CVE-2020-3810 out-of-bound stack reads in arfile

Bug #1878177 reported by Julian Andres Klode on 2020-05-12
Affects: apt (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

In https://github.com/Debian/apt/issues/111, an issue was discovered where apt's ar implementation performs (unbounded) out-of-bounds reads of a stack variable.

Marking this as private security for now to avoid giving it more prominence.


Julian Andres Klode (juliank) wrote :

Fixed version with test case in https://salsa.debian.org/jak/apt/-/compare/2.1.1...master

Needs a CVE

Julian Andres Klode (juliank) wrote :

This is now CVE-2020-3810

summary: - out-of-bound stack reads in arfile
+ CVE-2020-3810 out-of-bound stack reads in arfile
Julian Andres Klode (juliank) wrote :

We've also found a few related places where we print member names
without having checked them at all

arfile.cc:
return _error->Error(_("Invalid archive member header %s"), Head.Name);

extracttar.cc:
_error->Warning(_("Unknown TAR header type %u, member %s"),(unsigned)Tar->LinkFlag,Tar->Name);

We're going to fold those patches into there as well, removing the
name arguments, as they might not be nul terminated.
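
The two findings above (the unbounded read of the stack name buffer in arfile, and the unchecked `%s` of `Head.Name` and `Tar->Name` in the error paths) come down to one property of the format: ar header fields are fixed-width, space-padded and need not be nul-terminated, so a name that fills its 16-byte field has no terminator for `%s` or `strlen()` to stop at. The following is an added example written for this page, not apt's arfile.cc or any code from this report. It parses the 60-byte ar header from an in-memory buffer with every read bounded by the field width or the file length, shows the `%.*s` precision form for the rare case where a raw name really has to be logged, and walks a constructed .deb-shaped archive. The layout it assumes (8-byte magic, 60-byte header, name at offset 0 width 16, size at offset 48 width 10, a "`\n" fmag, bodies padded to even offsets) is the common ar(5) one; the sample data and all function names are this example's own.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example, not apt's code: a bounds-checked reader for the ar(5) container that .deb
 * files use. Header fields are fixed-width, space-padded and not nul-terminated, so a 16-byte
 * name that fills its field gives "%s" or strlen() nothing to stop at (the shape of the bug). */

#define AR_MAGIC    "!<arch>\n"
#define AR_HDR_LEN  60
#define AR_NAME_LEN 16

struct ar_member {
    char name[AR_NAME_LEN + 1];  /* nul-terminated copy of the name field */
    unsigned long long size;     /* declared body size */
    size_t data_off;             /* body offset within the archive */
};

/* Copy the name field into a nul-terminated buffer: bounded scan, then strip space padding and a GNU-style '/'. */
static void ar_copy_name(const unsigned char *f, char out[AR_NAME_LEN + 1]) {
    size_t len = 0;
    while (len < AR_NAME_LEN && f[len] != '\0') len++;  /* strnlen that stays inside the field */
    while (len > 0 && f[len - 1] == ' ') len--;
    if (len > 1 && f[len - 1] == '/') len--;
    memcpy(out, f, len); out[len] = '\0';
}

/* Parse a left-justified, space-padded decimal field of 'width' bytes.
 * Returns 0 on success; -1 on an empty field, a non-digit or overflow. */
static int ar_parse_dec(const unsigned char *f, size_t width, unsigned long long *out) {
    unsigned long long v = 0; size_t i = 0;
    if (width == 0 || f[0] == ' ') return -1;                /* empty field */
    for (; i < width && f[i] != ' '; i++) {
        unsigned d = f[i] - '0';
        if (d > 9 || v > (ULLONG_MAX - d) / 10) return -1;  /* non-digit or overflow */
        v = v * 10 + d;
    }
    for (; i < width; i++) if (f[i] != ' ') return -1;      /* only padding may follow */
    *out = v;
    return 0;
}

/* If a raw header must appear in a diagnostic, a precision bounds the read (apt's fix dropped the name instead). */
static int ar_describe_header(const unsigned char *h, char *msg, size_t cap) {
    return snprintf(msg, cap, "Invalid archive member header %.*s", AR_NAME_LEN, (const char *)h);
}

/* Walk the member headers of an in-memory archive, filling up to max_out entries.
 * Returns the member count, or -1 if the archive is malformed or truncated. */
static int ar_list(const unsigned char *buf, size_t len, struct ar_member *out, int max_out) {
    size_t off = 8; int n = 0;
    if (len < 8 || memcmp(buf, AR_MAGIC, 8) != 0) return -1;
    while (off < len) {
        const unsigned char *h = buf + off; unsigned long long size;
        if (len - off < AR_HDR_LEN || h[58] != '`' || h[59] != '\n') return -1;  /* short header or bad fmag */
        if (ar_parse_dec(h + 48, 10, &size) != 0) return -1;  /* size field: offset 48, width 10 */
        off += AR_HDR_LEN;
        if (size > len - off) return -1;                      /* body declared beyond end of file */
        if (n < max_out) {
            ar_copy_name(h, out[n].name);                     /* name field: offset 0, width 16 */
            out[n].size = size;
            out[n].data_off = off;
        }
        n++; off += (size_t)size;
        if (off & 1) off++;                                   /* bodies are padded to even offsets */
    }
    return n;
}

/* Constructed test data: append one member (header laid out as ar(1) writes it, body, pad). */
static void add_member(unsigned char *buf, size_t *off, const char *name, const char *body, size_t n) {
    unsigned char *h = buf + *off; char num[11];
    int k = snprintf(num, sizeof num, "%zu", n);
    memset(h, ' ', AR_HDR_LEN);                               /* unused fields stay as padding */
    memcpy(h, name, strlen(name) > AR_NAME_LEN ? AR_NAME_LEN : strlen(name));
    memcpy(h + 48, num, (size_t)k);
    h[58] = '`'; h[59] = '\n'; *off += AR_HDR_LEN;
    memcpy(buf + *off, body, n); *off += n;
    if (*off & 1) buf[(*off)++] = '\n';                       /* pad body to even offset */
}

/* Constructed .deb-shaped archive: odd-size second member (pad byte follows), unterminated 16-byte last name. */
static size_t build_sample(unsigned char *buf) {
    size_t off = 8;
    memcpy(buf, AR_MAGIC, 8);
    add_member(buf, &off, "debian-binary", "2.0\n", 4);
    add_member(buf, &off, "control.tar.xz", "CONTROL", 7);
    add_member(buf, &off, "0123456789abcdef", "xyz", 3);
    return off;                                               /* 204 bytes */
}

/* Parse the sample archive, cut short by 'drop' bytes: drop = 0 yields 3 members; drop = 2
 * makes the last body extend past EOF, so the size check returns -1 instead of reading on. */
int demo_parse(size_t drop, struct ar_member *out, int max_out) {
    unsigned char buf[256];
    size_t len = build_sample(buf);
    return ar_list(buf, len - drop, out, max_out);
}
```

Build with `cc -std=c99 -Wall` and call `demo_parse(0, members, 4)`; it returns 3 and fills the members, with the last name reported as exactly 16 characters even though the field has no terminator. The point worth carrying over to any fixed-width format (the tar header in extracttar.cc has the same 100-byte name field) is that a raw field is never handed to a function that scans for a nul: it is either copied with an explicit length into a buffer that gets its own terminator, or printed with a precision that bounds the read.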

Julian Andres Klode (juliank) wrote :

attached bionic diff, passed CI

Julian Andres Klode (juliank) wrote :

Waiting for CI results for eoan, focal, and xenial atm.

Julian Andres Klode (juliank) wrote :

I forgot to run update-maintainer in the bionic.diff, which CI does not test (:/). But I updated it locally, and you can just run update-maintainer too before uploading it, as it will tell you.

Julian Andres Klode (juliank) wrote :

This needs some seding on the diff, except for xenial I suppose

's#${BUILDDIRECTORY}/../test/interactive-helper#${APTTESTHELPERSBINDIR}#g'

The CI, where the test passed, are running them in-tree; whereas autopkgtest runs them as-installed, which means they look at different paths.

So we know from the CI the fix is fine, but autopkgtest can't find the binary to run to validate the same. If only CI were running autopkgtest :(

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.0.2ubuntu0.1

---------------
apt (2.0.2ubuntu0.1) focal-security; urgency=high

  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - CVE-2020-3810

 -- Julian Andres Klode <email address hidden> Tue, 12 May 2020 22:02:05 +0200

Changed in apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.9.4ubuntu0.1

---------------
apt (1.9.4ubuntu0.1) eoan-security; urgency=high

  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - CVE-2020-3810

 -- Julian Andres Klode <email address hidden> Tue, 12 May 2020 22:04:30 +0200

Changed in apt (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.6.12ubuntu0.1

---------------
apt (1.6.12ubuntu0.1) bionic-security; urgency=high

  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - CVE-2020-3810

 -- Julian Andres Klode <email address hidden> Tue, 12 May 2020 20:03:44 +0200

Changed in apt (Ubuntu):
status: New → Fix Released
Alex Murray (alexmurray) on 2020-05-14
information type: Private Security → Public Security