On 8/2/21 6:30 PM, Andreas Tille wrote: > Hi Shruti, > > On Mon, Aug 02, 2021 at 04:50:36PM +0530, Shruti Sridhar wrote: >> I have written autopkgtests for perm[1] >> >> The package initially failed blhc in the pipeline but when I fixed the >> error [2] Congratulations, you found a security issue as it seems. I'm happy that enabling blhc is doing a sensible job >> the autopkgtest which was initially working fails [3]. > > The autopkgtest says: > > Info 3: Sortubg buckets using 2 CPUs . > *** buffer overflow detected ***: terminated > Info 3: Successfully made the index > > My guess is that enabling hardening options has uncovered some memory leak. > I'd recommend firing up gdb and try finding the issue. The basic problem is that it has several instances of strcpy and sprintf, which are famously known for causing buffer overflows. I think the sensible option is to replace these with strlcpy and strcat when needed. But the problem is that the code needs a lot of refactoring, rewriting and debugging to get these things in properly. So I am tempted to say that we should consider to remove perm from the archive. Upstream is dead, and I do not think it is worth keeping this in anymore What do you think? Nilesh
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature