summaryrefslogtreecommitdiff
path: root/apt-pkg/contrib
diff options
context:
space:
mode:
authorJulian Andres Klode <julian.klode@canonical.com>2020-10-19 13:22:33 +0200
committerJulian Andres Klode <julian.klode@canonical.com>2020-12-09 17:30:43 +0100
commitd10c68d628fe5342d400a999a6d10c5c7c0cef41 (patch)
treef858d3f30db857e847205ff3b31cea886c48a2fe /apt-pkg/contrib
parentf9a621d335622a8909177f6d347e32e3876fde3f (diff)
CVE-2020-27350: arfile: Integer overflow in parsing
GHSL-2020-169: This first hunk adds a check that we have more files left to read in the file than the size of the member, ensuring that (a) the number is not negative, which caused the crash here and (b) ensures that we similarly avoid other issues with trying to read too much data. GHSL-2020-168: Long file names are encoded by a special marker in the filename and then the real filename is part of what is normally the data. We did not check that the length of the file name is within the length of the member, which means that we got a overflow later when subtracting the length from the member size to get the remaining member size. The file createdeb-lp1899193.cc was provided by GitHub Security Lab and reformatted using apt coding style for inclusion in the test case, both of these issues have an automated test case in test/integration/test-ubuntu-bug-1899193-security-issues. LP: #1899193
Diffstat (limited to 'apt-pkg/contrib')
-rw-r--r--apt-pkg/contrib/arfile.cc14
1 files changed, 13 insertions, 1 deletions
diff --git a/apt-pkg/contrib/arfile.cc b/apt-pkg/contrib/arfile.cc
index 5cb43c690..6d4a1f158 100644
--- a/apt-pkg/contrib/arfile.cc
+++ b/apt-pkg/contrib/arfile.cc
@@ -94,7 +94,12 @@ bool ARArchive::LoadHeaders()
delete Memb;
return _error->Error(_("Invalid archive member header"));
}
-
+
+ if (Left < 0 || Memb->Size > static_cast<unsigned long long>(Left))
+ {
+ delete Memb;
+ return _error->Error(_("Invalid archive member header"));
+ }
// Check for an extra long name string
if (memcmp(Head.Name,"#1/",3) == 0)
{
@@ -106,6 +111,13 @@ bool ARArchive::LoadHeaders()
delete Memb;
return _error->Error(_("Invalid archive member header"));
}
+
+ if (Len > Memb->Size)
+ {
+ delete Memb;
+ return _error->Error(_("Invalid archive member header"));
+ }
+
if (File.Read(S,Len) == false)
{
delete Memb;