Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.9.0 2024-02-20T12:49:04Z 2024-02-20T12:49:04Z Julian Andres Klode julian.klode@canonical.com 2024-02-20T12:43:08Z urn:sha1:40a75722c43ae24cb9a99d6730a3b25b65819c49 This was automated with sed and git-clang-format, and then I had to fix up the top of policy.cc by hand as git-clang-format accidentally indented it by two spaces. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-05T18:55:30Z urn:sha1:df81895bce764dd02fbb4d67b92d28a730b5281f The integer overflow was detected by DonKult who added a check like this: (std::numeric_limits<decltype(Itm.Size)>::max() - (2 * sizeof(Block))) Which deals with the code as is, but also still is a fairly big limit, and could become fragile if we change the code. Let's limit our file sizes to 128 GiB, which should be sufficient for everyone. Original comment by DonKult: The code assumes that it can add sizeof(Block)-1 to the size of the item later on, but if we are close to a 64bit overflow this is not possible. Fixing this seems too complex compared to just ensuring there is enough room left given that we will have a lot more problems the moment we will be acting on files that large as if the item is that large, the (valid) tar including it probably doesn't fit in 64bit either. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-04T11:37:19Z urn:sha1:822db13d68658a1a20df2d19c688c18faa331616 Tarballs have long names and long link targets structured by a special tar header with a GNU extension followed by the actual content (padded to 512 bytes). Essentially, think of a name as a special kind of file. The limit of a file size in a header is 12 bytes, aka 10**12 or 1 TB. While this works OK-ish for file content that we stream to extractors, we need to copy file names into memory, and this opens us up to an OOM DoS attack. Limit the file name size to 1 MiB, as libarchive does, to make things safer. 2020-05-18T13:55:36Z David Kalnischkies david@kalnischkies.de 2020-05-15T11:29:36Z urn:sha1:19790db8900bc9baac29cf58600152997a8ecef8 The variable this is read to is named Junk and that it is for usecases like apt-ftparchive which just looks at the items metadata, so instead of performing this hunked read for data nobody will process we just tell our FileFd to skip ahead (Internally it might still loop over the data depending on which compressor is involved). 2020-05-18T13:55:36Z David Kalnischkies david@kalnischkies.de 2020-05-13T21:01:38Z urn:sha1:5534bb3ad346ef4435e6fd0fe326771a4bde16a1 With FileFd::Write we already have a helper for this situation we can just make use of here instead of hoping for the best or rolling our own solution here. 2020-05-12T16:55:55Z Julian Andres Klode julian.klode@canonical.com 2020-05-12T09:49:09Z urn:sha1:dceb1e49e4b8e4dadaf056be34088b415939cda6 When normalizing ar member names by removing trailing whitespace and slashes, an out-out-bound read can be caused if the ar member name consists only of such characters, because the code did not stop at 0, but would wrap around and continue reading from the stack, without any limit. Add a check to abort if we reached the first character in the name, effectively rejecting the use of names consisting just of slashes and spaces. Furthermore, certain error cases in arfile.cc and extracttar.cc have included member names in the output that were not checked at all and might hence not be nul terminated, leading to further out of bound reads. Fixes Debian/apt#111 LP: #1878177 2019-05-06T10:14:04Z Julian Andres Klode julian.klode@canonical.com 2019-05-06T09:40:08Z urn:sha1:dfe2511e31f232a8a8880eba40af40d1deb0e49c