
798324: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798324
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.18.2
Severity: normal
Tags: patch

The following was reported by Jacek Wielemborek:

----- Begin forwarded message -----

Dear Maintainer,

I built dpkg with afl-gcc and AFL_USE_ASAN=1. Here's the base64-encoded
 .deb file it generated:

And here's the crash:

root@1442a2c3a089:~/fuzz/dpkg/o/crashes# dpkg --info
id\:000000\,sig\:06\,src\:000000\,op\:flip1\,pos\:7
=================================================================
==11286==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffbdcdf338 at pc 0x00000040cf49 bp 0x7fffbdcdef70 sp 0x7fffbdcdef68
WRITE of size 1 at 0x7fffbdcdf338 thread T0
    #0 0x40cf48  (/usr/bin/dpkg-deb+0x40cf48)
    #1 0x410dfe  (/usr/bin/dpkg-deb+0x410dfe)
    #2 0x4056e2  (/usr/bin/dpkg-deb+0x4056e2)
    #3 0x7f38390b8b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x4074ca  (/usr/bin/dpkg-deb+0x4074ca)

Address 0x7fffbdcdf338 is located in stack of thread T0 at offset 872 in
frame
    #0 0x40b4bf  (/usr/bin/dpkg-deb+0x40b4bf)

  This frame has 13 object(s):
    [32, 33) 'nlc'
    [96, 100) 'dummy'
    [160, 168) 'version'
    [224, 232) 'ctrllennum'
    [288, 304) 'err'
    [352, 384) 'cmd'
    [416, 424) 'p1'
    [480, 488) 'p2'
    [544, 604) 'arh'
    [640, 784) 'stab'
    [832, 872) 'versionbuf' <== Memory access at offset 872 overflows
this variable
    [928, 968) 'ctrllenbuf'
    [1024, 1224) 'buf'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
==11286==ABORTING

To be on the safe side, I'm reporting it as a critical security vuln
because this is a memory error in the core component. Please contact me
on [email protected].

----- End forwarded message -----

Quoting Guillem:

> The .deb is an ar archive w/o the '\n' trailer on the «!<arch>» magic
> value. The dpkg-deb/extract.c:extracthalf() function calls read_line()
> passing to it versionbuf with the off-by-one length, that one writes
> 41 bytes into it (with a trailing \0), stomping on whatever is next in
> the stack. But this should in principle have no visible effect because
> regardless of how the compiler has organized the local stack, any
> subsequently used local variable is first assigned so the trailing \0
> would not be in effect, and versionbuf is only ever used to compare
> against shorter constant strings, which should all fail, the first
> against "!<arch>\n", then against "0.93", and after that it just
> aborts the program.

Attached is the corresponding patch.

Regards,
Salvatore
From ac3ee4c3db5ecca5d2c343415273823da4c107ae Mon Sep 17 00:00:00 2001
From: Guillem Jover <[email protected]>
Date: Sun, 6 Sep 2015 21:25:00 +0200
Subject: [PATCH] dpkg-deb: Fix off-by-one write access on versionbuf variable

Reported-by: Jacek Wielemborek <[email protected]>
---
 dpkg-deb/extract.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dpkg-deb/extract.c b/dpkg-deb/extract.c
index d5ac05c..1d2a76a 100644
--- a/dpkg-deb/extract.c
+++ b/dpkg-deb/extract.c
@@ -131,7 +131,7 @@ extracthalf(const char *debar, const char *dir,
   if (fstat(arfd, &stab))
     ohshite(_("failed to fstat archive"));
 
-  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf));
+  r = read_line(arfd, versionbuf, strlen(DPKG_AR_MAGIC), sizeof(versionbuf) - 1);
   if (r < 0)
     read_fail(r, debar, _("archive magic version number"));
 
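Review bot: the change is only correct under the contract that read_line() stores its terminating NUL at buf[max], i.e. that it needs max + 1 bytes of storage, and nothing at the call site says so; please add a one-line comment such as `/* read_line() NUL-terminates after max bytes, so pass sizeof - 1 */` or, better, change read_line() to take the full buffer size and subtract internally so callers cannot repeat this. The same bare-sizeof pattern is worth auditing across the other read_line() callers in extract.c: the 1.16.17 changelog on this page records a second off-by-one write in dpkg-deb when parsing the old-format control member size, and the ASan frame listing shows ctrllenbuf with the same 40-byte size as versionbuf.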
-- 
2.5.1


--- End Message ---
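To make the arithmetic in Guillem's explanation concrete, here is an added C example (not dpkg's code): it models a read_line()-style helper that copies up to maxlen bytes and then NUL-terminates, and measures where that terminator lands for a 40-byte versionbuf when the call passes sizeof(versionbuf) versus sizeof(versionbuf) - 1 on a constructed .deb prefix whose ar magic lacks its '\n'. The helper's contract, VERSIONBUF_SIZE and the sample bytes are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Size of versionbuf in extracthalf(), per the ASan frame listing [832, 872). */
#define VERSIONBUF_SIZE 40

/* Model of a read_line()-style helper with the contract the report describes:
 * copy up to maxlen bytes from src (stopping after a '\n'), then write a
 * terminating '\0', so buf[maxlen] may be touched. Hypothetical model for this
 * example, not dpkg's own read_line(). Returns the byte count, or -1 when
 * fewer than minlen bytes were available. */
static long model_read_line(const unsigned char *src, size_t srclen,
                            char *buf, size_t minlen, size_t maxlen)
{
    size_t n = 0;
    while (n < maxlen && n < srclen) {
        buf[n] = (char)src[n];
        n++;
        if (buf[n - 1] == '\n')
            break;
    }
    buf[n] = '\0';                 /* the 41st byte when maxlen == 40 */
    return n < minlen ? -1 : (long)n;
}

/* 1 if the terminator written for this maxlen lands inside a
 * VERSIONBUF_SIZE-byte buffer, 0 if it is the off-by-one write, -1 on a
 * short read. The scratch buffer is one byte larger than versionbuf so the
 * measurement itself never overflows. */
int terminator_in_bounds(const unsigned char *src, size_t srclen, size_t maxlen)
{
    char scratch[VERSIONBUF_SIZE + 1];
    if (maxlen > VERSIONBUF_SIZE)
        return -1;
    long n = model_read_line(src, srclen, scratch, strlen("!<arch>"), maxlen);
    if (n < 0)
        return -1;
    return (size_t)n < VERSIONBUF_SIZE;
}

/* Constructed sample input: the ar magic with or without its '\n' trailer,
 * padded with non-newline bytes. The crash id in the report (op:flip1,pos:7)
 * names byte 7, which is exactly that '\n' in "!<arch>\n". */
int sample_in_bounds(int keep_newline, size_t maxlen)
{
    unsigned char deb[64];
    memset(deb, 'x', sizeof(deb));
    memcpy(deb, keep_newline ? "!<arch>\n" : "!<arch>_", 8);
    return terminator_in_bounds(deb, sizeof(deb), maxlen);
}
```

With the '\n' present the read stops after 8 bytes and either size is safe; it is the missing trailer that makes the read run to maxlen and puts the terminator at index 40 for the unfixed call.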
--- Begin Message ---
Source: dpkg
Source-Version: 1.16.17

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Wed, 25 Nov 2015 22:34:58 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.17
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 798324
Changes: 
 dpkg (1.16.17) wheezy-security; urgency=high
 .
   [ Guillem Jover ]
   * Fix an off-by-one write access in dpkg-deb when parsing the .deb magic.
     Reported by Jacek Wielemborek <[email protected]>. Closes: #798324
   * Fix an off-by-one write access in dpkg-deb when parsing the old format
     .deb control member size. Thanks to Hanno Böck <[email protected]>.
     Fixes CVE-2015-0860.
   * Fix an off-by-one read access in dpkg-deb when parsing ar member names.
     Thanks to Hanno Böck <[email protected]>.
 .
   [ Updated programs translations ]
   * Catalan (Jordi Mallach).
 .
   [ Updated man page translations ]
   * Fix incorrect translation in German (Helge Kreutzmann)


--- End Message ---