Vigil@nce - Ubuntu dpkg: memory corruption via the Architecture fields of package file
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a memory corruption in dpkg via the
Architecture field of the package control file, in order to
trigger a denial of service, and possibly to execute code.
Impacted products: Ubuntu
Severity: 1/4
Creation date: 06/11/2014
Revision date: 07/11/2014
DESCRIPTION OF THE VULNERABILITY
Dpkg is the low-level package management tool of Debian-based
distributions.
The C function is used to display warnings about invalid content
of the package control file. It uses printf-like formats. However,
the format functions are called directly with the field read from
the package control file as the format. So, the package author can
use conversion codes to read or corrupt the process stack.
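The pattern described above, as an added example (not dpkg's code and not part of the bulletin): a hypothetical printf-like helper, warn_fmt, is called once with the untrusted field as the format and once with a constant format. The function names and the sample field value are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-like warning helper; it writes into buf so the result
 * can be inspected. Declaring it with __attribute__((format(printf, 3, 4)))
 * lets gcc/clang -Wformat-security flag the unsafe call below. */
static int warn_fmt(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the untrusted field IS the format string, so any
 * conversion specification in it is interpreted by the formatter. */
int warn_arch_unsafe(char *buf, size_t len, const char *arch)
{
    return warn_fmt(buf, len, arch);
}

/* Hardened pattern: constant format, untrusted field passed as data. */
int warn_arch_safe(char *buf, size_t len, const char *arch)
{
    return warn_fmt(buf, len, "invalid architecture '%s'", arch);
}

int main(void)
{
    char out[128];
    /* Constructed field value; "%%" is the one conversion that consumes no
     * argument, so it shows interpretation without undefined behaviour. */
    const char *field = "arm%%64";

    warn_arch_unsafe(out, sizeof out, field);
    printf("unsafe: %s\n", out);   /* field was parsed as a format */

    warn_arch_safe(out, sizeof out, field);
    printf("safe:   %s\n", out);   /* field preserved byte for byte */
    return 0;
}
```

With the constant format, a field containing conversion codes is printed literally and never reaches the formatter as a format.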
An attacker can therefore generate a memory corruption in dpkg via
the Architecture field of the package control file, in order to
trigger a denial of service, and possibly to execute code.
Note: the bug seems to be a vulnerability only if the incorrect
function is also called in commands used to query the package
content. (In other cases, dpkg already normally runs code from the
package.)