dpkg: CVE-2014-8625: format string vulnerability


Debian Bug report logs - #768485

Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Fri, 7 Nov 2014 18:45:02 UTC

Severity: normal

Tags: security

Found in versions dpkg/1.17.21, dpkg/1.16.2

Fixed in version dpkg/1.17.22

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#768485; Package dpkg. (Fri, 07 Nov 2014 18:45:07 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dpkg: format string vulnerability
Date: Fri, 7 Nov 2014 19:42:29 +0100
Package: dpkg
Version: 1.17.21
Tags: security

# dpkg --dry-run -i printfvuln.deb
dpkg: warning: parsing file '/tmp/dpkg.bgGIF3/control' near line 3 package 'printfvuln':
 '%42$d' is not a valid architecture name: must start with an alphanumeric
*** invalid %N$ use detected ***
Aborted


This was originally reported in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135

-- 
Jakub Wilk
[printfvuln.deb (application/vnd.debian.binary-package, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#768485; Package dpkg. (Fri, 07 Nov 2014 19:51:21 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Fri, 07 Nov 2014 19:51:21 GMT)


Message #8 received at 768485@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 768485@bugs.debian.org
Subject: Re: Bug#768485: dpkg: format string vulnerability
Date: Fri, 7 Nov 2014 20:47:26 +0100
Control: found -1 1.16.2

Hi!

On Fri, 2014-11-07 at 19:42:29 +0100, Jakub Wilk wrote:
> Package: dpkg
> Version: 1.17.21
> Tags: security

> # dpkg --dry-run -i printfvuln.deb
> dpkg: warning: parsing file '/tmp/dpkg.bgGIF3/control' near line 3 package 'printfvuln':
>  '%42$d' is not a valid architecture name: must start with an alphanumeric
> *** invalid %N$ use detected ***
> Aborted
> 
> 
> This was originally reported in Ubuntu:
> https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135

Nicely spotted! And thanks for the report, I've fixed it now locally
and it will be included in the next 1.17.x release. I'll be preparing
fixed packages for stable too.

Regards,
Guillem



Marked as found in versions dpkg/1.16.2. Request was from Guillem Jover <guillem@debian.org> to 768485-submit@bugs.debian.org. (Fri, 07 Nov 2014 19:51:21 GMT)


Changed Bug title to 'dpkg: CVE-2014-8625: format string vulnerability' from 'dpkg: format string vulnerability'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Nov 2014 04:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#768485; Package dpkg. (Sun, 09 Nov 2014 14:03:10 GMT)


Acknowledgement sent to Joshua Rogers <megamansec@gmail.com>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Sun, 09 Nov 2014 14:03:10 GMT)


Message #17 received at 768485@bugs.debian.org:

From: Joshua Rogers <megamansec@gmail.com>
To: 768485@bugs.debian.org
Subject: Re: Bug#768485: dpkg: format string vulnerability
Date: Mon, 10 Nov 2014 01:00:56 +1100
On 08/11/14 06:47, Guillem Jover wrote:
> Nicely spotted! And thanks for the report, I've fixed it now locally
> and it will be included in the next 1.17.x release. I'll be preparing
> fixed packages for stable too. 
Hi Guillem,

Could you provide a patch for this bug via email?


Thanks

-- 
-- Joshua Rogers <https://internot.info/>


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#768485; Package dpkg. (Tue, 11 Nov 2014 01:27:05 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Tue, 11 Nov 2014 01:27:05 GMT)


Message #22 received at 768485@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Joshua Rogers <megamansec@gmail.com>, 768485@bugs.debian.org
Cc: Jakub Wilk <jwilk@debian.org>
Subject: Re: Bug#768485: dpkg: format string vulnerability
Date: Tue, 11 Nov 2014 02:23:54 +0100
Hi!

On Mon, 2014-11-10 at 01:00:56 +1100, Joshua Rogers wrote:
> On 08/11/14 06:47, Guillem Jover wrote:
> > Nicely spotted! And thanks for the report, I've fixed it now locally
> > and it will be included in the next 1.17.x release. I'll be preparing
> > fixed packages for stable too. 

> Could you provide a patch for this bug via email?

Sure, attached the patch that I'll be using in principle for the
stable update (being coordinated with the security team separately).

BTW Jakub, did you find this in parallel, or simply relied on the bug
filed in Launchpad? Just to give proper attribution; and if the latter,
it is appreciated as much, as otherwise I'd not have noticed.

Regards,
Guillem
[0001-libdpkg-Escape-package-and-architecture-on-control-f.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#768485; Package dpkg. (Tue, 11 Nov 2014 08:12:07 GMT)


Message #25 received at 768485@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 768485@bugs.debian.org
Cc: Joshua Rogers <megamansec@gmail.com>
Subject: Re: Bug#768485: dpkg: format string vulnerability
Date: Tue, 11 Nov 2014 09:09:20 +0100
* Guillem Jover <guillem@debian.org>, 2014-11-11, 02:23:
>BTW Jakub, did you find this in parallel, or simply relied on the bug 
>filed in Launchpad?

The latter; all credit goes to Joshua.

-- 
Jakub Wilk



Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Wed, 26 Nov 2014 20:18:37 GMT)


Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#768485. (Wed, 26 Nov 2014 20:19:12 GMT)


Message #30 received at 768485-submitter@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 768485-submitter@bugs.debian.org
Subject: Bug#768485 marked as pending
Date: Wed, 26 Nov 2014 20:14:55 +0000
tag 768485 pending
thanks

Hello,

Bug #768485 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=dpkg/dpkg.git;a=commitdiff;h=446f11d

---
commit 446f11df6302716c2a1f993761ee54ecb44d42bb
Author: Guillem Jover <guillem@debian.org>
Date:   Fri Nov 7 20:49:26 2014 +0100

    libdpkg: Escape package and architecture on control file parsing warning
    
    The package and architecture names are injected into a variable that is
    used as a format string. Because these are user controlled, we need to
    format-escape them so that they become inert.
    
    Regression introduced in commit 3be2cf607868adb9a2c0e5af06f20168a072eeb6.
    
    Fixes: CVE-2014-8625
    Closes: #768485
    Reported-by: Joshua Rogers <megamansec@gmail.com>

diff --git a/debian/changelog b/debian/changelog
index e5f6955..a1cad38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,11 @@ dpkg (1.17.22) UNRELEASED; urgency=low
     so this got removed prematurely.
   * Add Breaks on old man-db, fontconfig and readahead-fedora packages using
     awaiting triggers, as they produce trigger cycles. Closes: #768599
+  * Escape package and architecture names on control file parsing warning,
+    as those get injected into a variable that is used as a format string,
+    and they come from the package fields, which are under user control.
+    Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
+    Reported by Joshua Rogers <megamansec@gmail.com>.
 
   [ Updated programs translations ]
   * German (Sven Joachim).
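Review bot: this hunk only adds the changelog entry; the libdpkg change it describes (escaping the package and architecture names before the warning text is used as a format string) is not part of this diff, so the fix itself cannot be reviewed here and has to be read from commit 446f11d via the commitdiff link above. It would also help to state the regression point consistently: the entry says "Regression introduced in dpkg 1.16.0" while the commit message above attributes it to commit 3be2cf607868adb9a2c0e5af06f20168a072eeb6; citing both the release and the commit in the entry lets stable maintainers confirm which versions need the update.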

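As an added illustration of the pattern the commit message describes (this is not dpkg's code; fmt_escape, count_directives, warn_fmt and arch_warning are hypothetical names), the warning text is assembled from a user-controlled package field and then handed to a printf-style sink, and the fix neutralises it by doubling every '%' before injection; a directive count is added as a defensive check that refuses any text that is not inert.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Double every '%' so s is inert as a printf format: the idea of the dpkg fix.
 * Every name in this file is hypothetical, not libdpkg's own API. */
char *fmt_escape(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) n += (*p == '%') ? 2 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++)
        if ((*q++ = *p) == '%') *q++ = '%';
    *q = '\0';
    return out;
}
/* Count live directives: a '%' not followed by '%'. Non-zero on text built
 * from package fields is the CVE-2014-8625 condition. */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++)
        if (*p == '%') { if (p[1] == '%') p++; else n++; }  /* "%%" is literal */
    return n;
}
/* Sink that uses its argument as the format string, like the variable the
 * vulnerable control-file parser passed its warning text through. */
static void warn_fmt(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
}
/* Build the architecture warning with the name raw (escape == 0, pre-fix) or
 * escaped; *live gets the directive count, and only inert text reaches the sink. */
const char *arch_warning(const char *arch, int escape, int *live)
{
    static char out[256];
    char msg[256], *esc = escape ? fmt_escape(arch) : NULL;
    snprintf(msg, sizeof msg, "'%s' is not a valid architecture name: "
             "must start with an alphanumeric", esc ? esc : arch);
    free(esc);
    *live = count_directives(msg);
    if (*live == 0) warn_fmt(out, sizeof out, msg);  /* inert, so safe */
    else snprintf(out, sizeof out, "refused: %d live directive(s)", *live);
    return out;
}
```

With the raw injection the '%42$d' name from the report survives as a live directive and is refused; with escaping it reaches the sink as "%%42$d" and prints back as the literal name.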


Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Fri, 28 Nov 2014 03:21:32 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Fri, 28 Nov 2014 03:21:32 GMT)


Message #35 received at 768485-close@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: 768485-close@bugs.debian.org
Subject: Bug#768485: fixed in dpkg 1.17.22
Date: Fri, 28 Nov 2014 03:19:16 +0000
Source: dpkg
Source-Version: 1.17.22

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768485@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 28 Nov 2014 02:02:34 +0100
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source all
Version: 1.17.22
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 752123 766724 766758 767573 767918 767934 768485 768599 768852 769119 769211 769843 770280 771237 771255 771256
Changes:
 dpkg (1.17.22) unstable; urgency=low
 .
   [ Guillem Jover ]
   * Add version introducing --ctrl-tarfile in dpkg-deb(1) man page.
   * Bump minimal version for dir_to_symlink and symlink_to_dir commands
     to 1.17.14 in dpkg-maintscript-helper(1) man page. Closes: #769843
   * Reintroduce update-alternatives, dpkg-divert and dpkg-statoverride
     compatibility symlinks under /usr/sbin/. There are still packages
     using those paths, but the relevant lintian check did not list any,
     so this got removed prematurely.
   * Add Breaks on old man-db, fontconfig and readahead-fedora packages using
     awaiting triggers, as they produce trigger cycles. Closes: #768599
   * Escape package and architecture names on control file parsing warning,
     as those get injected into a variable that is used as a format string,
     and they come from the package fields, which are under user control.
     Regression introduced in dpkg 1.16.0. Fixes CVE-2014-8625. Closes: #768485
     Reported by Joshua Rogers <megamansec@gmail.com>.
   * Do not match partial field names in control files. Closes: #769119
     Regression introduced in dpkg 1.10.
   * Fix build on Mac OS X. Regression introduced in dpkg 1.17.11.
     Reported by Dominyk Tiller <dominyktiller@gmail.com>.
   * Normalize tar entry uid and gid from the current system only in dpkg
     unpack. Regression introduced in dpkg 1.17.14. Closes: #769211
   * Restore multiple processing instances check for packages and archives
     specified on the command-line. Regression introduced in dpkg 1.17.20.
   * Fail on trigger processing when it is required to progress. Trigger
     processing is sometimes required and sometimes opportunistic, and we
     should only fail on the former but ignore the latter. Closes: #768852
   * Do not ignore trigger cycles for direct dependencies, these are just
     normal trigger cycles, and as such should not be special cased.
   * Register all pending triggers for deferred processing when being called
     as «dpkg --configure pkgname…». This is a mostly conformant workaround
     for frontends like apt that do not correctly call «dpkg --configure -a»
     or «dpkg --triggers-only -a» after their normal runs, and leave packages
     in triggers-pending and triggers-awaited states. Closes: #766758
 .
   [ Updated programs translations ]
   * Catalan (Guillem Jover).
   * Danish (Joe Dalton).
   * French (Sébastien Poher).
   * German (Sven Joachim).
   * Japanese (Kenshi Muto). Closes: #771255
   * Polish (Łukasz Dulny).
   * Simplified Chinese (Zhou Mo). Closes: #766724, #770280
   * Swedish (Peter Krefting).
   * Turkish (Mert Dirik).
   * Vietnamese (Trần Ngọc Quân)
 .
   [ Updated scripts translations ]
   * French (Sébastien Poher).
   * German (Helge Kreutzmann).
   * Swedish (Peter Krefting).
 .
   [ Updated manpages translations ]
   * French (Sébastien Poher). Closes: #767934
   * German (Helge Kreutzmann). Closes: #752123
   * Simplified Chinese (Zhou Mo). Closes: #767573
   * Swedish (Peter Krefting).
 .
   [ Updated dselect translations ]
   * Danish (Joe Dalton).
   * Dutch (Frans Spiesschaert). Closes: #771237
   * French (Sébastien Poher). Closes: #767918
   * Japanese (Kenshi Muto). Closes: #771256
   * Swedish (Peter Krefting).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 19 Jan 2015 07:31:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:10:37 2019; Machine Name: buxtehude
