Package: dpkg
Version: 1.16.1.2
Tags: bug, security

This doesn't seem to be a vulnerability, but more of a bug. Best that the devs look at it rather than me, though.

I'm using v1.16.1.2ubuntu7.5, but it is probably there in more recent versions. With the control file:

> : 1
> a: %s

dpkg-deb --build will segfault. It will not segfault if you put something before ": 1" and will not segfault if "a: %s" does not contain a "%" symbol. Here's a gdb backtrace:

> Program received signal SIGSEGV, Segmentation fault.
> 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>,
> format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
> 1630 vfprintf.c: No such file or directory.
> (gdb) bt
> #0 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>,
> format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
> #1 0x00007ffff76fd3e0 in ___vsnprintf_chk (s=0x7fffffffd640 "parsing
> file 'lol/DEBIAN/control' near line 2 package '1:%s':\n 'must start
> with an alphanumeric' is not a valid architecture name: \367\377\177",
> maxlen=<optimised out>, flags=1, slen=<optimised out>,
> format=0x649940 "parsing file 'lol/DEBIAN/control' near line 2 package
> '1:%s':\n '%s' is not a valid architecture name: %s", args=0x7fffffffda68)
> at vsnprintf_chk.c:65
> #2 0x0000000000414b27 in vsnprintf (__ap=<optimised out>,
> __fmt=<optimised out>, __n=1024,
> __s=0x7fffffffd640 "parsing file 'lol/DEBIAN/control' near line 2
> package '1:%s':\n 'must start with an alphanumeric' is not a valid
> architecture name: \367\377\177") at
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:78
> #3 warningv (fmt=<optimised out>, args=<optimised out>) at ehandle.c:392
> #4 0x0000000000422199 in parse_warn (ps=<optimised out>,
> fmt=<optimised out>) at parsehelp.c:75
> #5 0x000000000041db26 in parse_stanza (ps=0x7fffffffddf0,
> fs=0x7fffffffde30, parse_field=0x41bbe0 <pkg_parse_field>,
> parse_obj=0x7fffffffde70) at parse.c:478
> #6 0x000000000041ebb6 in parsedb (filename=0x65e120
> "lol/DEBIAN/control", flags=<optimised out>, donep=0x7fffffffdfe0) at
> parse.c:547
> #7 0x0000000000404004 in check_new_pkg (dir=0x7fffffffe3c5 "lol") at
> build.c:335
> #8 do_build (argv=<optimised out>) at build.c:436
> #9 0x00000000004029e1 in main (argc=<optimised out>,
> argv=0x7fffffffe168) at main.c:206
> #10 0x00007ffff761576d in __libc_start_main (main=0x402860 <main>,
> argc=3, ubp_av=0x7fffffffe158, init=<optimised out>, fini=<optimised
> out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe148) at
> libc-start.c:226
> #11 0x0000000000402ac5 in _start ()

A quick guess is that because the ": 1" part of the file does not have a 'name', it tries to call a NULL. Somebody should check if I'm right, though.

Thanks,
-- 
-- Joshua Rogers <https://internot.info/>
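An added example, not code from dpkg or from the reporter: the format string visible in frame #1 of the backtrace already contains the package name "1:%s", so the two constructed helpers below contrast splicing an untrusted name into a warning's format with passing it as a %s argument; format_warning, warn_bad_arch_unsafe, warn_bad_arch_safe and name_kept_literal are hypothetical names, and the message text is modelled on the one in the backtrace.

```c
/* Added example (not dpkg's code): a warning helper that takes a format
 * string must get untrusted text (a package name) only as an argument. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 1024

/* Hypothetical stand-in for a dpkg-style parse-warning helper. */
static void format_warning(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* WRONG: the package name is pasted into the format first, so a name like
 * "1:%s" becomes a conversion and vsnprintf reads a vararg that was never
 * passed (undefined behaviour). Kept for comparison; the test never calls it. */
void warn_bad_arch_unsafe(char *out, size_t outlen, const char *file,
                          const char *pkg, const char *arch)
{
    char fmt[MSG_MAX];
    snprintf(fmt, sizeof fmt,
             "parsing file '%s' near line 2 package '%s':\n"
             " '%%s' is not a valid architecture name", file, pkg);
    format_warning(out, outlen, fmt, arch);   /* pkg's '%' now live in fmt */
}

/* RIGHT: the format is a literal; every untrusted string is an argument. */
void warn_bad_arch_safe(char *out, size_t outlen, const char *file,
                        const char *pkg, const char *arch)
{
    format_warning(out, outlen,
                   "parsing file '%s' near line 2 package '%s':\n"
                   " '%s' is not a valid architecture name",
                   file, pkg, arch);
}

/* Returns 1 when the safe helper reproduces the package name literally,
 * i.e. a '%' in the name survives without being interpreted. */
int name_kept_literal(const char *pkg)
{
    char msg[MSG_MAX], want[MSG_MAX];
    warn_bad_arch_safe(msg, sizeof msg, "lol/DEBIAN/control", pkg,
                       "must start with an alphanumeric");
    snprintf(want, sizeof want, "package '%s':", pkg);
    return strstr(msg, want) != NULL;
}
```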

