Re: Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability

[Joshua Rogers <oss () internot info>]

On 08/11/14 00:14, Sven Kieske wrote:
> to quote the man page of dpkg:
>
> > --no-act, --dry-run, --simulate Do everything which is supposed to
> > be done, but don't write any changes. This is used to see what
> > would happen with the specified action, without actually modifying
> > anything.
> So the users assumes this does not "modify anything"
> and if I understood this bug correct this gives at least
> access to the stack and allows to write/read memory.
Yes, you understood the bug correctly.

In reality, the vuln/bug is not a huge one. People _normally_ download
.deb files to install them.
But in some cases, that isn't always true.
If the bug was triggered before apt's signature handling, then it could
be a huge one. But it isn't(I'm guessing...)

And as I said, what if another program that, for example, integrates
with a browser, uses dpkg to analyze the .deb file.

The bug itself isn't confined to the -i flag either. It's in the
handling of the warnings. i.e very easy to trigger.

I'm taking a guess here, and going to say that there are other ways of
passing  arbitrary strings to the warning function. I may be wrong though.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>