Bug#845438: pbuilder: bogus filename output, possible format string vulnerability
Thorsten Glaser
tg at mirbsd.de
Wed Nov 23 11:25:05 UTC 2016
Package: pbuilder
Version: 0.226.1
Severity: important
I: new cache content 'x11-common_10x0p+07.7+17_all.deb' added
-rw-r--r-- 1 root root 251250 Nov 23 00:40 /var/cache/pbuilder/aptcache-debian/x11-common_1%3a7.7+17_all.deb
I am assuming '%3a' is interpreted by printf(1) here.
Never pass user strings as printf format strings…
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages pbuilder depends on:
ii debconf [debconf-2.0] 1.5.59
ii debootstrap 1.0.87
ii dpkg-dev 1.18.15
ii wget 1.18-4
Versions of packages pbuilder recommends:
ii devscripts 2.16.8
ii eatmydata 105-5
ii fakeroot 1.21-2
ii iproute2 4.8.0-1
ii net-tools 1.60+git20150829.73cef8a-2
ii sudo 1.8.17p1-2
Versions of packages pbuilder suggests:
ii cowdancer 0.81
pn gdebi-core <none>
-- debconf information excluded
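The failure mode the report points at, as an added example that is not pbuilder's own code. The filename is the one from the cache listing above, with APT's URL-encoded epoch colon `%3a`; the function names `log_unsafe`, `log_safe` and `looks_like_format` are hypothetical. It goes slightly beyond the report: the check function also flags backslashes, because printf(1) interprets backslash escapes in its format argument just as it interprets `%` directives.

```shell
#!/bin/sh
# Added example, not pbuilder's code. Shows the vulnerable and the fixed
# way to log an untrusted filename with printf(1), plus a small check.

# Constructed sample: APT caches 'x11-common 1:7.7+17' with the epoch
# colon URL-encoded as '%3a', exactly as in the cache listing in the report.
SAMPLE_FILE='x11-common_1%3a7.7+17_all.deb'

# Vulnerable pattern: the untrusted filename is expanded INTO the format
# string. printf(1) then parses '%3a' as a conversion specification
# (hexadecimal float, width 3) with no argument supplied, and prints a
# zero value in place of the text; any other directive or backslash
# escape in the name is interpreted the same way. (shellcheck SC2059.)
log_unsafe() {
    printf "I: new cache content '$1' added\n"
}

# Fixed pattern: the format string is a constant, and the filename is
# passed as the argument consumed by %s, so it is never parsed.
log_safe() {
    printf "I: new cache content '%s' added\n" "$1"
}

# Check: would printf(1) interpret anything in this string if it ever
# reached a format position? Returns 0 (true) when it contains a '%'
# directive introducer or a backslash escape introducer.
looks_like_format() {
    case "$1" in
        *%*|*\\*) return 0 ;;
    esac
    return 1
}

main() {
    echo "unsafe: $(log_unsafe "$SAMPLE_FILE" 2>/dev/null)"
    echo "safe:   $(log_safe "$SAMPLE_FILE")"
    if looks_like_format "$SAMPLE_FILE"; then
        echo "note: '$SAMPLE_FILE' contains printf metacharacters"
    fi
}
main
```

With bash or coreutils printf, the unsafe line reproduces the `10x0p+07.7` mangling from the report (`%3a` with no argument prints `0x0p+0`); other printf implementations mangle or truncate the name differently, but none print it intact. The safe form prints the filename unchanged in every shell.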