CVE-2020-27350

Name	CVE-2020-27350
Description	APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2487-1, DSA-4808-1, ELA-344-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
apt (PTS)	jessie, jessie (lts)	1.0.9.8.7	fixed
	stretch (security), stretch (lts), stretch	1.4.11	fixed
	buster	1.8.2.3	fixed
	buster (security), buster (lts)	1.8.2.2	fixed
	bullseye	2.2.4	fixed
	bookworm	2.6.1	fixed
	trixie	2.9.10	fixed
	sid	2.9.14	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
apt	source	jessie	1.0.9.8.7	ELA-344-1
apt	source	stretch	1.4.11	DLA-2487-1
apt	source	buster	1.8.2.2	DSA-4808-1
apt	source	(unstable)	2.1.13

https://bugs.launchpad.net/bugs/1899193