Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi!

There are some pending changes for dpkg targeting wheezy I'd like to include as part of a security upload (as agreed with the security team). The proposed changes have been part of unstable/jessie for a while. I requested additional testing from my last d-d-a mail but didn't get any positive or negative results back (yet?).

The prospective changelog would be something like this:

,---
dpkg (1.16.16) wheezy-security; urgency=low

  [ Guillem Jover ]
  * Do not leak long tar names on bogus or truncated archives.
  * Do not leak the filepackages iterator when a directory is used by other
    packages.
  * Do not leak color string on «dselect --color».
  * Fix memory leaks when parsing alternatives.
  * Fix memory leaks in buffer_copy() on error conditions.
  * Fix possible out of bounds buffer read access in the error output on
    bogus ar member sizes.
  * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression
    introduced with the initial triggers implementation in dpkg 1.14.17.
    Closes: #751021
  * Fix a descriptor leak on dselect subprocesses when --debug is used.
  * Do not run qsort() over the scandir() list in libcompat if it is NULL.
  * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and
    GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX.
    Although this should not have security implications as the buffer is
    surrounded by two arrays (so those catch accesses even if the stack
    grows up or down), and we are compiling with -fstack-protector anyway.
  * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that
    prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe.
    Closes: #731530
  * Fix off-by-one error in libdpkg command argv size calculation.
    Based on a patch by Bálint Réczey <bal...@balintreczey.hu>. Closes: #760690
  * Escape package and architecture names on control file parsing warning,
    as those get injected into a variable that is used as a format string,
    and they come from the package fields, which are under user control.
    Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
    Reported by Joshua Rogers <megaman...@gmail.com>.

  [ Raphaël Hertzog ]
  * Drop myself from Uploaders.

  [ Updated scripts translations ]
  * Fix typos in German (Helge Kreutzmann)
  * Swedish (Peter Krefting).

  [ Updated man page translations ]
  * Fix typos in German (Helge Kreutzmann)
  * Swedish (Peter Krefting).

 -- Guillem Jover <guil...@debian.org>  Fri, 03 Apr 2015 15:44:39 +0200
`---

Attached the git patch series excluding translation updates.

Thanks,
Guillem
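The CVE-2014-8625 entry above describes a user-controlled package name being spliced into a string that is then used as a printf format. The following C program is an added example, not dpkg's code, showing the vulnerable shape next to the escaped one: fmt_escape() is an independent stand-in for dpkg's str_escape_fmt(), struct parse_state and the "control" / "evil%n%s" input are constructed for the demonstration, and count_directives() exists only to make the difference measurable without ever executing the hostile format.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for dpkg's parser state; only the fields the
 * warning path needs. filename and pkgname are attacker controlled:
 * both come from the .deb being parsed. */
struct parse_state {
    const char *filename;
    int lno;
    const char *pkgname;
};

/* Double every '%' so the string is inert when it later ends up inside a
 * printf format. Independent re-implementation of the idea behind dpkg's
 * str_escape_fmt(), not dpkg's code. Always NUL-terminates and never
 * emits half of a "%%" pair when it runs out of room, since a lone
 * trailing '%' would itself become a live directive. */
static void
fmt_escape(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;

    while (*src != '\0') {
        size_t need = (*src == '%') ? 2 : 1;

        if (n + need >= dstsize)
            break;
        if (*src == '%')
            dst[n++] = '%';
        dst[n++] = *src++;
    }
    dst[n] = '\0';
}

/* Number of directives a printf-family function would act on; "%%" is a
 * literal percent sign, not a directive. */
static int
count_directives(const char *fmt)
{
    int count = 0;

    for (; *fmt != '\0'; fmt++) {
        if (*fmt != '%')
            continue;
        if (fmt[1] == '%') {
            fmt++;
            continue;
        }
        count++;
    }
    return count;
}

#define MSG_TEMPLATE \
    "parsing file '%.255s' near line %d package '%.255s':\n  %.255s"

/* Vulnerable shape (the CVE-2014-8625 pattern): raw fields are spliced
 * into msg, and msg is later used as the format string. The result is only
 * inspected here, never executed. */
static int
build_msg_unsafe(char *msg, size_t msgsize, const struct parse_state *ps,
                 const char *fmt)
{
    snprintf(msg, msgsize, MSG_TEMPLATE, ps->filename, ps->lno,
             ps->pkgname, fmt);
    return count_directives(msg);
}

/* Fixed shape: escape every user-controlled field first. The 256-byte
 * buffers match the '%.255s' precision, so the template can never truncate
 * the escaped text and reintroduce a lone '%'. */
static int
build_msg_safe(char *msg, size_t msgsize, const struct parse_state *ps,
               const char *fmt)
{
    char filename[256], pkgname[256];

    fmt_escape(filename, sizeof(filename), ps->filename);
    fmt_escape(pkgname, sizeof(pkgname), ps->pkgname);
    snprintf(msg, msgsize, MSG_TEMPLATE, filename, ps->lno, pkgname, fmt);
    return count_directives(msg);
}

/* Two-stage pattern as in the patched code: build msg as a format, then
 * expand the caller's literal fmt arguments through it. */
static int
parse_warning(char *out, size_t outsize, const struct parse_state *ps,
              const char *fmt, ...)
{
    char msg[1024];
    va_list args;
    int len;

    build_msg_safe(msg, sizeof(msg), ps, fmt);
    va_start(args, fmt);
    len = vsnprintf(out, outsize, msg, args);
    va_end(args);
    return len;
}

int
main(void)
{
    /* Constructed hostile control file: Package field carries directives. */
    struct parse_state ps = { "control", 7, "evil%n%s" };
    char msg[1024], out[1024];

    printf("unsafe: %d live directives\n",
           build_msg_unsafe(msg, sizeof(msg), &ps, "missing %s field"));
    printf("safe:   %d live directives\n",
           build_msg_safe(msg, sizeof(msg), &ps, "missing %s field"));
    parse_warning(out, sizeof(out), &ps, "missing %s field", "Version");
    puts(out);
    return 0;
}
```

With the constructed input the unsafe message carries three directives (the caller's intended %s plus the injected %n and %s), while the escaped message carries only the intended one, so the %n never reaches vsnprintf() as a write target.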
From 44a7fca84cb32bb98999546685a5492b02fa6a60 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Mon, 28 Apr 2014 20:48:14 +0200 Subject: [PATCH 01/15] libdpkg: Do not leak long tar names on bogus tar archives Cherry picked from commit 055717db09c9b6de7bf3cd9e12fd579d8002e565. Make sure we free the long names, in case of a bogus or truncated tar archive with long entries not followed by a normal entry. Warned-by: coverity --- debian/changelog | 3 +++ lib/dpkg/tarfn.c | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 6313a1d..08e2fa6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,8 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low + [ Guillem Jover ] + * Do not leak long tar names on bogus or truncated archives. + [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). diff --git a/lib/dpkg/tarfn.c b/lib/dpkg/tarfn.c index 90d5071..5b3b39b 100644 --- a/lib/dpkg/tarfn.c +++ b/lib/dpkg/tarfn.c @@ -377,6 +377,10 @@ tar_extractor(void *ctx, const struct tar_operations *ops) free(symlink_head); symlink_head = symlink_node; } + /* Make sure we free the long names, in case of a bogus or truncated + * tar archive with long entries not followed by a normal entry. */ + free(next_long_name); + free(next_long_link); if (status > 0) { /* Indicates broken tarfile: “Read partial header record”. */ -- 2.2.1.209.g41e5f3a
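Review bot: The unconditional free(next_long_name) and free(next_long_link) after the loop in tar_extractor() are only safe if both pointers are reset to NULL every time a following normal entry takes ownership of them; that invariant is not visible in this hunk. Consider stating it in the new comment, or setting both to NULL right after the free, so a later early-exit path cannot turn this leak fix into a double free.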
From 7c4c359473481f15aa0e8b6d2a0113cc723964b2 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Mon, 28 Apr 2014 21:54:52 +0200 Subject: [PATCH 02/15] dpkg: Do not leak the filepackages_iterator in dir_is_used_by_others() Cherry picked from commit b6788715227adb30ba41b5a049d1cbfb9e3ff1d7. Warned-by: coverity --- debian/changelog | 2 ++ src/help.c | 1 + 2 files changed, 3 insertions(+) diff --git a/debian/changelog b/debian/changelog index 08e2fa6..7e85c2d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low [ Guillem Jover ] * Do not leak long tar names on bogus or truncated archives. + * Do not leak the filepackages iterator when a directory is used by other + packages. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/src/help.c b/src/help.c index dfcf7e8..bb9350e 100644 --- a/src/help.c +++ b/src/help.c @@ -251,6 +251,7 @@ dir_is_used_by_others(struct filenamenode *file, struct pkginfo *pkg) if (other_pkg == pkg) continue; + filepackages_iter_free(iter); debug(dbg_veryverbose, "dir_is_used_by_others yes"); return true; } -- 2.2.1.209.g41e5f3a
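Review bot: The added filepackages_iter_free(iter) in dir_is_used_by_others() only covers this one early return; with the iterator owned across a loop that returns from inside it, a single exit point (break on a found flag, then one free before the return) would make the leak impossible to reintroduce when the next early return is added. As shown, the fix itself is correct.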
From 0e2963ab76e7697f99c7f160dcbe1a7a6edc3200 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Mon, 28 Apr 2014 21:44:17 +0200 Subject: [PATCH 03/15] dselect: Fix memory leak in set_color() Cherry picked from commit 3df20bdb86cb217ee55c12c8f2277f3af787bf71. Warned-by: coverity --- debian/changelog | 1 + dselect/main.cc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/debian/changelog b/debian/changelog index 7e85c2d..9152e1f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Do not leak long tar names on bogus or truncated archives. * Do not leak the filepackages iterator when a directory is used by other packages. + * Do not leak color string on «dselect --color». [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/dselect/main.cc b/dselect/main.cc index 6cd4503..c0f2195 100644 --- a/dselect/main.cc +++ b/dselect/main.cc @@ -299,6 +299,8 @@ extern "C" { color[screenpart].attr= color[screenpart].attr | aval; } } + + free(s); } } /* End of extern "C" */ -- 2.2.1.209.g41e5f3a
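Review bot: free(s) in set_color() is placed at the end of the outer block, so it only runs on the fall-through path; any early return above this hunk would still leak the duplicated colour string. If every other exit goes through ohshit() (which terminates the process) that is fine in practice, but a short comment would help, since the hunk alone does not show it.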
From 52b018e762f35bc8fb6fd3628a490c8f487011e0 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Mon, 28 Apr 2014 22:07:29 +0200 Subject: [PATCH 04/15] u-a: Fix memory leaks in alternative_parse_fileset() Cherry picked from commit 2579acce1f6add74150790e806d859c3f3f8d362. Free prio_str and master_file. Warned-by: coverity --- debian/changelog | 1 + utils/update-alternatives.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/debian/changelog b/debian/changelog index 9152e1f..265d7c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Do not leak the filepackages iterator when a directory is used by other packages. * Do not leak color string on «dselect --color». + * Fix memory leaks when parsing alternatives. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/utils/update-alternatives.c b/utils/update-alternatives.c index 5f4364b..0c2b852 100644 --- a/utils/update-alternatives.c +++ b/utils/update-alternatives.c @@ -1238,6 +1238,8 @@ alternative_parse_fileset(struct alternative *a, struct altdb_context *ctx) ctx->bad_format(ctx, _("priority of %s is out of range: %s"), master_file, prio_str); + free(prio_str); + fs = fileset_new(master_file, prio); for (sl = a->slaves; sl; sl = sl->next) { fileset_add_slave(fs, xstrdup(sl->name), @@ -1245,6 +1247,8 @@ alternative_parse_fileset(struct alternative *a, struct altdb_context *ctx) } alternative_add_choice(a, fs); } + free(master_file); + return true; } -- 2.2.1.209.g41e5f3a
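Review bot: In alternative_parse_fileset(), free(prio_str) correctly sits after the ctx->bad_format() call that prints it, but the trailing free(master_file) needs confirming: the slave loop hands fileset_add_slave() an xstrdup()ed name, which suggests the fileset owns its strings, so if fileset_new(master_file, prio) likewise takes ownership rather than copying, the master_file freed here must be the loop-terminating one and never a pointer already stored in a fileset. Please verify and say so in a comment; otherwise this is a double free rather than a leak fix.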
From 0eb67a5a236d7fc7c03975e0fa28b783231f8f9f Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Wed, 30 Apr 2014 22:32:15 +0200 Subject: [PATCH 05/15] libdpkg: Fix memory leaks in buffer_copy() on error conditions Cherry picked from commit ded3dfed77b7fd268914e19e8081b43c9233cc05 and commit b851df1817ebaf60a95ae6478824c0e732890fc0. Check for errors from subfunctions and break out of the loop to be able to release resources. Check also for unexpected EOF only after freeing resources, so that we don't end up leaking them. Warned-by: coverity --- debian/changelog | 1 + lib/dpkg/buffer.c | 12 +++++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 265d7c9..085b498 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low packages. * Do not leak color string on «dselect --color». * Fix memory leaks when parsing alternatives. + * Fix memory leaks in buffer_copy() on error conditions. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/buffer.c b/lib/dpkg/buffer.c index ec818f4..162b204 100644 --- a/lib/dpkg/buffer.c +++ b/lib/dpkg/buffer.c @@ -196,7 +196,7 @@ buffer_copy(struct buffer_data *read_data, while (bufsize > 0) { bytesread = buffer_read(read_data, buf, bufsize, err); if (bytesread < 0) - return -1; + break; if (bytesread == 0) break; @@ -212,20 +212,22 @@ buffer_copy(struct buffer_data *read_data, byteswritten = buffer_write(write_data, buf, bytesread, err); if (byteswritten < 0) - return -1; + break; if (byteswritten == 0) break; totalwritten += byteswritten; } - if (limit > 0) - return dpkg_put_error(err, _("unexpected end of file or stream")); - buffer_filter_done(filter); free(buf); + if (bytesread < 0 || byteswritten < 0) + return -1; + if (limit > 0) + return dpkg_put_error(err, _("unexpected end of file or stream")); + return totalread; } -- 2.2.1.209.g41e5f3a
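Review bot: The new post-loop check `if (bytesread < 0 || byteswritten < 0)` in buffer_copy() reads byteswritten on every exit path, including the one where buffer_read() returns 0 on the first pass and byteswritten has never been assigned. Unless byteswritten is initialized before the loop (not visible here), that is an indeterminate read; initialize both variables to 0 at declaration. Moving the `limit > 0` check after free(buf) is the right fix for the leak.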
From 2ddedea45a1e6ae2deb6e0d52aabcf2007430dfe Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Sun, 11 May 2014 08:11:22 +0200 Subject: [PATCH 06/15] libdpkg: Swap deb name and member name in dpkg_ar_member_get_size() Cherry picked from commit 9274fe071004f02dcd64eba5f40b342e40bc2fd1. Otherwise we might perform an out of bounds buffer read access in the error output on bogus member sizes. --- debian/changelog | 2 ++ lib/dpkg/ar.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 085b498..211fff4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,8 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Do not leak color string on «dselect --color». * Fix memory leaks when parsing alternatives. * Fix memory leaks in buffer_copy() on error conditions. + * Fix possible out of bounds buffer read access in the error output on + bogus ar member sizes. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c index 3c07a59..d11a030 100644 --- a/lib/dpkg/ar.c +++ b/lib/dpkg/ar.c @@ -65,7 +65,7 @@ dpkg_ar_member_get_size(const char *ar_name, struct ar_hdr *arh) if (*str < '0' || *str > '9') ohshit(_("invalid character '%c' in archive '%.250s' " "member '%.16s' size"), - *str, arh->ar_name, ar_name); + *str, ar_name, arh->ar_name); size *= 10; size += *str++ - '0'; -- 2.2.1.209.g41e5f3a
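Review bot: The argument swap in dpkg_ar_member_get_size() is correct, and the '%.16s' precision is what makes it safe, since struct ar_hdr's ar_name is a fixed 16-byte field with no NUL terminator; a one-line comment on the '%.16s' would stop someone from "simplifying" it to '%s' later and reintroducing the over-read.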
From 76c2e44f53dcaf73727ffc76c20b934c0a8541bc Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Mon, 9 Jun 2014 19:38:05 +0200 Subject: [PATCH 07/15] libdpkg: Fix file triggers/Unincorp descriptor leak on subprocesses Cherry picked from commit 92ab1bb69c3f251a2811015d94d1933b3b39e43a. Regression introduced in commit 10440009b68f59eeed4cb1b56547e3cf356aa540, with the initial triggers implementation. Closes: #751021 --- debian/changelog | 3 +++ lib/dpkg/trigdeferred.l | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 211fff4..3416d43 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,9 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Fix memory leaks in buffer_copy() on error conditions. * Fix possible out of bounds buffer read access in the error output on bogus ar member sizes. + * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression + introduced with the initial triggers implementation in dpkg 1.14.17. + Closes: #751021 [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/trigdeferred.l b/lib/dpkg/trigdeferred.l index 28e8ed6..6e9cf59 100644 --- a/lib/dpkg/trigdeferred.l +++ b/lib/dpkg/trigdeferred.l @@ -169,6 +169,8 @@ trigdef_update_start(enum trigdef_updateflags uf) pop_cleanup(ehflag_normaltidy); return tdus_error_no_deferred; } + } else { + setcloexec(fileno(old_deferred), fn.buf); } if (uf & tduf_write) { @@ -179,6 +181,8 @@ trigdef_update_start(enum trigdef_updateflags uf) if (!trig_new_deferred) ohshite(_("unable to open/create new triggers deferred file `%.250s'"), newfn.buf); + + setcloexec(fileno(trig_new_deferred), newfn.buf); } if (!old_deferred) -- 2.2.1.209.g41e5f3a
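Review bot: setcloexec() after fopen() in trigdef_update_start() leaves a window in which a fork()+exec() between the open and the flag set would still inherit the descriptor; dpkg is single-threaded here so that is theoretical, but where available the "e" fopen mode flag (glibc) or O_CLOEXEC closes the window atomically. The placement is otherwise right: the old_deferred call runs only in the else branch where the open succeeded, and the trig_new_deferred call runs only after the ohshite() check.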
From 380cc715cf0ae083225b0bc545cd753ffc2a953b Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Wed, 13 Aug 2014 09:34:41 +0200 Subject: [PATCH 08/15] libdpkg: Set close-on-exec for the debug output Cherry picked from commit d3d2ba1dd39ae02c92efafd4d4541d33665e48fb. This fixes a file descriptor leak on dselect subprocesses. --- debian/changelog | 1 + dselect/main.cc | 2 +- lib/dpkg/debug.c | 6 +++++- lib/dpkg/debug.h | 2 +- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 3416d43..62487a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,7 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Fix file triggers/Unincorp descriptor leak on subprocesses. Regression introduced with the initial triggers implementation in dpkg 1.14.17. Closes: #751021 + * Fix a descriptor leak on dselect subprocesses when --debug is used. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/dselect/main.cc b/dselect/main.cc index c0f2195..2a23442 100644 --- a/dselect/main.cc +++ b/dselect/main.cc @@ -231,7 +231,7 @@ extern "C" { ohshite(_("couldn't open debug file `%.255s'\n"), v); setvbuf(fp, 0, _IONBF, 0); - debug_set_output(fp); + debug_set_output(fp, v); debug_set_mask(dbg_general | dbg_depcon); } diff --git a/lib/dpkg/debug.c b/lib/dpkg/debug.c index 7ff12b3..64af3c9 100644 --- a/lib/dpkg/debug.c +++ b/lib/dpkg/debug.c @@ -25,6 +25,7 @@ #include <stdarg.h> #include <stdio.h> +#include <dpkg/dpkg.h> #include <dpkg/debug.h> static int debug_mask = 0; @@ -32,10 +33,13 @@ static FILE *debug_output = NULL; /** * Set the debugging output file. + * + * Marks the file descriptor as close-on-exec. */ void -debug_set_output(FILE *output) +debug_set_output(FILE *output, const char *filename) { + setcloexec(fileno(output), filename); debug_output = output; } diff --git a/lib/dpkg/debug.h b/lib/dpkg/debug.h index c49f2a7..f44b620 100644 --- a/lib/dpkg/debug.h 
+++ b/lib/dpkg/debug.h @@ -54,7 +54,7 @@ enum debugflags { dbg_triggersstupid = 040000, }; -void debug_set_output(FILE *output); +void debug_set_output(FILE *output, const char *filename); void debug_set_mask(int mask); bool debug_has_flag(int flag); void debug(int flag, const char *fmt, ...) DPKG_ATTR_PRINTF(2); -- 2.2.1.209.g41e5f3a
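Review bot: debug_set_output() is declared in lib/dpkg/debug.h, so changing its signature breaks any caller other than dselect/main.cc (the only one updated here); that is fine if libdpkg is linked statically and every in-tree caller is covered, but grep for other callers before a stable-security upload. Separately, setcloexec(fileno(output), filename) is applied to whatever FILE is passed, so a caller passing stderr or stdout would mark fd 1 or 2 close-on-exec and subprocesses would lose their standard streams; either document that only a dedicated file may be passed, or skip the flag for fileno(output) <= 2.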
From 71ef94898b7da381afe2c09a20b5bb19d030d375 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Sat, 7 Jun 2014 12:41:23 +0200 Subject: [PATCH 09/15] libcompat: Do not run qsort over the scandir list if it is NULL Cherry picked from commit 75a93afbe53d6d2554ed87abeb794a75373156fd. Warned-by: coverity --- debian/changelog | 1 + lib/compat/scandir.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 62487a4..930ffe6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,7 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low introduced with the initial triggers implementation in dpkg 1.14.17. Closes: #751021 * Fix a descriptor leak on dselect subprocesses when --debug is used. + * Do not run qsort() over the scandir() list in libcompat if it is NULL. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/compat/scandir.c b/lib/compat/scandir.c index c38ae01..914a559 100644 --- a/lib/compat/scandir.c +++ b/lib/compat/scandir.c @@ -88,7 +88,7 @@ scandir(const char *dir, struct dirent ***namelist, closedir(d); - if (cmp != NULL) + if (list != NULL && cmp != NULL) qsort(list, used, sizeof(struct dirent *), cmp); *namelist = list; -- 2.2.1.209.g41e5f3a
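Review bot: Guarding qsort() with `list != NULL` is correct since list is only allocated once an entry is stored; `used > 0` would express the same condition in terms of what qsort() actually receives and reads more directly. Note that callers now get *namelist = NULL with a 0 return for an empty directory, which is fine for free() but worth knowing for anyone indexing the result unconditionally.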
From 019a62ac5f047fa9dbe5f8597faedfacdba84e6b Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Mon, 28 Apr 2014 22:15:58 +0200 Subject: [PATCH 10/15] s-s-d: Fix off-by-one stack buffer overrun on GNU/Linux and GNU/kFreeBSD Cherry picked from commit 00e2aadcdc9d86655963df13068afd85eca2ed83. This might happen if the executable pathname is longer than _POSIX_PATH_MAX. Although this should not have security implications as the buffer is surrounded by two arrays (so those catch accesses even if the stack grows up or down), and we are compiling with -fstack-protector anyway. We just need to always leave room for the final NUL character. Warned-by: coverity --- debian/changelog | 5 +++++ utils/start-stop-daemon.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 930ffe6..472c608 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,11 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low Closes: #751021 * Fix a descriptor leak on dselect subprocesses when --debug is used. * Do not run qsort() over the scandir() list in libcompat if it is NULL. + * Fix off-by-one stack buffer overrun in start-stop-daemon on GNU/Linux and + GNU/kFreeBSD if the executable pathname is longer than _POSIX_PATH_MAX. + Although this should not have security implications as the buffer is + surrounded by two arrays (so those catch accesses even if the stack + grows up or down), and we are compiling with -fstack-protector anyway. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c index 818d7eb..11afbaf 100644 --- a/utils/start-stop-daemon.c +++ b/utils/start-stop-daemon.c 
@@ -1021,13 +1021,13 @@ static bool pid_is_exec(pid_t pid, const struct stat *esb) { char lname[32]; - char lcontents[_POSIX_PATH_MAX]; + char lcontents[_POSIX_PATH_MAX + 1]; const char deleted[] = " (deleted)"; int nread; struct stat sb; sprintf(lname, "/proc/%d/exe", pid); - nread = readlink(lname, lcontents, sizeof(lcontents)); + nread = readlink(lname, lcontents, sizeof(lcontents) - 1); if (nread == -1) return false; -- 2.2.1.209.g41e5f3a
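Review bot: readlink(lname, lcontents, sizeof(lcontents) - 1) now always leaves room for the terminator, but when the link target is longer than _POSIX_PATH_MAX, readlink() silently truncates and returns sizeof(lcontents) - 1; the later stat() then runs on a truncated path and pid_is_exec() yields a false negative. Treat nread == sizeof(lcontents) - 1 as truncation and fail explicitly, or size the buffer with PATH_MAX or allocate dynamically, since _POSIX_PATH_MAX (256) is well below what Linux permits.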
From 8449a3081b48cd37d86d4e0a905824478817a639 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Wed, 14 May 2014 04:27:31 +0200 Subject: [PATCH 11/15] s-s-d: Cope with bogus OpenVZ kernels that prepend the " (deleted)" marker Cherry picked from commit b766dca91159da611c6340dea347f4ef00159768. There are OpenVZ Linux kernels that instead of appending, prepend the deleted marker, making the exec check fail to match. Add a workaround so that those systems do not get affected. This will still be affecting any other userland tool that checks the /proc/PID/exe symlink, and might end up helping this behaviour to get entrenched, but better this than the getting strange system failures. Closes: #731530 --- debian/changelog | 3 +++ utils/start-stop-daemon.c | 16 ++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index 472c608..5e64b36 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,6 +19,9 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low Although this should not have security implications as the buffer is surrounded by two arrays (so those catch accesses even if the stack grows up or down), and we are compiling with -fstack-protector anyway. + * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that + prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe. + Closes: #731530 [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/utils/start-stop-daemon.c b/utils/start-stop-daemon.c index 11afbaf..132d814 100644 --- a/utils/start-stop-daemon.c +++ b/utils/start-stop-daemon.c @@ -1022,6 +1022,7 @@ pid_is_exec(pid_t pid, const struct stat *esb) { char lname[32]; char lcontents[_POSIX_PATH_MAX + 1]; + char *filename; const char deleted[] = " (deleted)"; int nread; struct stat sb; 
@@ -1031,11 +1032,18 @@ pid_is_exec(pid_t pid, const struct stat *esb) if (nread == -1) return false; - lcontents[nread] = '\0'; - if (strcmp(lcontents + nread - strlen(deleted), deleted) == 0) - lcontents[nread - strlen(deleted)] = '\0'; + filename = lcontents; + filename[nread] = '\0'; - if (stat(lcontents, &sb) != 0) + /* OpenVZ kernels contain a bogus patch that instead of appending, + * prepends the deleted marker. Workaround those. Otherwise handle + * the normal appended marker. */ + if (strncmp(filename, deleted, strlen(deleted)) == 0) + filename += strlen(deleted); + else if (strcmp(filename + nread - strlen(deleted), deleted) == 0) + filename[nread - strlen(deleted)] = '\0'; + + if (stat(filename, &sb) != 0) return false; return (sb.st_dev == esb->st_dev && sb.st_ino == esb->st_ino); -- 2.2.1.209.g41e5f3a
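Review bot: The else-if branch `strcmp(filename + nread - strlen(deleted), deleted)` computes a pointer before the start of lcontents whenever nread < strlen(deleted) (10), and an executable such as /bin/sh gives nread == 7; the out-of-bounds read predates this patch, but since the line is being touched it should gain a `nread >= strlen(deleted) &&` guard. In the prepended-marker branch, nread still counts the skipped prefix, which is harmless today but worth a comment now that filename and nread no longer describe the same string.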
From f8204c3a4090ef6f23e300046177786150807442 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Fri, 26 Sep 2014 01:21:56 +0200 Subject: [PATCH 12/15] libdpkg: Fix off-by-one error in command argv size calculation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cherry picked from commit 9b9acf81bac908889d0db3631c53277329bafb80. We need a ghost byte for the terminating NUL character, so add it up to the requested needed bytes. Closes: #760690 Warned-by: valgrind Based-on-patch-by: Bálint Réczey <bal...@balintreczey.hu> --- debian/changelog | 2 ++ lib/dpkg/command.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/debian/changelog b/debian/changelog index 5e64b36..21ad2eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -22,6 +22,8 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low * Add a workaround to start-stop-daemon for bogus OpenVZ Linux kernels that prepend, instead of appending, the " (deleted)" marker in /proc/PID/exe. Closes: #731530 + * Fix off-by-one error in libdpkg command argv size calculation. + Based on a patch by Bálint Réczey <bal...@balintreczey.hu>. Closes: #760690 [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/command.c b/lib/dpkg/command.c index 56fd700..859f8a1 100644 --- a/lib/dpkg/command.c +++ b/lib/dpkg/command.c @@ -77,6 +77,9 @@ command_destroy(struct command *cmd) static void command_grow_argv(struct command *cmd, int need) { + /* We need a ghost byte for the NUL character. */ + need++; + /* Check if we already have enough room. */ if ((cmd->argv_size - cmd->argc) >= need) return; -- 2.2.1.209.g41e5f3a
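Review bot: The comment "We need a ghost byte for the NUL character" in command_grow_argv() is misleading: argv is an array of char pointers, so the extra slot reserved by need++ is the terminating NULL pointer that execv() requires, not a byte. Reword to "reserve a slot for the terminating NULL pointer". Doing need++ before the early-return room check is the right place for it.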
From da65aec4a82fa445f406d57a54ac2fe12c2b221f Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Fri, 7 Nov 2014 20:49:26 +0100 Subject: [PATCH 13/15] libdpkg: Escape package and architecture on control file parsing warning Cherry picked from commit 446f11df6302716c2a1f993761ee54ecb44d42bb. The package and architecture names are injected into a variable that is used as a format string. Because these are user controlled, we need to format-escape them so that they become inert. Regression introduced in commmit 3be2cf607868adb9a2c0e5af06f20168a072eeb6. Fixes: CVE-2014-8625 Closes: #768485 Reporteb-by: Joshua Rogers <megaman...@gmail.com> --- debian/changelog | 5 +++++ lib/dpkg/parsehelp.c | 11 +++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index 21ad2eb..9c29d6f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -24,6 +24,11 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low Closes: #731530 * Fix off-by-one error in libdpkg command argv size calculation. Based on a patch by Bálint Réczey <bal...@balintreczey.hu>. Closes: #760690 + * Escape package and architecture names on control file parsing warning, + as those get injected into a variable that is used as a format string, + and they come from the package fields, which are under user control. + Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485 + Reported by Joshua Rogers <megaman...@gmail.com>. [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c index d9a574e..9e1d624 100644 --- a/lib/dpkg/parsehelp.c +++ b/lib/dpkg/parsehelp.c 
@@ -44,11 +44,14 @@ parse_error_msg(struct parsedb_state *ps, const char *fmt) str_escape_fmt(filename, ps->filename, sizeof(filename)); - if (ps->pkg && ps->pkg->set->name) + if (ps->pkg && ps->pkg->set->name) { + char pkgname[256]; + + str_escape_fmt(pkgname, pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), + sizeof(pkgname)); sprintf(msg, _("parsing file '%.255s' near line %d package '%.255s':\n" - " %.255s"), filename, ps->lno, - pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), fmt); - else + " %.255s"), filename, ps->lno, pkgname, fmt); + } else sprintf(msg, _("parsing file '%.255s' near line %d:\n" " %.255s"), filename, ps->lno, fmt); -- 2.2.1.209.g41e5f3a
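Review bot: The escaped pkgname is written into a 256-byte buffer and then printed with '%.255s', so the template itself cannot truncate it; what this hunk cannot show is whether str_escape_fmt() avoids emitting a lone '%' when it runs out of room on a long name. If it ever does, the '%' followed by the template's closing quote is parsed as the start of a directive again, so confirm str_escape_fmt()'s truncation behaviour or note it in a comment. The filename two lines above already gets the same escaping, which is consistent.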
From 00126be29715405d7e35316a4ac3f8d09b9954f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hert...@debian.org> Date: Wed, 11 Feb 2015 08:33:21 +0100 Subject: [PATCH 14/15] debian: drop myself from Uploaders Cherry picked from commit 10ff6c4fc598dbc9697c825a8c8e1bf25caa2fcb. Signed-off-by: Guillem Jover <guil...@debian.org> --- debian/changelog | 3 +++ debian/control | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 9c29d6f..7cd4c1a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -30,6 +30,9 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485 Reported by Joshua Rogers <megaman...@gmail.com>. + [ Raphaël Hertzog ] + * Drop myself from Uploaders. + [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). diff --git a/debian/control b/debian/control index 6a393a9..2d2f73e 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: dpkg Section: admin Priority: required Maintainer: Dpkg Developers <debian-d...@lists.debian.org> -Uploaders: Guillem Jover <guil...@debian.org>, Raphaël Hertzog <hert...@debian.org> +Uploaders: Guillem Jover <guil...@debian.org> Origin: debian Bugs: debbugs://bugs.debian.org Homepage: http://wiki.debian.org/Teams/Dpkg -- 2.2.1.209.g41e5f3a
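Review bot: Dropping an Uploader is a maintenance change unrelated to the security fixes in this series; stable-security uploads are normally kept to the fixes themselves, so either leave this for a point release or make the justification explicit in the changelog entry (it is listed there). No functional impact either way.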
From 9630f8ec8418de9f220c3e052270522e98550965 Mon Sep 17 00:00:00 2001 From: Guillem Jover <guil...@debian.org> Date: Fri, 3 Apr 2015 15:44:21 +0200 Subject: [PATCH 15/15] Release 1.16.16 --- debian/changelog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 7cd4c1a..5cdf293 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -dpkg (1.16.15+nmu1) UNRELEASED; urgency=low +dpkg (1.16.16) wheezy-security; urgency=low [ Guillem Jover ] * Do not leak long tar names on bogus or truncated archives. @@ -36,12 +36,12 @@ dpkg (1.16.15+nmu1) UNRELEASED; urgency=low [ Updated scripts translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). - + [ Updated man page translations ] * Fix typos in German (Helge Kreutzmann) * Swedish (Peter Krefting). - -- Helge Kreutzmann <deb...@helgefjell.de> Sun, 10 Aug 2014 17:24:52 +0200 + -- Guillem Jover <guil...@debian.org> Fri, 03 Apr 2015 15:44:39 +0200 dpkg (1.16.15) wheezy-security; urgency=high -- 2.2.1.209.g41e5f3a
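Review bot: The release entry uses urgency=low while the immediately preceding wheezy-security entry for 1.16.15 (visible as the hunk's trailing context) uses urgency=high; an upload fixing CVE-2014-8625 should be consistent with it, so consider urgency=high. The blank-line change is whitespace only and fine.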