pkgsrc-Bugs archive


pkg/59827: pkg_install dewey does not handle integer overflow



>Number:         59827
>Category:       pkg
>Synopsis:       pkg_install dewey does not handle integer overflow
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 09 15:30:00 +0000 2025
>Originator:     Jonathan Perkin
>Release:        
>Organization:
>Environment:
>Description:
While improving pkgsrc-rs a while back I fixed an issue with handling potentially large integers in version numbers:

https://github.com/jperkin/pkgsrc-rs/commit/23dc7e3

pkg_install is also vulnerable.
>How-To-Repeat:
While clearly highly unlikely, I don't think it's completely outside the bounds of possibility that someone somewhere may, for example, have a version number that includes a timestamp with sub-second granularity, which leads to this failure:

$ pkg_admin pmatch 'pkg>=1.20251209152135' pkg-1.0 && echo WRONG || echo fine
fine
$ pkg_admin pmatch 'pkg>=1.20251209152135000' pkg-1.0 && echo WRONG || echo fine
WRONG
>Fix:



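Editor's added example (not part of the PR above, and not code from pkg_install or pkgsrc-rs): one way to make dewey-style numeric component comparison immune to this class of bug is to never convert a digit run to a machine integer at all. After stripping leading zeros, a longer run of digits is always the larger number, and equal-length runs compare byte-wise, so a 17-digit timestamp component is handled exactly like a one-digit one. The version grammar below is an assumption for illustration: purely numeric dotted versions, with a missing trailing component treated as 0; alphabetic modifiers such as "nb3" or "rc1" are deliberately out of scope. The function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the run of decimal digits starting at s (0 if none). */
static size_t digit_run(const char *s)
{
    size_t n = 0;
    while (isdigit((unsigned char)s[n]))
        n++;
    return n;
}

/*
 * Compare two digit runs as non-negative integers of arbitrary length
 * without converting either one to an int/long, so there is no width
 * that can overflow. Leading zeros are skipped first ("007" == "7");
 * after that a longer run is the larger number and equal-length runs
 * compare lexicographically. Returns <0, 0 or >0.
 */
static int cmp_digit_run(const char *a, size_t alen,
                         const char *b, size_t blen)
{
    while (alen > 1 && *a == '0') { a++; alen--; }
    while (blen > 1 && *b == '0') { b++; blen--; }
    if (alen != blen)
        return alen < blen ? -1 : 1;
    return memcmp(a, b, alen);
}

/*
 * Compare two purely numeric dotted versions such as "1.0" and
 * "1.20251209152135000" (assumed grammar, see the lead-in). Components
 * are compared pairwise left to right; an absent trailing component is
 * treated as 0, so "1.0" == "1.0.0". Returns <0 if a < b, 0 if equal,
 * >0 if a > b.
 */
int numeric_version_cmp(const char *a, const char *b)
{
    for (;;) {
        size_t alen = digit_run(a), blen = digit_run(b);
        /* An absent component counts as "0". */
        int r = cmp_digit_run(alen ? a : "0", alen ? alen : 1,
                              blen ? b : "0", blen ? blen : 1);
        if (r != 0)
            return r;
        a += alen;
        b += blen;
        if (*a == '\0' && *b == '\0')
            return 0;
        /*
         * Consume one '.' separator per side. Anything else (e.g. an
         * alphabetic modifier) is outside the assumed grammar and is
         * resolved by a plain string compare so the loop always
         * makes progress.
         */
        if (*a == '.') a++; else if (*a != '\0') return strcmp(a, b);
        if (*b == '.') b++; else if (*b != '\0') return strcmp(a, b);
    }
}

/*
 * Does pkgver satisfy the pattern "pkg>=minver"? Mirrors the pkg_admin
 * pmatch checks in the report for the numeric-only case. Returns 1 or 0.
 */
int satisfies_ge(const char *pkgver, const char *minver)
{
    return numeric_version_cmp(pkgver, minver) >= 0;
}

int main(void)
{
    /* The two checks from the How-To-Repeat section; both should print "fine". */
    printf("pkg>=1.20251209152135 vs pkg-1.0: %s\n",
           satisfies_ge("1.0", "1.20251209152135") ? "WRONG" : "fine");
    printf("pkg>=1.20251209152135000 vs pkg-1.0: %s\n",
           satisfies_ge("1.0", "1.20251209152135000") ? "WRONG" : "fine");
    return 0;
}
```

The alternative is to keep parsing into an integer but detect overflow (for example with strtoull(3) and an ERANGE check) and fail the match loudly instead of silently wrapping; either is acceptable, but what must not happen is a comparison that proceeds on a wrapped value.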