NetBSD Problem Report #59827
From www@netbsd.org Tue Dec 9 15:26:31 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 6F5081A9239
for <gnats-bugs@gnats.NetBSD.org>; Tue, 9 Dec 2025 15:26:31 +0000 (UTC)
Message-Id: <20251209152630.639A21A923A@mollari.NetBSD.org>
Date: Tue, 9 Dec 2025 15:26:30 +0000 (UTC)
From: jperkin@pkgsrc.org
Reply-To: jperkin@pkgsrc.org
To: gnats-bugs@NetBSD.org
Subject: pkg_install dewey does not handle integer overflow
X-Send-Pr-Version: www-1.0
>Number: 59827
>Category: pkg
>Synopsis: pkg_install dewey does not handle integer overflow
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 09 15:30:00 +0000 2025
>Originator: Jonathan Perkin
>Release:
>Organization:
>Environment:
>Description:
While improving pkgsrc-rs a while back I fixed an issue with handling potentially large integers in version numbers:
https://github.com/jperkin/pkgsrc-rs/commit/23dc7e3
pkg_install is also vulnerable.
>How-To-Repeat:
While clearly highly unlikely, I don't think it's completely outside the bounds of possibility that someone somewhere may for example have a version number that includes a timestamp with sub-second granularity, which leads to this failure:
$ pkg_admin pmatch 'pkg>=1.20251209152135' pkg-1.0 && echo WRONG || echo fine
fine
$ pkg_admin pmatch 'pkg>=1.20251209152135000' pkg-1.0 && echo WRONG || echo fine
WRONG
>Fix:
(Contact us)
$NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home