dpkg / dpkg-deb segfault -- possible format string bug/vuln?
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dpkg (Debian) | Fix Released | Unknown | |
dpkg (Ubuntu) | Fix Released | Low | Unassigned |
Bug Description
When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
Example of control file:
Package: backup
Architecture: el%sion:-1
Description: script
Here's a gdb backtrace:
(gdb) run --build ./
Starting program: /root/srcs/
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff763f061 in _IO_vfprintf_
1630 vfprintf.c: No such file or directory.
(gdb) bt
#0 0x00007ffff763f061 in _IO_vfprintf_
#1 0x00007ffff76670f2 in _IO_vsnprintf (
string=
maxlen=
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:
#3 0x0000000000423fa7 in parse_warn (ps=0x7fffffffddc0, fmt=0x44a680 "'%s' is not a valid architecture name: %s") at parsehelp.c:75
#4 0x000000000043b38c in f_architecture (pigp=0x7ffffff
#5 0x000000000041eb65 in pkg_parse_field (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_obj=
#6 0x00000000004222e9 in parse_stanza (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_field=
#7 0x0000000000422843 in parsedb (filename=0x665120 ".//DEBIAN/
#8 0x0000000000404661 in check_new_pkg (dir=0x7fffffffe3e7 "./") at build.c:335
#9 0x0000000000405274 in do_build (argv=0x7ffffff
#10 0x000000000040e566 in main (argc=3, argv=0x7fffffff
#11 0x00007ffff761576d in __libc_start_main (main=0x40e37a <main>, argc=3, ubp_av=
#12 0x00000000004025a9 in _start ()
(gdb) up 2
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:
392 vsnprintf(buf, sizeof(buf), fmt, args);
Unsure if it's a vulnerability or not. If it is, could I get a CVE-ID?
Thanks
information type: Public → Public Security
Changed in dpkg (Debian):
  status: Unknown → New
Changed in dpkg (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
Changed in dpkg (Debian):
  status: New → Fix Committed
Changed in dpkg (Ubuntu):
  importance: Medium → Low
Changed in dpkg (Debian):
  status: Fix Committed → Fix Released
Changed in dpkg (Ubuntu):
  status: Triaged → Fix Released
Yeah, just double-checked and it does seem to be a format string vulnerability.
# cat DEBIAN/control
Package: backup
Architecture: %s
Description: script
0 0j 11:13:14 (root@limehost) /var/tmp/ok # ~/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
Segmentation fault
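Added example (not code from dpkg, and not posted by either participant above): a small C model of the call shape the backtrace in the report shows. Frame #3 (parse_warn) receives a literal format, but frame #2 (warningv) receives a string that already has the file name and the package identifier spliced into it, and that string is what reaches vsnprintf as its format. Since the package identifier carries the Architecture value from the control file, a `%` in that field becomes a conversion directive. The struct and function names below (`parse_state`, `warningv_into`, `parse_warn_vuln`, `parse_warn_safe`, `count_format_directives`, `name_survives`) are this example's own stand-ins, not dpkg's; the control-file values are constructed from the report. The probe deliberately uses `%%`, the one directive that consumes no argument, so the vulnerable path stays well defined while still proving the name is being interpreted; a real `%s` reads a bogus argument (the SIGSEGV in the report) and `%n` would write.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the parser state the backtrace calls "ps";
 * field names are this example's, not dpkg's. */
struct parse_state {
    const char *filename;
    int lineno;
    const char *pkg_name;   /* shown as "name:arch", so it carries the Architecture value */
};

/* Same shape as the warningv() frame in the backtrace: the string the
 * caller hands over is used as the vsnprintf FORMAT. */
static void warningv_into(char *out, size_t outlen, const char *fmt, va_list args)
{
    vsnprintf(out, outlen, fmt, args);
}

/* VULNERABLE shape: the prefix, including the package identifier taken from
 * the control file, is spliced into the format string handed to warningv().
 * Every '%' in pkg_name is now a directive. */
static void parse_warn_vuln(char *out, size_t outlen,
                            const struct parse_state *ps, const char *fmt, ...)
{
    char newfmt[1024];
    va_list args;

    snprintf(newfmt, sizeof newfmt,
             "parsing file '%s' near line %d package '%s':\n %s",
             ps->filename, ps->lineno, ps->pkg_name, fmt);

    va_start(args, fmt);
    warningv_into(out, outlen, newfmt, args);   /* BUG: newfmt contains untrusted text */
    va_end(args);
}

/* HARDENED shape: expand the caller's literal format first, then pass every
 * untrusted string only as a %s ARGUMENT to a fixed, literal format. */
static void parse_warn_safe(char *out, size_t outlen,
                            const struct parse_state *ps, const char *fmt, ...)
{
    char msg[512];
    va_list args;

    va_start(args, fmt);
    vsnprintf(msg, sizeof msg, fmt, args);
    va_end(args);

    snprintf(out, outlen,
             "parsing file '%s' near line %d package '%s':\n %s",
             ps->filename, ps->lineno, ps->pkg_name, msg);
}

/* Triage helper: count conversion directives ('%' not written as "%%").
 * Any non-zero count for a string that reaches a format parameter is the bug. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Probe one path with a constructed package identifier "backup:a%%b".
 * Returns 1 if the identifier reached the output verbatim, 0 if vsnprintf
 * interpreted it (the "%%" collapsed to a single "%"). */
static int name_survives(int hardened)
{
    char out[2048];
    const char *bad_arch = "a%%b";                                   /* constructed input */
    struct parse_state ps = { ".//DEBIAN/control", 2, "backup:a%%b" };
    const char *fmt = "'%s' is not a valid architecture name: %s";   /* literal from frame #3 */

    if (hardened)
        parse_warn_safe(out, sizeof out, &ps, fmt, bad_arch, "constructed");
    else
        parse_warn_vuln(out, sizeof out, &ps, fmt, bad_arch, "constructed");

    return strstr(out, "package 'backup:a%%b'") != NULL;
}

int main(void)
{
    printf("directives in \"el%%sion:-1\": %d\n", count_format_directives("el%sion:-1"));
    printf("vulnerable path keeps name verbatim: %d\n", name_survives(0));
    printf("hardened path keeps name verbatim:   %d\n", name_survives(1));
    return 0;
}
```

The fix pattern is the only one that scales: a varargs wrapper must expand the caller's literal format into a buffer and then feed that buffer, and anything derived from input, to a fixed format as `%s`. Building a new format string by string-splicing is wrong even when the spliced text looks harmless, because the set of strings that can reach it is decided by whoever writes the control file.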