Subject: pkg/36773: pointer bug in audit-packages
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <dholland@eecs.harvard.edu>
List: pkgsrc-bugs
Date: 08/12/2007 06:50:00
>Number: 36773
>Category: pkg
>Synopsis: pointer bug in audit-packages
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Aug 12 06:50:00 +0000 2007
>Originator: David A. Holland <dholland@eecs.harvard.edu>
>Release: NetBSD 4.99.20 (pkgsrc 20070811)
>Organization:
Harvard EECS
>Environment:
System: NetBSD tanaqui 4.99.20 NetBSD 4.99.20 (TANAQUI) #17: Thu Jul 5 23:22:29 EDT 2007 root@tanaqui:/usr/src/sys/arch/i386/compile/TANAQUI i386
Architecture: i386
Machine: i386
>Description:
I used to have a neatly formatted multi-line IGNORE_URLS setting in
audit-packages.conf; it broke, so I was looking at the config parser,
and in the course of doing so I spotted a bug.
If you set GPG in the config file, because clean_conf() does not
return a fresh string as its return value, verify_bin ends up pointing
into the line buffer. This probably has undesirable results.
>How-To-Repeat:
Try setting GPG= and then some other variable. I haven't actually
tried this though - I only read the code.
>Fix:
Index: audit-packages.c
===================================================================
RCS file: /cvsroot/pkgsrc/pkgtools/pkg_install/files/audit-packages/audit-packages.c,v
retrieving revision 1.9
diff -u -r1.9 audit-packages.c
--- audit-packages.c 10 Aug 2007 22:50:46 -0000 1.9
+++ audit-packages.c 12 Aug 2007 06:39:57 -0000
@@ -637,7 +637,7 @@
else if (strncmp(line, "GPG", 3) == 0) {
retval = clean_conf(line);
if (retval != NULL)
- verify_bin = retval;
+ verify_bin = safe_strdup(retval);
}
else if (strncmp(line, "PKGVULNDIR", 9) == 0) {
retval = clean_conf(line);
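Review bot: In the GPG branch, `verify_bin = safe_strdup(retval);` makes a new copy each time a GPG line is parsed, so a config file that sets GPG more than once leaves the earlier copy unreferenced. Consider releasing the previous value first, provided it is known to be heap-allocated. The PKGVULNDIR branch in the trailing context also takes its value from `clean_conf(line)`, so its assignment (not visible in this hunk) deserves the same check for a pointer kept into the line buffer. Also in the context lines, `strncmp(line, "PKGVULNDIR", 9)` compares one character fewer than the 10-character name, and `strncmp(line, "GPG", 3)` accepts any line that merely begins with GPG.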
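The aliasing described in the report, as an added example that is not part of the original report or of the pkgsrc source: a parser that reuses one line buffer, run once keeping the raw pointer and once copying the value. The functions `load_gpg()` and `dup_str()` and the sample config lines are constructed for illustration.

```c
/* Added illustration: load_gpg() and dup_str() are hypothetical stand-ins,
 * not code from audit-packages.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample config: GPG is set, then another variable follows. */
static const char *sample_conf[] = {
    "GPG=/usr/pkg/bin/gpg\n",
    "IGNORE_URLS=http://example.invalid/advisory\n",
};

/* Abort-on-failure copy, standing in for the patch's safe_strdup(). */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL)
        abort();
    memcpy(p, s, n);
    return p;
}

/* Parse the sample through one reused line buffer. copy == 0 keeps the raw
 * pointer into the buffer (the bug); copy != 0 duplicates the value (the fix).
 * Returns a heap snapshot of what the saved pointer refers to afterwards. */
static char *load_gpg(int copy)
{
    char line[128], *gpg = NULL, *seen;
    size_t i;
    for (i = 0; i < sizeof(sample_conf) / sizeof(sample_conf[0]); i++) {
        snprintf(line, sizeof(line), "%s", sample_conf[i]); /* "read" a line */
        line[strcspn(line, "\n")] = '\0';
        if (strncmp(line, "GPG=", 4) == 0)
            gpg = copy ? dup_str(line + 4) : line + 4;
    }
    seen = dup_str(gpg);
    if (copy)
        free(gpg);
    return seen;
}

int main(void)
{
    char *a = load_gpg(0), *b = load_gpg(1);
    printf("aliased: %s\ncopied:  %s\n", a, b);
    free(a); free(b);
    return 0;
}
```

Without the copy, the saved GPG pointer ends up reading the tail of whichever line was parsed last.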