
Bug#961429: RFS: cryptopass/1.0.0-1 [ITP] -- CLI utility for generating long, unguessable passwords.

Hi Matthew!

>This prompted me to take a quick look at the source. There are multiple trivially exploitable buffer overflows in this code. E.g. src/cryptopass.c:147-149 [0]:
>
>    usernamelen = strlen(argv[1]);
>    memcpy(username, argv[1], usernamelen);
>
>You could argue this program is only intended to receive input from a trusted user, but is a user meant to comprehend that passing large command line arguments results in memory corruption? Obviously everyone is free to develop code how they like, but IMHO security packages should be using fuzz testing, which would easily find this issue. AFAICT this code base has no test suite. I would suggest adding one as well as fuzzing this code before exposing the downstream public to it.
>
>  [0]: https://github.com/basilgello/cryptopass/blob/master/src/cryptopass.c#L147-L149

Ouch! That was kinda chilling! :) Finding bugs for others does not guarantee you won't make your own.

> I would suggest adding one as well as fuzzing this code before exposing the downstream public to it.

Will fix the issues and add a test suite && fuzz corpus ASAP.

BTW I fixed all the stuff GCC 8.3.0 reported to me with FORTIFY_SOURCE=2 before pushing code to GitHub.
Did you use GCC 10?

Cheers,
-- 
Vasyl Gello
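A bounded replacement for the quoted strlen()+memcpy() copy, together with the libFuzzer-style harness the review asks for, as an added illustration rather than code from cryptopass or from either poster; the USERNAME_MAX size and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: cryptopass keeps the username in a fixed-size array; the quoted
 * snippet copies strlen(argv[1]) bytes into it without checking that size. */
#define USERNAME_MAX 64

/* Bounded replacement for the quoted copy: rejects any input that does not
 * fit together with its terminator, never reads more than dstsz bytes of src,
 * and always leaves dst NUL-terminated. Returns 0 on success, -1 on rejection. */
int copy_username(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    /* Look for the terminator within the destination size only. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL)
        return -1;                  /* strlen(src) >= dstsz: would overflow */
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* libFuzzer-style harness, the kind of test the review suggests. Build with
 * "clang -g -fsanitize=fuzzer,address" and run the binary: AddressSanitizer
 * reports any out-of-bounds write, so an unbounded copy fails on the first
 * oversized input while copy_username() simply rejects it. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char username[USERNAME_MAX];
    char *input = malloc(size + 1);  /* fuzzer data is not NUL-terminated */
    if (input == NULL)
        return 0;
    memcpy(input, data, size);
    input[size] = '\0';
    (void)copy_username(username, sizeof username, input);
    free(input);
    return 0;                        /* libFuzzer expects 0 */
}
```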