authorGuillem Jover <guillem@debian.org>2014-11-07 20:49:26 +0100
committerGuillem Jover <guillem@debian.org>2014-11-22 18:46:17 +0100
commit446f11df6302716c2a1f993761ee54ecb44d42bb (patch)
tree25138ea90cd48777a6e456bc8cd4d41789164316
parentb89caa796ac54ca86db33c6b06e72a122975bf0e (diff)
libdpkg: Escape package and architecture on control file parsing warning
The package and architecture names are injected into a variable that is used as a format string. Because these are user-controlled, we need to format-escape them so that they become inert. Regression introduced in commit 3be2cf607868adb9a2c0e5af06f20168a072eeb6. Fixes: CVE-2014-8625 Closes: #768485 Reported-by: Joshua Rogers <megamansec@gmail.com>
-rw-r--r--debian/changelog5
-rw-r--r--lib/dpkg/parsehelp.c11
2 files changed, 12 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index e5f6955db..a1cad38a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,11 @@ dpkg (1.17.22) UNRELEASED; urgency=low
so this got removed prematurely.
* Add Breaks on old man-db, fontconfig and readahead-fedora packages using
awaiting triggers, as they produce trigger cycles. Closes: #768599
+ * Escape package and architecture names on control file parsing warning,
+ as those get injected into a variable that is used as a format string,
+ and they come from the package fields, which are under user control.
+ Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
+ Reported by Joshua Rogers <megamansec@gmail.com>.
[ Updated programs translations ]
* German (Sven Joachim).
diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c
index e091f6723..3537de1fb 100644
--- a/lib/dpkg/parsehelp.c
+++ b/lib/dpkg/parsehelp.c
@@ -44,11 +44,14 @@ parse_error_msg(struct parsedb_state *ps, const char *fmt)
str_escape_fmt(filename, ps->filename, sizeof(filename));
- if (ps->pkg && ps->pkg->set->name)
+ if (ps->pkg && ps->pkg->set->name) {
+ char pkgname[256];
+
+ str_escape_fmt(pkgname, pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig),
+ sizeof(pkgname));
sprintf(msg, _("parsing file '%.255s' near line %d package '%.255s':\n"
- " %.255s"), filename, ps->lno,
- pkgbin_name(ps->pkg, ps->pkgbin, pnaw_nonambig), fmt);
- else
+ " %.255s"), filename, ps->lno, pkgname, fmt);
+ } else
sprintf(msg, _("parsing file '%.255s' near line %d:\n"
" %.255s"), filename, ps->lno, fmt);