Re: RFS: gvpe, the GNU Virtual Private Ethernet daemon
> On 2009-06-12, Jonathan Wiltshire <debian@jwiltshire.org.uk> wrote:
> > I am seeking a sponsor for this new package, gvpe. It builds a secure
> > virtual ethernet between multiple endpoints and gateways, rather than a
> > straight end-to-end VPN tunnel. This makes it more resilient to failures
> > of individual nodes participating in the network. I filed an RFP
> > originally, but I've since packaged it for my own use and had it running
> > with no problems for some months, so I believe it's stable enough for
> > the archive.
>
> i'd like to sponsor this package but gvpe has the security idiosyncrasy
> of selecting a single symmetric cipher and digest algorithm at compile
> time, and i'm afraid one of the first bugs filed would be a request for
> more than one cipher/digest combination.
>
> if you're ok with my changes to the package i'd like to sponsor it:
>
> http://people.debian.org/~edmonds/gvpe/gvpe_2.22-1.dsc

Hi,

Jonathan asked me to review this package some days ago, so here is what I ran
into till that moment:

GVPE looks like a fork of tinc which is already in Debian (or at least shares
some code with it), and its source tree carries libev (by the same author)
instead of linking with the libev library provided as a separate package and
already uploaded in Debian. Unfortunately, code dups also mean (security)
bug dups, like that conditional `division by zero' in ev_select.c line 105
which seems to be Windows-specific (NFBITS previously and conditionally defined
as 0).

Also, this would properly deallocate a previously dynamically allocated array
(as found by cppcheck, another package I'm looking at;-)

--- src/slog.C.orig 2009-06-24 23:35:27.000000000 +0300
+++ src/slog.C 2009-06-24 23:35:42.000000000 +0300
@@ -97,7 +97,7 @@
write (2, "\n", 1);
}
- delete msg;
+ delete[] msg;
}
}
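
Review bot: the `delete[] msg;` line is only correct if `msg` is obtained with `new[]`, and that allocation is outside the context shown in this hunk, so it should be checked at the top of the function before the patch is applied. If `msg` is indeed allocated as an array, the mismatched `delete msg;` being removed is undefined behaviour in C++, so the change should also go upstream rather than live only as a Debian patch. A longer-term option is to hold the buffer in an object that frees itself (for example a `std::vector<char>`), which removes the need to pair the allocation and release forms by hand.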
--
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>