
fix: bound debian ParseControlFile to a single control stanza (#38044)#38055

Merged
bircni merged 2 commits into go-gitea:release/v1.26 from GiteaBot:backport-38044-v1.26 on Jun 14, 2026


Conversation

@GiteaBot

Collaborator

Backport #38044 by @metsw24-max

Packages-index stanza injection via Debian control file

A .deb whose control file appends extra paragraphs after a blank line was still accepted, and ParseControlFile stored the whole multi-stanza blob in p.Control. That blob is re-emitted verbatim into the generated Packages index, so the embedded blank line splits it into separate stanzas and an uploader can smuggle a package entry with an attacker-chosen Filename into the shared index. A binary control file only holds one stanza, so parsing now stops at the blank line that terminates it; well-formed packages are unaffected and the new subtest covers the trailing-stanza case.

…ea#38044)

**Packages-index stanza injection via Debian control file**

A `.deb` whose `control` file appends extra paragraphs after a blank
line was still accepted, and `ParseControlFile` stored the whole
multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into
the generated `Packages` index, so the embedded blank line splits it
into separate stanzas and an uploader can smuggle a package entry with
an attacker-chosen `Filename` into the shared index. A binary control
file only holds one stanza, so parsing now stops at the blank line that
terminates it; well-formed packages are unaffected and the new subtest
covers the trailing-stanza case.

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
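As an added illustration of the defect described in the PR body and in the commit message above (this is not Gitea's own code, and its real `ParseControlFile` is not reproduced here): a control parser that stops at the blank line terminating the single stanza, next to a paragraph counter that shows how an unbounded blob would be read back as two entries in a `Packages` index. The function names `parseControlStanza` and `stanzaCount`, and the sample control text with its smuggled second stanza, are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: a valid stanza, a blank line, then a smuggled stanza with its own Filename.
const smuggledControl = "Package: hello\nVersion: 1.0\nArchitecture: amd64\n" +
	"Description: harmless package\n\n" +
	"Package: evil\nVersion: 9.9\nArchitecture: amd64\n" +
	"Filename: pool/main/e/evil_9.9_amd64.deb\nDescription: injected\n"

// parseControlStanza reads "Key: value" lines (leading whitespace marks a continuation)
// and stops at the first blank line, since a binary control file holds exactly one stanza.
// It returns the parsed fields and the exact text that would be stored and re-emitted.
func parseControlStanza(control string) (map[string]string, string, error) {
	fields := map[string]string{}
	var stored strings.Builder
	last := ""
	for _, line := range strings.Split(control, "\n") {
		if strings.TrimSpace(line) == "" {
			break // stanza terminator: anything after it must not be kept
		}
		stored.WriteString(line + "\n")
		if last != "" && (line[0] == ' ' || line[0] == '\t') {
			fields[last] += "\n" + strings.TrimSpace(line) // continuation line
			continue
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok {
			return nil, "", fmt.Errorf("malformed control line %q", line)
		}
		last = key
		fields[key] = strings.TrimSpace(val)
	}
	return fields, stored.String(), nil
}

// stanzaCount models how a Packages index is read back: paragraphs are separated by
// blank lines, so a blank line inside one stored control blob becomes an extra entry.
func stanzaCount(text string) int {
	n := 0
	for _, para := range strings.Split(text, "\n\n") {
		if strings.TrimSpace(para) != "" {
			n++
		}
	}
	return n
}
```

Checking `stanzaCount` on stored control text before it is concatenated into a shared index is a cheap invariant: a value other than 1 means a stanza boundary slipped through the parser.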
@GiteaBot GiteaBot added agentscan:automated-account type/bug lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 10, 2026
@GiteaBot GiteaBot requested a review from lunny June 10, 2026 03:28
@GiteaBot GiteaBot added this to the 1.26.3 milestone Jun 10, 2026
@GiteaBot GiteaBot requested a review from wxiaoguang June 10, 2026 03:28
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 10, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 14, 2026
@bircni bircni enabled auto-merge (squash) June 14, 2026 14:08
@bircni bircni merged commit 9b8bfdc into go-gitea:release/v1.26 Jun 14, 2026
27 of 28 checks passed