CVE-2020-3810 out-of-bound stack reads in arfile

Bug #1878177 reported by Julian Andres Klode
Affects: apt (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

In https://github.com/Debian/apt/issues/111, an issue was discovered where apt's ar implementation performs (unbound) out of bound reads of a stack variable.

Marking this as private security for now to avoid giving it more prominence.

CVE References: CVE-2020-3810

Revision history for this message
Julian Andres Klode (juliank) wrote :

Fixed version with test case in https://salsa.debian.org/jak/apt/-/compare/2.1.1...master

Needs a CVE

Revision history for this message
Julian Andres Klode (juliank) wrote :

This is now CVE-2020-3810

summary changed: "out-of-bound stack reads in arfile" → "CVE-2020-3810 out-of-bound stack reads in arfile"
Revision history for this message
Julian Andres Klode (juliank) wrote :

We've also found a few related places where we print member names
without having checked them at all

arfile.cc:
return _error->Error(_("Invalid archive member header %s"), Head.Name);

extracttar.cc:
_error->Warning(_("Unknown TAR header type %u, member %s"),(unsigned)Tar->LinkFlag,Tar->Name);

We're going to fold those patches into there as well, removing the
name arguments, as they might not be nul terminated.
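
Both defects discussed in this thread, the unbounded scan over the fixed-width ar name field (the CVE-2020-3810 bug itself) and the unchecked "%s" of a member name in the arfile.cc and extracttar.cc error paths, come from treating space-padded, unterminated header fields as C strings. The following is an added example, not apt's arfile.cc or extracttar.cc code, showing how a 60-byte ar(5) member header is parsed with every read bounded: the name-length loop tests the index before decrementing it, the size field is copied into a terminated scratch buffer before strtoull, and diagnostics quote the name with an explicit "%.*s" length. The header layout is the standard ar(5) format; the struct, function names and the constructed test headers are this example's own assumptions.

```c
/* Added example, not apt's code: bounds-checked parsing of the 60-byte ar(5)
 * member header (16-byte name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, 2 magic).
 * Fields are space-padded and none is NUL-terminated, so an unchecked scan or a
 * plain "%s" of the name field reads past the header on the stack. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AR_HDR_SIZE  60
#define AR_NAME_LEN  16
#define AR_SIZE_OFF  48
#define AR_SIZE_LEN  10
#define AR_MAGIC_OFF 58

struct ar_member {
    char   name[AR_NAME_LEN + 1]; /* copy of the name, always NUL-terminated */
    size_t size;                  /* member size in bytes */
};

/* Name length after stripping trailing pad spaces. The index is tested before
 * it is decremented, so an all-space field yields 0 instead of the walk below
 * the start of the array that an unbounded loop would perform. */
static size_t ar_name_len(const char *name)
{
    size_t len = AR_NAME_LEN;
    while (len > 0 && name[len - 1] == ' ')
        len--;
    return len;
}

/* The size field is decimal, space-padded and unterminated: copy it into a
 * terminated scratch buffer before handing it to strtoull. */
static int ar_parse_size(const char *field, size_t *out)
{
    char tmp[AR_SIZE_LEN + 1], *end;
    memcpy(tmp, field, AR_SIZE_LEN);
    tmp[AR_SIZE_LEN] = '\0';
    errno = 0;
    unsigned long long v = strtoull(tmp, &end, 10);
    if (errno != 0 || end == tmp)
        return -1;
    for (; *end != '\0'; end++) /* only pad spaces may follow the digits */
        if (*end != ' ')
            return -1;
    *out = (size_t)v;
    return 0;
}

/* Returns 0 on success, -1 on a malformed header. Diagnostics quote the name
 * with an explicit length ("%.*s"), never with "%s": the field has no NUL. */
int ar_parse_header(const char *hdr, size_t hdr_len, struct ar_member *m,
                    char *err, size_t err_len)
{
    if (hdr_len < AR_HDR_SIZE) {
        snprintf(err, err_len, "Short archive member header (%zu bytes)", hdr_len);
        return -1;
    }
    size_t n = ar_name_len(hdr);
    if (hdr[AR_MAGIC_OFF] != '`' || hdr[AR_MAGIC_OFF + 1] != '\n') {
        snprintf(err, err_len, "Invalid archive member header %.*s", (int)n, hdr);
        return -1;
    }
    if (n > 0 && hdr[n - 1] == '/') /* GNU ar marks the end of a name with '/' */
        n--;
    memcpy(m->name, hdr, n);
    m->name[n] = '\0';
    if (ar_parse_size(hdr + AR_SIZE_OFF, &m->size) != 0) {
        snprintf(err, err_len, "Invalid size field for member %.*s", (int)n, hdr);
        return -1;
    }
    return 0;
}

/* Constructed header for the scenarios below; not taken from a real archive. */
static void build_hdr(char *hdr, const char *name, const char *size, int good_magic)
{
    memset(hdr, ' ', AR_HDR_SIZE);
    memcpy(hdr, name, strlen(name));
    memcpy(hdr + AR_SIZE_OFF, size, strlen(size));
    hdr[AR_MAGIC_OFF] = good_magic ? '`' : 'X';
    hdr[AR_MAGIC_OFF + 1] = '\n';
}

/* Returns 1 if a constructed header with this name and size field parses to
 * the expected member name and size, 0 otherwise. */
int parses_to(const char *name, const char *size, const char *want_name, size_t want_size)
{
    char hdr[AR_HDR_SIZE], err[128];
    struct ar_member m;
    build_hdr(hdr, name, size, 1);
    return ar_parse_header(hdr, sizeof hdr, &m, err, sizeof err) == 0
        && strcmp(m.name, want_name) == 0 && m.size == want_size;
}

/* All-space name plus bad magic: the error path must neither scan below the
 * name field nor print past it. Returns 1 if the diagnostic quotes an empty name. */
int all_spaces_error_is_bounded(void)
{
    char hdr[AR_HDR_SIZE], err[128];
    struct ar_member m;
    build_hdr(hdr, "", "0", 0);
    return ar_parse_header(hdr, sizeof hdr, &m, err, sizeof err) == -1
        && strcmp(err, "Invalid archive member header ") == 0;
}
```

The all-space name is the interesting input: a loop that strips padding by walking backwards until it finds a non-space has no non-space to stop at, so without the `len > 0` test it keeps reading below the 16-byte field into whatever sits before it on the stack. The same `ar_name_len` result feeds the `%.*s` in both error messages, which is what makes printing the name safe even when all 16 bytes are used.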

Revision history for this message
Julian Andres Klode (juliank) wrote :

attached bionic diff, passed CI

Revision history for this message
Julian Andres Klode (juliank) wrote :

Waiting for CI results for eoan, focal, and xenial atm.

Revision history for this message
Julian Andres Klode (juliank) wrote :

I forgot to run update-maintainer in the bionic.diff, which CI does not test (:/). But I updated it locally, and you can just run update-maintainer too before uploading it, as it will tell you.

Revision history for this message
Julian Andres Klode (juliank) wrote :

This needs some seding on the diff, except for xenial I suppose

's#${BUILDDIRECTORY}/../test/interactive-helper#${APTTESTHELPERSBINDIR}#g'

The CI, where the test passed, are running them in-tree; whereas autopkgtest runs them as-installed, which means they look at different paths.

So we know from the CI the fix is fine, but autopkgtest can't find the binary to run to validate the same. If only CI were running autopkgtest :(

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 2.0.2ubuntu0.1

---------------
apt (2.0.2ubuntu0.1) focal-security; urgency=high

  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - CVE-2020-3810

 -- Julian Andres Klode <email address hidden> Tue, 12 May 2020 22:02:05 +0200

Changed in apt (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.9.4ubuntu0.1

---------------
apt (1.9.4ubuntu0.1) eoan-security; urgency=high

  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - CVE-2020-3810

 -- Julian Andres Klode <email address hidden> Tue, 12 May 2020 22:04:30 +0200

Changed in apt (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 1.6.12ubuntu0.1

---------------
apt (1.6.12ubuntu0.1) bionic-security; urgency=high

  * SECURITY UPDATE: Out of bounds read in ar, tar implementations (LP: #1878177)
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read in member name
    - apt-pkg/contrib/arfile.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - apt-pkg/contrib/extracttar.cc: Fix out-of-bounds read on unterminated
      member names in error path
    - CVE-2020-3810

 -- Julian Andres Klode <email address hidden> Tue, 12 May 2020 20:03:44 +0200

Changed in apt (Ubuntu):
status: New → Fix Released
Alex Murray (alexmurray)
information type: Private Security → Public Security