Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.1.8 2020-05-18T13:55:36Z 2020-05-18T13:55:36Z David Kalnischkies david@kalnischkies.de 2020-05-15T11:29:36Z urn:sha1:19790db8900bc9baac29cf58600152997a8ecef8 The variable this is read to is named Junk and that it is for usecases like apt-ftparchive which just looks at the items metadata, so instead of performing this hunked read for data nobody will process we just tell our FileFd to skip ahead (Internally it might still loop over the data depending on which compressor is involved). 2020-05-18T13:55:36Z David Kalnischkies david@kalnischkies.de 2020-05-13T21:01:38Z urn:sha1:5534bb3ad346ef4435e6fd0fe326771a4bde16a1 With FileFd::Write we already have a helper for this situation we can just make use of here instead of hoping for the best or rolling our own solution here. 2020-05-12T16:55:55Z Julian Andres Klode julian.klode@canonical.com 2020-05-12T09:49:09Z urn:sha1:dceb1e49e4b8e4dadaf056be34088b415939cda6 When normalizing ar member names by removing trailing whitespace and slashes, an out-out-bound read can be caused if the ar member name consists only of such characters, because the code did not stop at 0, but would wrap around and continue reading from the stack, without any limit. Add a check to abort if we reached the first character in the name, effectively rejecting the use of names consisting just of slashes and spaces. Furthermore, certain error cases in arfile.cc and extracttar.cc have included member names in the output that were not checked at all and might hence not be nul terminated, leading to further out of bound reads. Fixes Debian/apt#111 LP: #1878177 2019-05-06T10:14:04Z Julian Andres Klode julian.klode@canonical.com 2019-05-06T09:40:08Z urn:sha1:dfe2511e31f232a8a8880eba40af40d1deb0e49c