
Bug#919682: marked as done (RFP: safeclib -- safec libc extension with all C11 Annex K functions)

Your message dated Sun, 20 Jan 2019 22:35:55 +0000
with message-id <E1glLh5-00045Z-58@fasolo.debian.org>
and subject line Bug#919682: fixed in redis 5:5.0.3-4
has caused the Debian Bug report #919682,
regarding RFP: safeclib -- safec libc extension with all C11 Annex K functions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

919682: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919682
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist

* Package name    : safeclib
  Version         : 3.4.0
  Upstream Author : Reini Urban rurban@cpan.org
* URL             : https://github.com/rurban/safeclib/
* License         : MIT like
  Programming Lang: C
  Description     : safec libc extension with all C11 Annex K functions

This library implements the secure C11 Annex K functions on top of most libc
implementations, which are missing from them.

The ISO TR24731 Bounds Checking Interface documents indicate that the key
motivation for the new specification is to help mitigate the ever increasing
security attacks, specifically the buffer overrun.

The rationale document says ``Buffer overrun attacks continue to be a security
problem. Roughly 10% of vulnerability reports cataloged by CERT from
01/01/2005 to 07/01/2005 involved buffer overflows. Preventing buffer overruns
is the primary, but not the only, motivation for this technical report.''

The rationale document continues ``that these only mitigate, that is lessen,
security problems. When used properly, these functions decrease the danger of
buffer overrun attacks. Source code may remain vulnerable due to other bugs
and security issues. The highest level of security is achieved by building in
layers of security utilizing multiple strategies.''

The rationale document lists the following key points for TR24731:
- Guard against overflowing a buffer
- Do not produce unterminated strings
- Do not unexpectedly truncate strings
- Provide a library useful to existing code
- Preserve the null terminated string datatype
- Only require local edits to programs
- Library based solution
- Support compile-time checking
- Make failures obvious
- Zero buffers, null strings
- Runtime-constraint handler mechanism
- Support re-entrant code
- Consistent naming scheme
- Have a uniform pattern for the function parameters and return type
- Deference to existing technology

and the following can be added...

- provide a library of functions with like behavior
- provide a library of functions that promote and increase code safety and
- provide a library of functions that are efficient

The C11 Standard adopted many of these points, and added some secure
`_s` variants in the Annex K.  The Microsoft Windows/MINGW secure API
did the same, but deviated in some functions from the standard.
Besides Windows (with its msvcrt, ucrt, reactos msvcrt and wine msvcrt
variants) only the unused stlport, Android's Bionic and Embarcadero
implemented this C11 secure Annex K API so far.  They are still
missing from glibc, musl, FreeBSD, darwin and DragonFly libc, OpenBSD
libc, newlib, dietlibc, uClibc, minilibc.

--- End Message ---
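The calling convention the request describes for the Annex K `_s` functions (an `rsize_t` bound on the destination, an `errno_t` return, a runtime-constraint handler, and a destination that is never left unterminated or partially written) is easier to see in code than in the rationale's bullet list. The following is an added example written for this page; it is not code from the bug report or from safeclib. It re-implements `strcpy_s` semantics from scratch under the names `ex_strcpy_s`, `ex_set_constraint_handler` and friends (all this example's own), and the `RSIZE_MAX` value is an assumption, since Annex K leaves it implementation-defined. The `ex_strncpy_terminated` helper shows the pre-Annex-K `strncpy` idiom that the rationale's "do not produce unterminated strings" point is aimed at.

```c
/* Added example of the C11 Annex K bounds-checking pattern. Not safeclib
 * code; every ex_ name is this example's own. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef __STDC_LIB_EXT1__
/* glibc does not ship Annex K, so supply the two types and the cap here.
 * Annex K leaves RSIZE_MAX implementation-defined; 1 GiB is assumed. */
typedef size_t rsize_t;
typedef int errno_t;
#define RSIZE_MAX ((rsize_t)1 << 30)
#endif

/* Same shape as Annex K's constraint_handler_t. */
typedef void (*ex_constraint_handler_t)(const char *msg, void *ptr, errno_t err);

static unsigned long ex_violations;  /* violations reported so far */
static char ex_last_msg[96];         /* text of the most recent one */

/* Default handler: record and log rather than abort, so the caller still
 * sees the error code. Annex K lets the implementation choose the default. */
static void ex_log_handler(const char *msg, void *ptr, errno_t err)
{
    (void)ptr;
    ex_violations++;
    snprintf(ex_last_msg, sizeof ex_last_msg, "%s", msg);
    fprintf(stderr, "runtime-constraint violation: %s (errno %d)\n", msg, err);
}

static ex_constraint_handler_t ex_handler = ex_log_handler;

/* Mirrors set_constraint_handler_s(): install a handler, return the old one. */
ex_constraint_handler_t ex_set_constraint_handler(ex_constraint_handler_t h)
{
    ex_constraint_handler_t old = ex_handler;
    ex_handler = h ? h : ex_log_handler;
    return old;
}

unsigned long ex_violation_count(void) { return ex_violations; }
const char *ex_last_violation(void) { return ex_last_msg; }

/* Report a violation. A valid destination is reset to the empty string so it
 * is never left partially written or unterminated ("zero buffers, null
 * strings" in the rationale's list). */
static errno_t ex_fail(const char *msg, char *dest, rsize_t dmax, errno_t err)
{
    if (dest != NULL && dmax > 0 && dmax <= RSIZE_MAX)
        dest[0] = '\0';
    ex_handler(msg, dest, err);
    return err;
}

/* strcpy_s semantics: copy src into dest only if it fits, terminator
 * included, within dmax bytes and the buffers do not overlap. Returns 0 on
 * success, otherwise an errno value after the handler has been called. */
errno_t ex_strcpy_s(char *dest, rsize_t dmax, const char *src)
{
    if (dest == NULL)
        return ex_fail("strcpy_s: dest is NULL", NULL, 0, EINVAL);
    if (dmax == 0 || dmax > RSIZE_MAX)
        return ex_fail("strcpy_s: dmax is 0 or exceeds RSIZE_MAX", NULL, 0, ERANGE);
    if (src == NULL)
        return ex_fail("strcpy_s: src is NULL", dest, dmax, EINVAL);

    /* Bounded length scan: never read past dmax bytes of src. */
    size_t n = 0;
    while (n < dmax && src[n] != '\0')
        n++;
    if (n >= dmax)
        return ex_fail("strcpy_s: src does not fit in dest", dest, dmax, ERANGE);

    /* Overlap of [dest, dest+dmax) with [src, src+n+1), compared as integers. */
    uintptr_t d = (uintptr_t)dest, s = (uintptr_t)src;
    if ((d <= s && s < d + dmax) || (s <= d && d < s + n + 1))
        return ex_fail("strcpy_s: dest and src overlap", dest, dmax, EINVAL);

    memcpy(dest, src, n + 1);  /* n bytes plus terminator, both proven to fit */
    return 0;
}

/* The pre-Annex-K idiom: strncpy fills dest but does not terminate it when
 * src is too long. Returns 1 if dest ended up NUL-terminated, 0 if not. */
int ex_strncpy_terminated(char *dest, size_t dmax, const char *src)
{
    strncpy(dest, src, dmax);
    return memchr(dest, '\0', dmax) != NULL;
}

/* Scenario helpers; each returns 1 when the behaviour described above holds. */
int ex_demo_fits(void)     { char b[8]; return ex_strcpy_s(b, sizeof b, "abc") == 0 && strcmp(b, "abc") == 0; }
int ex_demo_too_long(void) { char b[8] = "xxxxxxx"; return ex_strcpy_s(b, sizeof b, "0123456789") == ERANGE && b[0] == '\0'; }
int ex_demo_overlap(void)  { char b[16] = "overlap"; return ex_strcpy_s(b, sizeof b, b + 2) == EINVAL; }
int ex_demo_unterminated(void) { char b[8]; return ex_strncpy_terminated(b, sizeof b, "0123456789") == 0; }

int main(void)
{
    printf("fits=%d too_long=%d overlap=%d strncpy_unterminated=%d\n",
           ex_demo_fits(), ex_demo_too_long(), ex_demo_overlap(), ex_demo_unterminated());
    printf("violations=%lu last=\"%s\"\n", ex_violation_count(), ex_last_violation());
    return 0;
}
```

Two points worth noting for anyone relying on a real Annex K implementation: the default handler is implementation-defined (MSVC's aborts, safeclib's is configurable), so portable code installs its own; and because a violation clears the destination, a caller that ignores the `errno_t` return and keeps using the buffer will see an empty string rather than a crash, which is the "make failures obvious" trade-off the rationale accepts.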
--- Begin Message ---
Source: redis
Source-Version: 5:5.0.3-4

We believe that the bug you reported is fixed in the latest version of
redis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Chris Lamb <lamby@debian.org> (supplier of updated redis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 20 Jan 2019 22:23:41 +0000
Source: redis
Binary: redis redis-sentinel redis-server redis-tools
Built-For-Profiles: nocheck
Architecture: source amd64 all
Version: 5:5.0.3-4
Distribution: unstable
Urgency: medium
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 redis      - Persistent key-value database with network interface (metapackage)
 redis-sentinel - Persistent key-value database with network interface (monitoring)
 redis-server - Persistent key-value database with network interface
 redis-tools - Persistent key-value database with network interface (client)
Closes: 919682
Changes:
 redis (5:5.0.3-4) unstable; urgency=medium
   [ Helmut Grohne ]
   * Fix cross build failure by building the non-bundled Lua libraries via
     dh_auto_build. (Closes: #919682)
Checksums-Sha1:
 fece26831810f1241ce9df4831a017be724df933 2151 redis_5.0.3-4.dsc
 953dc20564bf1341972d4045996429ae28785189 26208 redis_5.0.3-4.debian.tar.xz
 8fe269e1ed7a382b566ccc5b057d4c220fd0b723 52380 redis-sentinel_5.0.3-4_amd64.deb
 78f3b10b594e18e51841ece4d9d3888fc627123e 78260 redis-server_5.0.3-4_amd64.deb
 ad1a66624662d745f35f64ffbdca790bdecfffed 1234740 redis-tools-dbgsym_5.0.3-4_amd64.deb
 c268843711cda25078ef93aadd430ed6b06b7ab0 522560 redis-tools_5.0.3-4_amd64.deb
 43a3c41639665cc3afd866a54aca5f08c7eee0fd 45004 redis_5.0.3-4_all.deb
 57882d1f1b958d748103f424a4f3abb681fb3982 6691 redis_5.0.3-4_amd64.buildinfo
Checksums-Sha256:
 f8e2edd32a20e33d0bc7e108e32c5dc48ee78d58e7af2039e5e13feba75a9b8e 2151 redis_5.0.3-4.dsc
 16c0c12db195aa4109cc267ba4c73e893e5b170048bcdcce6ccc57a1aaac0e5e 26208 redis_5.0.3-4.debian.tar.xz
 a93b5801e4e506572fa51e1cad147a790dc46875616149b5f76b57fb9524085e 52380 redis-sentinel_5.0.3-4_amd64.deb
 fdffa20331ccade48ad519eb841255b24f138b072017253e733ffc4788a6eb66 78260 redis-server_5.0.3-4_amd64.deb
 86b1c9388d75a443c2c656350b4fc31fca14f601c79e080481fb7af1a4301448 1234740 redis-tools-dbgsym_5.0.3-4_amd64.deb
 2c2e4a582c88881ba8cbdff282680338552a8dcb1ac872032f824862dd0cfb7a 522560 redis-tools_5.0.3-4_amd64.deb
 c9514c2565828aea697e4db2d98e1eb4969dff8ef152ebd8e7f5d0f9cc57b462 45004 redis_5.0.3-4_all.deb
 dd32dcde0c8baf0b67adc6a51551332d409782f3e514f727039738f748ab23bc 6691 redis_5.0.3-4_amd64.buildinfo
Files:
 95ec9fc9f2b4b890e2b48ba9313c538b 2151 database optional redis_5.0.3-4.dsc
 86d00ce9f215cc04e854bf5da2e34158 26208 database optional redis_5.0.3-4.debian.tar.xz
 08a2f9fa5a555319347e2a376dbcaf87 52380 database optional redis-sentinel_5.0.3-4_amd64.deb
 f5d82b811e9ba19e312e9a971aec998f 78260 database optional redis-server_5.0.3-4_amd64.deb
 e7c1fc6324b5f1efaa1b99cbfcfb3bf1 1234740 debug optional redis-tools-dbgsym_5.0.3-4_amd64.deb
 1cfd258a0b99269332fdfa7ddc560710 522560 database optional redis-tools_5.0.3-4_amd64.deb
 df91bcf1b9490b5147743ab6dc38eb82 45004 database optional redis_5.0.3-4_all.deb
 3563eff07f21d026c132dbb306fea641 6691 database optional redis_5.0.3-4_amd64.buildinfo
--- End Message ---