1 files changed, 45 insertions, 0 deletions

diff --git a/app-arch/dpkg/files/dpkg-1.21.15-buf-overflow.patch b/app-arch/dpkg/files/dpkg-1.21.15-buf-overflow.patch
new file mode 100644
index 000000000000..864d57b98a5c
--- /dev/null
+++ b/app-arch/dpkg/files/dpkg-1.21.15-buf-overflow.patch
@@ -0,0 +1,45 @@
+From 5356621172d669d8f62e7e746a6c7a11345aec4e Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@debian.org>
+Date: Tue, 3 Jan 2023 23:29:05 +0100
+Subject: dpkg-deb: Fix buffer overflow on long directory names with old deb
+ formats
+
+The handling for deb 0.x formats that relocates files around once
+extracted was using a buffer with a hardcoded size, not taking into
+account the length of the directory which would overflow it.
+
+Switch to use a dynamically allocated buffer to handle any destination
+directory length.
+
+Reported-by: Georgy Yakovlev <gyakovlev@gentoo.org>
+---
+ src/deb/extract.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/deb/extract.c b/src/deb/extract.c
+index a09853962..6466fa6f2 100644
+--- a/src/deb/extract.c
++++ b/src/deb/extract.c
+@@ -53,15 +53,16 @@
+ static void
+ movecontrolfiles(const char *dir, const char *thing)
+ {
+-  char buf[200];
++  char *cmd;
+   pid_t pid;
+ 
+-  sprintf(buf, "mv %s/%s/* %s/ && rmdir %s/%s", dir, thing, dir, dir, thing);
++  cmd = str_fmt("mv %s/%s/* %s/ && rmdir %s/%s", dir, thing, dir, dir, thing);
+   pid = subproc_fork();
+   if (pid == 0) {
+-    command_shell(buf, _("shell command to move files"));
++    command_shell(cmd, _("shell command to move files"));
+   }
+   subproc_reap(pid, _("shell command to move files"), 0);
++  free(cmd);
+ }
+ 
+ static void DPKG_ATTR_NORET
+-- 
+cgit v1.2.3
+