| Anonymous | Login | Signup for a new account | 11-10-2008 11:03 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0000939 | [BusyBox] Other | minor | always | 07-10-06 04:14 | 09-30-06 14:05 | ||||
| Reporter | bcg | View Status | public | ||||||
| Assigned To | BusyBox | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | svn | ||||||
| Summary | 0000939: dpkg has one buffer overflow and one access to free'd memory | ||||||||
| Description |
SVN 15217 breaks dpkg. It has: info_prefix = bb_xasprintf("/var/lib/dpkg/info/%s.", package_name); ...but later on the same function (unpack_package): strcat(info_prefix, "list"); Old version was ok: info_prefix = (char *) xmalloc(strlen(package_name) + 20 + 4 + 2); sprintf(info_prefix, "/var/lib/dpkg/info/%s.", package_name); There's also another bug in dpkg: If I update from foo-42-1.deb to foo-42-2.deb, dpkg accesses free'd memory. Attached is a patch to both bugs. |
||||||||
| Additional Information | |||||||||
| Attached Files |
 dpkg.patch [^] (1,116 bytes) 07-10-06 04:14 |
||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0001624) vda 09-07-06 10:20 |
strcat() is fixed now. This hunk seems to be incorrect to me: upstream_ver1 = xstrdup(ver1_ptr); upstream_ver2 = xstrdup(ver2_ptr); .... result = version_compare_part(upstream_ver1, upstream_ver2); + if (!result) + result = version_compare_part(deb_ver1, deb_ver2); free(upstream_ver1); free(upstream_ver2); - - if (result != 0) { - return(result); - } - - /* Compare debian versions */ - return(version_compare_part(deb_ver1, deb_ver2)); + return(result); } Why do you think it is correct? It seems to leak upstream_ver1/2... |
|
(0001630) bcg 09-10-06 23:52 |
The old version was something like this: upstream_ver1 = xstrdup(ver1_ptr); ... result = compare(upstream_ver1, .. free(upstream_ver1); if (!result) result = compare(upstream_ver1+something, .. ...which clearly accesses upstream_ver1 (via deb_ver1) after free(). My version is: upstream_ver1 = xstrdup(ver1_ptr); ... result = compare(upstream_ver1, .. if (!result) result = compare(upstream_ver1+something, .. free(upstream_ver1); I see no leak here, as I still have free()'s before return. My patch is just re-ordering the commands, nothing is removed. |
|
(0001672) vda 09-30-06 14:05 |
Applied as rev 16277 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 07-10-06 04:14 | bcg | New Issue | |
| 07-10-06 04:14 | bcg | Status | new => assigned |
| 07-10-06 04:14 | bcg | Assigned To | => BusyBox |
| 07-10-06 04:14 | bcg | File Added: dpkg.patch | |
| 09-07-06 10:20 | vda | Note Added: 0001624 | |
| 09-10-06 23:52 | bcg | Note Added: 0001630 | |
| 09-30-06 14:05 | vda | Status | assigned => closed |
| 09-30-06 14:05 | vda | Note Added: 0001672 | |
| 09-30-06 14:05 | vda | Resolution | open => fixed |
| Copyright © 2000 - 2006 Mantis Group |  |
