Bug#764442: apt: String overrun in RSHConn::WriteMsg() (transports rsh: and ssh:)
Package: apt
Version: 1.0.9.2
Severity: normal

Dear Maintainer,

In examining the sources in method/rsh.cc I ran across the function RSHConn::WriteMsg(). The first thing it does is make a buffer of 512 bytes, put up to 508 bytes of data in it (the vsnprintf call), and then add at least 14 more bytes of data (the strcat calls).

I originally saw this in: Version: 0.9.7.9+deb7u5

I have not created a test for this. I suspect all it takes is a long path in the configured URI.

The simplest fix is probably to change the - 4 on the vsnprintf() to - 24 or thereabouts. A more complex fix (probably not needed) might send the two strings separately. It also might be wise to consider if the buffer should be enlarged.

I have not fully examined other sources for similar code, but do see where this came from in method/ftp.cc.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2014.1
ii  gnupg                   1.4.18-4
ii  libapt-pkg4.12          1.0.9.2
ii  libc6                   2.19-11
ii  libgcc1                 1:4.9.1-16
ii  libstdc++6              4.9.1-16

apt recommends no packages.

Versions of packages apt suggests:
ii  apt-doc     1.0.9.2
ii  aptitude    0.6.11-1
ii  dpkg-dev    1.17.16
ii  python-apt  0.9.3.10
ii  synaptic    0.81.2
Bug#764442: apt: String overrun in RSHConn::WriteMsg() (transports rsh: and ssh:)
On Wed, Oct 08, 2014 at 02:49:40AM -0400, David Garfield wrote:
> Package: apt
> Version: 1.0.9.2
> Severity: normal

Thanks for your bug report.

> In examining the sources in method/rsh.cc I ran across the function
> RSHConn::WriteMsg(). The first thing it does is make a buffer of 512
> bytes, put up to 508 bytes of data in it (the vsnprintf call), and then
> add at least 14 more bytes of data (the strcat calls).

Good catch, thank you!

[..]

> The simplest fix is probably to change the - 4 on the vsnprintf() to
> - 24 or thereabouts. A more complex fix (probably not needed) might
> send the two strings separately. It also might be wise to consider if
> the buffer should be enlarged.
>
> I have not fully examined other sources for similar code, but do see
> where this came from in method/ftp.cc.

[..]

I fixed this in git and replaced the strcat with a C++ std::string so that we do not run into the fixed buffer issue. I also enlarged the buffer while doing so.

Cheers,
 Michael
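The arithmetic behind the report, and both of the remedies the thread mentions (the reporter's "reserve enough room in the fixed buffer" and the maintainer's "build the message in a std::string"), as an added example written for this page. It is not apt's code from method/rsh.cc; the tail strings, the Sync flag and the function names are assumptions, chosen only so that the tail is the 14 bytes the report counts.

```cpp
#include <algorithm>
#include <cstdarg>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed tails, not apt's real ones: kTail is 14 bytes so the
// arithmetic matches the report; kSyncTail stands in for the extra text
// the report implies with "at least 14 more bytes".
static const char *const kTail = " 2> /dev/null\n";
static const char *const kSyncTail = " || echo failed";
static const size_t kBufSize = 512;

// Models the legacy layout described in the report: vsnprintf(S, 512 - 4, ...)
// keeps at most 507 characters, then strcat() appends the tail and a NUL.
// Returns true when that strcat would write past the 512-byte buffer.
// The overrun is computed, never performed.
bool legacyWouldOverrun(size_t formattedLen, bool sync) {
    size_t kept = std::min(formattedLen, kBufSize - 4 - 1);
    size_t tail = std::strlen(kTail) + (sync ? std::strlen(kSyncTail) : 0);
    return kept + tail + 1 > kBufSize;   // +1 for the terminating NUL
}

// Remedy in the maintainer's spirit: measure with vsnprintf(nullptr, 0, ...),
// size a std::string to fit, format into it, then append the tail. No fixed
// buffer exists, so no length of path can overrun anything.
std::string buildMsg(bool sync, const char *fmt, ...) {
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = std::vsnprintf(nullptr, 0, fmt, ap);
    va_end(ap);
    std::string out;
    if (n >= 0) {
        out.resize(static_cast<size_t>(n) + 1);          // room for the NUL
        std::vsnprintf(&out[0], out.size(), fmt, ap2);
        out.resize(static_cast<size_t>(n));               // drop the NUL again
    }
    va_end(ap2);
    if (sync) out += kSyncTail;
    out += kTail;
    return out;
}

// Remedy in the reporter's spirit: keep the fixed buffer but reserve space
// for the longest tail that will be appended, and report failure instead of
// silently truncating when the formatted text does not fit.
bool buildMsgFixed(char *S, size_t size, bool sync, const char *fmt, ...) {
    size_t tail = std::strlen(kTail) + (sync ? std::strlen(kSyncTail) : 0);
    if (size <= tail) return false;
    va_list ap;
    va_start(ap, fmt);
    int n = std::vsnprintf(S, size - tail, fmt, ap);  // leaves tail + NUL free
    va_end(ap);
    if (n < 0 || static_cast<size_t>(n) >= size - tail) return false;
    if (sync) std::strcat(S, kSyncTail);
    std::strcat(S, kTail);
    return true;
}

int main() {
    std::string longPath(500, 'a');                // constructed long URI path
    std::printf("legacy overruns with 500-char path: %s\n",
                legacyWouldOverrun(500, false) ? "yes" : "no");
    std::printf("std::string message length: %zu\n",
                buildMsg(false, "ls %s", longPath.c_str()).size());
    char S[kBufSize];
    std::printf("fixed-buffer variant accepts it: %s\n",
                buildMsgFixed(S, sizeof S, false, "ls %s", longPath.c_str()) ? "yes" : "no");
    return 0;
}
```

The threshold is the one the report implies: once the formatted part reaches 498 characters (498 + 14 + 1 = 513 > 512) the legacy strcat writes past the buffer, although vsnprintf itself stayed within its limit. The std::string variant is the one that removes the class of bug; the guarded fixed-buffer variant shows what the reporter's "- 24 or thereabouts" has to achieve to be correct, namely reserving room for every byte appended afterwards plus the NUL.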