Date: Thu, 26 Nov 2015 21:25:40 +0100
From: Hanno Böck <>
To: oss-security <>
Subject: Stack overflows and out of bounds read in dpkg (Debian)

Two stack overflows and one stack out of bounds access were fixed in
dpkg, the package management tool from Debian.

A call to the function read_line didn't consider a trailing zero byte
in the target buffer and thus could cause a one byte stack overflow
with a zero byte. This issue was already fixed in the testing code when
I reported it, but the fix wasn't backported to stable yet.
Git commit / fix
Minimal PoC file

A second almost identical stack overflow due to a call to the function
read_line was in the same file.
Minimal PoC file
These issues got the id CVE-2015-0860.

A stack out of bounds read can happen in the function
dpkg_ar_normalize_name. There is a read access to an array where the
index can have the value -1. A check if the index is a positive value
fixes this.
Minimal PoC file

All issues were found with the help of american fuzzy lop and address
Debian has published the advisory DSA 3407-1. Fixed packages for both
stable (Jessie) and oldstable (Wheezy) have been published.
Ubuntu has published the advisory USN-2820-1. Fixed packages for Ubuntu
15.10, 15.04 and the LTS versions 14.04 and 12.04 have been published.

All users of Ubuntu, Debian and other dpkg/apt-based distributions
should update.

Hanno Böck
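
A simplified C model of the two bug classes this message describes, added here as an example and not taken from dpkg's code. `model_read_line`, `guard_survives`, `model_normalize_name` and `LINE_CAP` are hypothetical names, and the inputs are constructed. It shows why a reader that appends a NUL after up to `max_size` bytes must be called with one less than the buffer size, and why a backwards scan over a fixed-width name must test the index before reading.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 8      /* constructed buffer size for the demo */
#define AR_NAME_LEN 16  /* width of the ar_name field in an ar header */

/* Copies at most max_size bytes (stopping after '\n'), then appends a NUL: up to max_size + 1 writes. */
static size_t model_read_line(const char *src, size_t src_len,
                              char *buf, size_t max_size)
{
    size_t n = 0;
    while (n < max_size && n < src_len) {
        buf[n] = src[n];
        if (buf[n++] == '\n') break;
    }
    buf[n] = '\0';
    return n;
}

/* Returns 1 if the byte just past a LINE_CAP-byte buffer (modelled by storage[LINE_CAP]) is untouched. */
static int guard_survives(const char *src, size_t src_len, size_t max_size)
{
    char storage[LINE_CAP + 1];
    storage[LINE_CAP] = 0x7f;
    model_read_line(src, src_len, storage, max_size);
    return storage[LINE_CAP] == 0x7f;
}

/* Strips space padding and an optional trailing '/'; returns last significant index or -1. */
static int model_normalize_name(char name[AR_NAME_LEN])
{
    int i;
    for (i = AR_NAME_LEN - 1; i >= 0 && name[i] == ' '; i--)
        name[i] = '\0';
    if (i >= 0 && name[i] == '/')   /* without i >= 0 this reads name[-1] */
        name[i] = '\0';
    return i;
}

int main(void)
{
    char pad[AR_NAME_LEN];
    memset(pad, ' ', sizeof(pad));  /* constructed all-padding member name */
    printf("max=sizeof(buf):   guard intact=%d\n", guard_survives("AAAAAAAAAAAA", 12, LINE_CAP));
    printf("max=sizeof(buf)-1: guard intact=%d\n", guard_survives("AAAAAAAAAAAA", 12, LINE_CAP - 1));
    printf("all-space name:    last index=%d\n", model_normalize_name(pad));
    return 0;
}
```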

