Zhihan Zheng <[email protected]> writes:

> Hello GNU m4 Maintainer,
>
> I would like to report a potential security issue in m4 1.4.21.
>
> The issue is in the format builtin path. User-controlled width and
> precision values are forwarded into xasprintf in src/format.c:
>
> ```c
> str = xasprintf (fstart, width, prec, ARG_INT (argc, argv));
> ```
>
> That eventually reaches lib/xvasprintf.c, where a failure path prints
> an error and aborts:
>
> ```c
> fprintf (stderr, "vasprintf failed! format=\"%s\", errno=%s\n",
>          format, errname);
> abort ();
> ```
>
> Passing INT_MIN as a width can trigger an EOVERFLOW path and terminate
> the process.
>
> Affected area:
> - src/format.c:246-270
> - src/format.c:365-367
> - lib/xvasprintf.c:97-127
>
> If useful, I can provide a minimal PoC and reproduction output.
>
> If you believe this is a valid security issue, please let me know your
> preferred remediation or coordinated disclosure process. If needed, I
> can also assist with CVE coordination after triage.

I am confused by this report.

If you allow someone to run their m4 scripts on your system, you allow
them to execute whatever shell commands they would like on your system.
This "user-controlled input" causing an abort should be the least of
your concerns.

Are these AI generated?

Collin
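As an added illustration (not m4's own code and not a fix from the project), the following shows the two mitigations that apply to the path the quoted report describes: bounding a caller-supplied width and precision before they reach a printf-family call, and using a non-aborting variant so a formatting failure returns an error instead of terminating the process. The bound SAFE_FIELD_MAX and all function names are assumptions for this example.

```c
#define _GNU_SOURCE /* for vasprintf on glibc */
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a field width/precision taken from a macro argument.
   The name and value are chosen for this example, not m4's own. */
#define SAFE_FIELD_MAX 4096

/* Returns 1 if a caller-supplied width or precision may be forwarded to a
   printf-family call, 0 otherwise.  A negative width means left-justify, so
   the magnitude is what matters; INT_MIN cannot be negated and is rejected
   along with anything else outside the bound. */
int field_ok (long v)
{
  if (v == LONG_MIN)
    return 0;
  long mag = v < 0 ? -v : v;
  return mag <= SAFE_FIELD_MAX;
}

/* Non-aborting counterpart of xasprintf: on failure (e.g. EOVERFLOW) it
   returns NULL with errno left set by vasprintf, rather than printing a
   diagnostic and calling abort().  Caller frees the result. */
char *try_asprintf (const char *fmt, ...)
{
  va_list ap;
  char *out = NULL;
  va_start (ap, fmt);
  int n = vasprintf (&out, fmt, ap);
  va_end (ap);
  return n < 0 ? NULL : out;
}

/* Format one integer with a caller-controlled width and precision, as a
   format builtin would, but refuse out-of-range fields before formatting.
   Returns NULL (errno = EOVERFLOW) when a field is rejected. */
char *format_int_checked (long width, long prec, int value)
{
  if (!field_ok (width) || !field_ok (prec))
    {
      errno = EOVERFLOW;
      return NULL;
    }
  return try_asprintf ("%*.*d", (int) width, (int) prec, value);
}
```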