Your message dated Sat, 24 May 2025 20:45:42 +0000
with message-id <e1uivku-0019j4...@fasolo.debian.org>
and subject line Bug#915571: fixed in 4ti2 1.6.11+ds-2
has caused the Debian Bug report #915571,
regarding buffer overflow vulnerabilities in filename management
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
915571: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915571
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: 4ti2
Severity: normal
Dear Maintainer,
I apologise if this is a redundant email.
I had sent a previous bug report. However, in that bug report, the mail
address was jake@Jarvis which is not my email address. Hence, I am
sending the same report with the corrected email address, which is:
jkrshnme...@gmail.com
As a part of an academic project, we have discovered two buffer overflow
vulnerabilities in the `gensymm` binary which is a part of the 4ti2
package.
The first vulnerability occurs in gensymm_main @ src/util/gensymm.c: 146
where user input, which is provided via the command-line argument, is
copied without bounds checking to a buffer named `fileName` of a fixed
size. This buffer, on my 64 bit Ubuntu 16.04, is of size 4096 bytes.
The second vulnerability occurs in the gensymm_main @
src/util/gensymm.c: 173 where the contents of the buffer are appended
with the string ".sym" without checking the size of the buffer.
This buffer is of a fixed size and is 4096 bytes on my system.
If the argument provided by the user is of size 4096 bytes, a total of
4096+4 bytes will be written to the buffer named `outFileName` which
results in an out of bound memory corruption.
Due to compiler enforced protections, these bugs may not be exploitable.
However, on older systems, the compiler may not enforce these protection
mechanisms by default and hence these vulnerabilities can be easily
exploited to gain arbitrary code execution.
The first vulnerability can be replicated by using the following
command:
`./gensymm 1 2 3 4 $(python -c 'print "A"*0x2000')`
Running this command results in the following output:
-------------------------------------------------
4ti2 version 1.6.9
Copyright 1998, 2002, 2006, 2015 4ti2 team.
4ti2 comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome
to redistribute it under certain conditions.
For details, see the file COPYING.
-------------------------------------------------
*** buffer overflow detected ***: ./gensymm terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7dd6f907e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f7dd703215c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7f7dd7030160]
/lib/x86_64-linux-gnu/libc.so.6(+0x116405)[0x7f7dd702f405]
./gensymm[0x400dcc]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7dd6f39830]
./gensymm[0x400ba9]
.
.
.
Aborted (core dumped)
Some of the output has been omitted for brevity.
The second vulnerability can be replicated by using the following
command:
`./gensymm 1 2 3 4 $(python -c 'print "A"*0xfff')`
Running this command results in the following output:
-------------------------------------------------
4ti2 version 1.6.9
Copyright 1998, 2002, 2006, 2015 4ti2 team.
4ti2 comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome
to redistribute it under certain conditions.
For details, see the file COPYING.
-------------------------------------------------
Error opening generator file for output.
Here the binary does not crash since the saved return address has not
been overwritten. However, this depends upon the compiler and may not
always be unexploitable.
These vulnerabilities can easily be fixed by using the secure versions of
these library functions, such as `strncpy` instead of `strcpy` and
`strncat` instead of `strcat`.
Please investigate this issue.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-139-generic (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
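The two bugs in the report above have the same shape: a fixed 4096-byte buffer receives a command-line string via `strcpy`, and then `strcat` appends ".sym" with no check that the four extra bytes (plus the terminator) still fit. The following is an added example, not code from the bug report or from the 4ti2 sources, showing two defensive ways to build such a name. The function names `build_sym_name` and `build_sym_name_alloc`, the constant `NAME_BUF_SIZE` and the demo `main` are assumptions made for this illustration. It uses `snprintf` rather than `strncpy`/`strncat` because `snprintf` always NUL-terminates and reports the length it would have needed, so truncation is detected instead of silently producing a bogus name; the heap-allocating variant mirrors the approach the Debian patch name (`strcpycat2asprintf`) points to, written with portable `malloc` + `snprintf` instead of the GNU `asprintf`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed buffer size, matching the 4096-byte buffers the report describes
   (constant name is an assumption for this example). */
#define NAME_BUF_SIZE 4096

/* Build "<base>.sym" into a caller-supplied fixed-size buffer.
 * snprintf never writes more than out_size bytes and always NUL-terminates
 * when out_size > 0, so an oversized input is detected rather than
 * corrupting adjacent memory. Returns 0 on success, -1 if the result
 * would not fit (the buffer is then left as an empty string). */
int build_sym_name(char *out, size_t out_size, const char *base)
{
    if (out == NULL || base == NULL || out_size == 0)
        return -1;
    int n = snprintf(out, out_size, "%s.sym", base);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';          /* do not leave a partial name behind */
        return -1;
    }
    return 0;
}

/* Alternative: size the buffer to the input instead of the input to the
 * buffer. Portable malloc + snprintf standing in for asprintf; the caller
 * must free() the result. Returns NULL on allocation failure. */
char *build_sym_name_alloc(const char *base)
{
    if (base == NULL)
        return NULL;
    size_t len = strlen(base) + sizeof(".sym");   /* sizeof includes the NUL */
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    snprintf(out, len, "%s.sym", base);
    return out;
}

/* Stand-alone demo (hypothetical CLI): base name comes from argv[1],
   exactly the input path the report's reproduction commands exercise. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <basename>\n", argv[0]);
        return 2;
    }
    char fixed[NAME_BUF_SIZE];
    if (build_sym_name(fixed, sizeof fixed, argv[1]) != 0) {
        /* Longest base that still fits: 4096 - strlen(".sym") - 1 = 4091 */
        fprintf(stderr, "error: file name too long (max %zu bytes)\n",
                sizeof fixed - sizeof(".sym"));
        return 1;
    }
    printf("fixed buffer: %s\n", fixed);

    char *dyn = build_sym_name_alloc(argv[1]);
    if (dyn == NULL)
        return 1;
    printf("heap buffer:  %s\n", dyn);
    free(dyn);
    return 0;
}
```

With a 4095-byte argument like the report's second reproduction (`"A"*0xfff`), `build_sym_name` returns -1 and the program exits with a clear error instead of writing 4100 bytes into a 4096-byte buffer; the heap variant simply allocates 4100 bytes and succeeds.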
--- Begin Message ---
Source: 4ti2
Source-Version: 1.6.11+ds-2
Done: Jerome Benoit <calcu...@rezozer.net>
We believe that the bug you reported is fixed in the latest version of
4ti2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 915...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jerome Benoit <calcu...@rezozer.net> (supplier of updated 4ti2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 24 May 2025 19:36:06 +0000
Source: 4ti2
Architecture: source
Version: 1.6.11+ds-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Math Team <team+m...@tracker.debian.org>
Changed-By: Jerome Benoit <calcu...@rezozer.net>
Closes: 915571
Changes:
4ti2 (1.6.11+ds-2) experimental; urgency=medium
.
* Debianization:
- d/patches/*:
- d/p/upstream-harden-strcpycat2asprintf.patch, thanks to Jake
<jkrshnme...@gmail.com> for reporting the issue (Closes: #915571);
- d/p/upstream-autogen_sh-swig.patch, introduce;
- d/lib4ti2-0t64.lintian-overrides, correct.
Checksums-Sha1:
7fc495172f980a60e6869af9d4233b3cda81ca84 2971 4ti2_1.6.11+ds-2.dsc
f30241abf4de2687ef3cc5e25bd52583bdfddf8d 21396 4ti2_1.6.11+ds-2.debian.tar.xz
0daf363d0cb8f35c54bfe4c191698747af4f32ab 7385 4ti2_1.6.11+ds-2_source.buildinfo
Checksums-Sha256:
d24712bb59128b30a3b25117fa68c57192cf2c268f4293319ead3fba7398878c 2971 4ti2_1.6.11+ds-2.dsc
2780d598b913cffa287e11d58679c0cb8d54c195183f7290e788256d20c20f4c 21396 4ti2_1.6.11+ds-2.debian.tar.xz
37476500dd23b5e3178cb58112773efbb3e77527a66f28328b37c15073e63223 7385 4ti2_1.6.11+ds-2_source.buildinfo
Files:
ccaae8b49445a7d16548ab7ee66321c7 2971 math optional 4ti2_1.6.11+ds-2.dsc
22343c4f92e07eb37e29accdd2bc4baf 21396 math optional 4ti2_1.6.11+ds-2.debian.tar.xz
66b4c72f758f372fab2dc59bc7838cfb 7385 math optional 4ti2_1.6.11+ds-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---