From 6610297a62c0780dd0e80b0e302ef64fdcc9d313 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@debian.org>
Date: Sat, 7 Feb 2026 00:57:55 +0100
Subject: libdpkg: Terminate zstd decompression when we have no more data

We should be checking whether the input buffer is zero-sized, and then
mark the stream as finished. Otherwise the zstd implementation does not
detect that as an end of stream situation and we get stuck in an
infinite loop spinning the CPU. This means the decompression process
in dpkg-deb does not terminate, so no EPIPE gets generated and the
other processes that are part of the unpacking do not stop either.

Reported-by: Yashashree Gund <yash_gund@live.com>
Fixes: commit 2c2f7066bd8c3209762762fa6905fa567b08ca5a
Fixes: CVE-2026-2219
Closes: #1129722
Stable-Candidate: 1.21.x 1.22.x
---
 lib/dpkg/compress.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/dpkg/compress.c b/lib/dpkg/compress.c
index ef93133cf..a370a948d 100644
--- a/lib/dpkg/compress.c
+++ b/lib/dpkg/compress.c
@@ -1084,6 +1084,11 @@ filter_unzstd_code(struct io_zstd *io, struct io_zstd_stream *s)
 	ZSTD_outBuffer buf_out = { s->next_out, s->avail_out, 0 };
 	size_t ret;
 
+	if (buf_in.size == 0) {
+		s->status = DPKG_STREAM_END;
+		return;
+	}
+
 	ret = ZSTD_decompressStream(s->ctx.d, &buf_out, &buf_in);
 	if (ZSTD_isError(ret))
 		filter_zstd_error(io, ret);
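Review bot: The new `buf_in.size == 0` check at the top of filter_unzstd_code() sets `DPKG_STREAM_END` before `ZSTD_decompressStream()` is called, so it cannot tell a cleanly finished frame from input that was cut off mid-frame. `ZSTD_decompressStream()` returns 0 only when a frame has been fully decoded and flushed. If the previous call returned a non-zero, non-error value, then empty input here means either a truncated stream or output still pending inside the decoder. Consider remembering the last `ret` in the stream state and, when the input is empty and that value was non-zero, reporting an error through `filter_zstd_error()` or a dedicated truncation message instead of a normal end of stream. A short comment above the check, saying that zstd does not signal end of stream on empty input and would otherwise loop, would also help, since that reasoning is currently only in the commit message.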
-- 
cgit v1.2.3

