
Re: RFS: gvpe, the GNU Virtual Private Ethernet daemon

> On 2009-06-12, Jonathan Wiltshire <debian@jwiltshire.org.uk> wrote:
> > I am seeking a sponsor for this new package, gvpe. It builds a secure
> > virtual ethernet between multiple endpoints and gateways, rather than a
> > straight end-to-end VPN tunnel. This makes it more resilient to failures
> > of individual nodes participating in the network. I filed an RFP
> > originally, but I've since packaged it for my own use and had it running
> > with no problems for some months, so I believe it's stable enough for
> > the archive.
> i'd like to sponsor this package but gvpe has the security idiosyncrasy
> of selecting a single symmetric cipher and digest algorithm at compile
> time, and i'm afraid one of the first bugs filed would be a request for
> more than one cipher/digest combination.
> if you're ok with my changes to the package i'd like to sponsor it:
>     http://people.debian.org/~edmonds/gvpe/gvpe_2.22-1.dsc


Jonathan asked me to review this package some days ago, so here is what I ran 
into up to that moment:

GVPE looks like a fork of tinc, which is already in Debian (or at least shares 
some code with it), and its source tree carries libev (by the same author) 
instead of linking with the libev library provided as a separate package and 
already uploaded in Debian. Unfortunately, code dups also mean (security) 
bug dups, like that conditional `division by zero' in ev_select.c line 105, 
which seems to be Windows-specific (NFBITS previously and conditionally defined 
as 0).

Also, this would properly deallocate a previously dynamically allocated array 
(as found by cppcheck, another package I'm looking at;-)

--- src/slog.C.orig     2009-06-24 23:35:27.000000000 +0300
+++ src/slog.C  2009-06-24 23:35:42.000000000 +0300
@@ -97,7 +97,7 @@
           write (2, "\n", 1);

-      delete msg;
+      delete[] msg;

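Review bot: the `delete[] msg;` line is only correct if `msg` comes from `new[]`, and the allocation is not within the context shown, so please confirm the allocation site in src/slog.C before this is applied; pairing `delete` with `new[]` (or `delete[]` with plain `new`) is undefined behaviour either way. If the buffer size is known where `msg` is created, a local array or a `std::vector<char>` would remove the manual deallocation altogether and this class of mismatch with it. The hunk header also declares 7 lines on each side while fewer are visible here, so the patch as posted will need regenerating against the full file before it applies cleanly.
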
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>
