From f1aac7d933819569bf6f347c3c0d5a64a90bbce0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hanno=20B=C3=B6ck?= Date: Thu, 19 Nov 2015 20:03:10 +0100 Subject: [PATCH] dpkg-deb: Fix off-by-one write access on ctrllenbuf variable This affects old format .deb packages. Fixes: CVE-2015-0860 Warned-by: afl Signed-off-by: Guillem Jover Upstream-Status: Backport https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0 CVE: CVE-2015-0860 hand merge Changelog Signed-off-by: Armin Kuster --- debian/changelog | 3 +++ dpkg-deb/extract.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) Index: dpkg-1.17.21/dpkg-deb/extract.c =================================================================== --- dpkg-1.17.21.orig/dpkg-deb/extract.c +++ dpkg-1.17.21/dpkg-deb/extract.c @@ -245,7 +245,7 @@ extracthalf(const char *debar, const cha if (errstr) ohshit(_("archive has invalid format version: %s"), errstr); - r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf)); + r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1); if (r < 0) read_fail(r, debar, _("archive control member size")); if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 || Index: dpkg-1.17.21/ChangeLog =================================================================== --- dpkg-1.17.21.orig/ChangeLog +++ dpkg-1.17.21/ChangeLog @@ -1,3 +1,9 @@ +[ Guillem Jover ] + * Fix an off-by-one write access in dpkg-deb when parsing the old format + .deb control member size. Thanks to Hanno Böck . + Fixes CVE-2015-0860. + + commit 6fc9e281551e0d851e38249679688bbabbad5c5f Author: Guillem Jover Date: Sat Oct 25 02:24:41 2014 +0200
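Review bot: the `sizeof(ctrllenbuf) - 1` in the extract.c hunk is only correct if `read_line` treats its length argument as the maximum number of bytes to store and then writes the terminating NUL at `buf[len]`; a one-line comment at the call site saying exactly that would stop the next reader from "fixing" it back, since the `sscanf(ctrllenbuf, "%jd%c%d", ...)` two lines below depends on the buffer being NUL-terminated inside its bounds. It is also worth grepping the other `read_line(..., sizeof(...))` callers for the same pattern rather than patching this single site.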
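Review bot: the diffstat in the header does not match the ChangeLog hunk: it lists `debian/changelog | 3 +++` and `4 insertions(+)`, but the hunk actually touches the top-level `ChangeLog` with `@@ -1,3 +1,9 @@`, i.e. six added lines, so the hand-merged stat should be regenerated. In the added entry, "Thanks to Hanno Böck ." has a stray space before the period where the reporter's address appears to have been dropped; restore the address or remove the space.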