CVE-2021-38172: Re: Autopkgtest for perm

perM 0.4.0 has a Buffer Overflow related to strncpy. (Debian initially fixed this in 0.4.0-7.)

On 8/2/21 6:30 PM, Andreas Tille wrote:

Hi Shruti,

On Mon, Aug 02, 2021 at 04:50:36PM +0530, Shruti Sridhar wrote:

I have written autopkgtests for perm[1]

The package initially failed blhc in the pipeline but when I fixed the error [2]

Congratulations, you found a security issue as it seems. I’m happy that enabling blhc is doing a sensible job.

the autopkgtest which was initially working fails [3].

The autopkgtest says:

Info 3: Sortubg buckets using 2 CPUs . *** buffer overflow detected ***: terminated Info 3: Successfully made the index

My guess is that enabling hardening options has uncovered some memory leak. I’d recommend firing up gdb and trying to find the issue.

The basic problem is that it has several instances of strcpy and sprintf, which are famously known for causing buffer overflows.

I think the sensible option is to replace these with strlcpy and strcat when needed.

But the problem is that the code needs a lot of refactoring, rewriting and debugging to get these things in properly. So I am tempted to say that we should consider removing perm from the archive. Upstream is dead, and I do not think it is worth keeping this in anymore.

What do you think?

Nilesh
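The kind of replacement discussed in the message above, as an added example that is not part of the original thread and is not perM code: it shows why a `strncpy` bounded by the destination size can still leave an unterminated buffer, next to bounded copy and format helpers that report truncation. The function names and sample strings are hypothetical, and `snprintf` is used as a portable stand-in for `strlcpy`, which not every libc provides.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..cap) contains a NUL terminator, i.e. is a valid C string. */
static int is_terminated(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

/* Pitfall: strncpy() bounded by the destination size does not write past dst,
 * but it leaves dst unterminated when strlen(src) >= cap, so a later strlen,
 * strcat or printf("%s") reads beyond the buffer.
 * Returns whether dst ended up terminated. */
int strncpy_terminates(char *dst, size_t cap, const char *src) {
    memset(dst, 'X', cap);            /* poison so a missing NUL is visible */
    strncpy(dst, src, cap);
    return is_terminated(dst, cap);
}

/* Bounded copy: always terminates and reports truncation instead of hiding it.
 * Returns 0 on success, -1 if src did not fit (dst holds a truncated copy). */
int copy_bounded(char *dst, size_t cap, const char *src) {
    if (cap == 0) return -1;
    int n = snprintf(dst, cap, "%s", src);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Bounded replacement for sprintf(dst, "%s.%s", base, ext). */
int join_name(char *dst, size_t cap, const char *base, const char *ext) {
    if (cap == 0) return -1;
    int n = snprintf(dst, cap, "%s.%s", base, ext);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char buf[8];
    const char *long_in = "reference_genome";   /* constructed sample input */
    printf("strncpy terminated: %d\n",
           strncpy_terminates(buf, sizeof buf, long_in));
    printf("copy_bounded: %d -> \"%s\"\n",
           copy_bounded(buf, sizeof buf, long_in), buf);
    printf("join_name: %d -> \"%s\"\n",
           join_name(buf, sizeof buf, "chr1", "ix"), buf);
    return 0;
}
```

Callers have to check the return value: a silently truncated file or index name is still a bug, just no longer a memory-safety one.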
