From 1e8665c7c01a5db54d057de89b18152af605d8b9 Mon Sep 17 00:00:00 2001 From: Guillem Jover Date: Fri, 7 Nov 2014 20:49:26 +0100 Subject: [PATCH] libdpkg: Escape package and architecture on control file parsing warning The package name and architecture are injected into a string that is used as a format string. Because these are user controlled, we need to format-escape them so that they become inert. Regression introduced in commit 0b8652b226a7601dfd71471797d15168a7337242. Fixes: CVE-2014-8625 Closes: #768485 --- lib/dpkg/parsehelp.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c index d9a574e..9e1d624 100644 --- a/lib/dpkg/parsehelp.c +++ b/lib/dpkg/parsehelp.c @@ -44,11 +44,14 @@ parse_error_msg(struct parsedb_state *ps, const char *fmt) str_escape_fmt(filename, ps->filename, sizeof(filename)); - if (ps->pkg && ps->pkg->set->name) + if (ps->pkg && ps->pkg->set->name) { + char pkgname[256]; + + str_escape_fmt(pkgname, pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), + sizeof(pkgname)); sprintf(msg, _("parsing file '%.255s' near line %d package '%.255s':\n" - " %.255s"), filename, ps->lno, - pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), fmt); - else + " %.255s"), filename, ps->lno, pkgname, fmt); + } else sprintf(msg, _("parsing file '%.255s' near line %d:\n" " %.255s"), filename, ps->lno, fmt); -- 2.1.3