
Bug#919682: marked as done (RFP: safeclib -- safec libc extension with all C11 Annex K functions)



Your message dated Sun, 11 Aug 2019 11:00:16 +0000
with message-id <E1hwlaC-0001kk-Sg@fasolo.debian.org>
and subject line Bug#919682: fixed in safeclib 3.5-1
has caused the Debian Bug report #919682,
regarding RFP: safeclib -- safec libc extension with all C11 Annex K functions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
919682: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919682
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: wnpp
Severity: wishlist

* Package name    : safeclib
  Version         : 3.4.0
  Upstream Author : Reini Urban rurban@cpan.org
* URL             : https://github.com/rurban/safeclib/
* License         : MIT like
  Programming Lang: C
  Description     : safec libc extension with all C11 Annex K functions

This library implements the secure C11 Annex K functions on top of most libc
implementations, which are missing from them.

The ISO TR24731 Bounds Checking Interface documents indicate that the key
motivation for the new specification is to help mitigate the ever increasing
security attacks, specifically the buffer overrun.

The rationale document says ``Buffer overrun attacks continue to be a security
problem. Roughly 10% of vulnerability reports cataloged by CERT from
01/01/2005 to 07/01/2005 involved buffer overflows. Preventing buffer overruns
is the primary, but not the only, motivation for this technical report.''

The rationale document continues ``that these only mitigate, that is lessen,
security problems. When used properly, these functions decrease the danger
buffer overrun attacks. Source code may remain vulnerable due to other bugs
and security issues. The highest level of security is achieved by building in
layers of security utilizing multiple strategies.''

The rationale document lists the following key points for TR24731:
- Guard against overflowing a buffer
- Do not produce unterminated strings
- Do not unexpectedly truncate strings
- Provide a library useful to existing code
- Preserve the null terminated string datatype
- Only require local edits to programs
- Library based solution
- Support compile-time checking
- Make failures obvious
- Zero buffers, null strings
- Runtime-constraint handler mechanism
- Support re-entrant code
- Consistent naming scheme
- Have a uniform pattern for the function parameters and return type
- Deference to existing technology

and the following can be added...

- provide a library of functions with like behavior
- provide a library of functions that promote and increase code safety and
  security
- provide a library of functions that are efficient

The C11 Standard adopted many of these points, and added some secure
`_s` variants in the Annex K.  The Microsoft Windows/MINGW secure API
did the same, but deviated in some functions from the standard.
Besides Windows (with its msvcrt, ucrt, reactos msvcrt and wine msvcrt
variants) only the unused stlport, Android's Bionic and Embarcadero
implemented this C11 secure Annex K API so far.  They are still
missing from glibc, musl, FreeBSD, darwin and DragonFly libc, OpenBSD
libc, newlib, dietlibc, uClibc, minilibc.

--- End Message ---
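
Several of the key points listed in the request above (guard against overflow, no unterminated strings, no unexpected truncation, zeroed destination on failure, a runtime-constraint handler) can be seen in one bounded copy routine. The following is an added example, not safeclib's code and not part of the original messages; `demo_strcpy_s`, `demo_handler`, `demo_fail` and the `DEMO_*` codes are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names and error codes for this example; not safeclib's own. */
enum { DEMO_OK = 0, DEMO_ENULL, DEMO_EZERO, DEMO_ENOSPC };

static int demo_violations;                 /* bumped by the handler */

/* Runtime-constraint handler: one place where every failure is reported. */
static void demo_handler(const char *msg, int err) {
    fprintf(stderr, "constraint violation %d: %s\n", err, msg);
    demo_violations++;
}

static int demo_fail(char *dest, const char *msg, int err) {
    if (dest) dest[0] = '\0';               /* failed copy leaves "" behind */
    demo_handler(msg, err);
    return err;
}

/* Copy src into dest[dmax]: no overflow, no truncation, always terminated.
 * Not checked here: overlapping buffers and the RSIZE_MAX upper limit. */
int demo_strcpy_s(char *dest, size_t dmax, const char *src) {
    if (dest == NULL) return demo_fail(NULL, "dest is null", DEMO_ENULL);
    if (dmax == 0)    return demo_fail(NULL, "dmax is zero", DEMO_EZERO);
    if (src == NULL)  return demo_fail(dest, "src is null", DEMO_ENULL);
    size_t n = 0;
    while (n < dmax && src[n] != '\0') n++; /* bounded length scan */
    if (n == dmax)    return demo_fail(dest, "src does not fit", DEMO_ENOSPC);
    memcpy(dest, src, n + 1);               /* n + 1 <= dmax, includes NUL */
    return DEMO_OK;
}

/* Contrast: strncpy() fills the buffer and silently drops the terminator. */
int strncpy_unterminated(void) {
    char buf[4];
    strncpy(buf, "ABCDEFGH", sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void) {
    char buf[8];
    printf("fits:     %d\n", demo_strcpy_s(buf, sizeof buf, "1234567"));
    printf("too long: %d, dest=\"%s\"\n", demo_strcpy_s(buf, sizeof buf, "12345678"), buf);
    printf("strncpy unterminated: %d\n", strncpy_unterminated());
    return 0;
}
```
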
--- Begin Message ---
Source: safeclib
Source-Version: 3.5-1

We believe that the bug you reported is fixed in the latest version of
safeclib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Borowski <kilobyte@angband.pl> (supplier of updated safeclib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 04 Jul 2019 02:02:45 +0200
Source: safeclib
Binary: libsafec-3.5-3 libsafec-3.5-3-dbgsym libsafec-dev
Architecture: source amd64
Version: 3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Adam Borowski <kilobyte@angband.pl>
Changed-By: Adam Borowski <kilobyte@angband.pl>
Description:
 libsafec-3.5-3 - "safe" C libc extensions (Annex K)
 libsafec-dev - "safe" C libc extensions (Annex K) - dev
Closes: 919682
Changes:
 safeclib (3.5-1) unstable; urgency=medium
 .
   * Initial release (Closes: #919682)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
