
Bug#858178: uuidcdef: buffer overflow



tags 858178 + patch
thanks

This is correctly diagnosing a buffer which is too small.
The length of the data written to the buffer is always constant
(20 bytes more than the length of the buffer) and not under
user control, so there is probably not a security problem here.

A patch, to increase the length of the buffer, is attached.

--- xplc-0.3.13.orig/uuid/bin/uuidgen.c
+++ xplc-0.3.13/uuid/bin/uuidgen.c
@@ -239,7 +239,7 @@ int parse_conf(int argc, char** argv, st
 
 
 typedef const char* (*uuid_output_fn_t)(const uuid_t);
-static char uuid_unparse_buf[60];
+static char uuid_unparse_buf[80];
 const char* uuid_unparse_x_(const uuid_t uuid) {
   /* This function implicitly trusts uuid_unparse. */
   unsigned int a, b, c, d, e, f, g, h, i, j, k;
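Review bot: The new size in `static char uuid_unparse_buf[80];` is repeated as the hard-coded index in the second hunk (`uuid_unparse_buf[79] = '\0';`), so the two literals still have to be kept in step by hand. Writing the terminator as `uuid_unparse_buf[sizeof uuid_unparse_buf - 1] = '\0';` ties it to the declaration, and a one-line comment on the declaration saying how 80 follows from the output format would let a reader verify the length. The call that fills the buffer lies between the two hunks and is not visible here; if it is not already bounded by `sizeof uuid_unparse_buf`, bounding it would make a later format change truncate instead of writing past the end of the static array. uuid_unparse_x_ begins in this hunk and continues beyond both hunks.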
@@ -249,7 +249,7 @@ const char* uuid_unparse_x_(const uuid_t
                "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
                &a, &b, &c, &d, &e, &f, &g, &h, &i, &j, &k);
   if(ret != 11) {
-    uuid_unparse_buf[59] = '\0';
+    uuid_unparse_buf[79] = '\0';
     fprintf(stderr,
             "%s: libuuid error at %s:%d\n", program, __FILE__, __LINE__);
     fprintf(stderr,

