Monday, 10 November 2014

`dpkg' format string vulnerability. CVE-2014-8625

A few days ago, I found a strange/stupid vulnerability in dpkg.

Dpkg is the package manager for Debian-based operating systems, such as Ubuntu.
It handles .deb files.

When creating a dpkg package (a .deb file), a 'control file' must be made. This includes information about the package, such as the package name, a description of the package, the maintainer(s), and the version of the package.

That control file is used to display the information before the package is installed.

I found that in the "Architecture" part of the control file, you could put formatting strings, such as %s, %d, etc., and it would output the stack pointer.

For my control file, I have this:

Package: backup
Architecture: %08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
Version: 1

When building the package, I receive this warning:

dpkg-deb: warning: parsing file 'folder//DEBIAN/control' near line 2 package 'backup:01485120.00415cf8.00000001.00000001.0000001c\n':
Description: Stuff

01485120 and 00415cf8 are the stack pointers.

The notable thing is that, despite the warning, dpkg-deb still builds the package.
So we have a working .deb file with this bug in it. (found here:

Now that we've got a working .deb file, processing of it will cause the vulnerability to trigger.

The vulnerability still triggers even when using the '--dry-run' flag in dpkg, which isn't supposed to do anything. From the dpkg manual:

       --no-act, --dry-run, --simulate
              Do everything which is supposed to be done, but don't write any changes. This is used to see what would happen with the specified action, without actually modifying anything.

Since "dpkg --dry-run -i" has to be run as root, you could probably root a system using this.

# dpkg --dry-run -i folder.deb
dpkg: warning: parsing file '/tmp/dpkg.XuLMM7/control' near line 2 package 'backup:01e143c0.00431828.00000001.00000001.0000001c\n':
Description: Stuff
maintainer: Joshua Rogers

The practical risk is low, because normally people download .deb files in order to install them. If they install the .deb file anyway, it may just as well contain a trojan or something along those lines. (tl;dr: don't install random .deb files you find).
But, if you're looking to analyze .deb files you find, this may be harmful.

The vulnerable function, parse_error_msg([...]), is called from many more places than just -i.
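To make the bug class concrete, here is an added C example (not dpkg's own code) that mirrors the shape of the problem: a parser builds a diagnostic that embeds an untrusted field from the control file, and that diagnostic is then handed to a printf-family routine as the format argument instead of as a "%s" parameter. The hardened routine beside it shows the fix pattern, and count_format_directives is a defender-side check that flags a package or architecture name carrying conversion directives before it ever reaches a format string. The function names (build_parse_error, warning_vulnerable, warning_fixed, emit_parse_warning, count_format_directives) are hypothetical; the sample file name and Architecture value are taken from the control file shown in this post. The vulnerable routine is only ever exercised on a benign name here, because calling it with the crafted one is exactly the undefined behaviour the post demonstrates.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values, copied from the control file in the post.
   The "\\n" is the literal backslash-n the field contained, not a newline. */
static const char SAMPLE_FILE[] = "folder//DEBIAN/control";
static const char SAMPLE_ARCH[] = "%08x.%08x.%08x.%08x.%08x\\n";

/* Defender-side check: count printf conversion directives in an untrusted
   field. "%%" is an escaped literal percent and does not count. A package or
   architecture name should never contain any; a non-zero result is what a
   control-file validator or a fuzz harness would flag. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": a literal percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Step 1 (both variants): the parser assembles a message that embeds the
   untrusted package name. This step is fine on its own, because the name
   goes in through "%s". */
static void build_parse_error(char *out, size_t outsz,
                              const char *file, int line, const char *pkg)
{
    snprintf(out, outsz, "parsing file '%s' near line %d package '%s':",
             file, line, pkg);
}

/* Step 2, vulnerable shape: the assembled message is passed on as the FORMAT
   argument of a variadic warning routine. Every '%' the attacker wrote into
   the name is now interpreted by vsnprintf. This is the CVE-2014-8625
   pattern; with a name containing directives the call is undefined behaviour. */
static void warning_vulnerable(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);     /* fmt is attacker-influenced */
    va_end(ap);
}

/* Step 2, hardened shape: the format is a string literal and the message is
   an ordinary "%s" argument, so '%' inside it is just a character. */
static void warning_fixed(char *out, size_t outsz, const char *msg)
{
    snprintf(out, outsz, "%s", msg);
}

/* Drive the parse-error path for one package name and return the emitted
   warning text (static buffer). hardened != 0 selects the fixed routine. */
const char *emit_parse_warning(const char *file, int line,
                               const char *pkg, int hardened)
{
    static char msg[256], out[256];

    build_parse_error(msg, sizeof msg, file, line, pkg);
    if (hardened)
        warning_fixed(out, sizeof out, msg);
    else
        warning_vulnerable(out, sizeof out, msg);
    return out;
}

int main(void)
{
    char name[128];

    /* dpkg reports the name as "<package>:<architecture>", as in the post. */
    snprintf(name, sizeof name, "backup:%s", SAMPLE_ARCH);
    printf("directives in name: %d\n", count_format_directives(name));
    printf("hardened warning:   %s\n",
           emit_parse_warning(SAMPLE_FILE, 2, name, 1));
    return 0;
}
```

Compiling the vulnerable routine with `-Wformat-security` (or `-Wformat=2`) makes GCC and Clang warn about the non-literal format, which is the cheapest way to catch this pattern across a code base; the runtime check in count_format_directives is the belt-and-braces option for input that must be rejected before any diagnostic is printed.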

The bug was assigned the CVE-ID: CVE-2014-8625.
Original bug report:
Debian bug report: