Package: redir
Version: 2.2.1-1
Severity: normal

In the course of tweaking the packaging for redir, I found that the copyloop() function in this latest version (2.2.1) seems defective.

In 2.1, copyloop used:

    char buf[4096]

But upstream's copyloop() in 2.2.1 allocates buf like this:

    char buf[bufsize];

where bufsize is a variable int that can be set with the --bufsize argument. To make matters worse, under some conditions redir will attempt to read sizeof(buf) bytes into the buffer. It's unclear what would happen to redir if you used a smaller --bufsize than the default value, but it seems like heap or stack scribbling could be the result, depending on how the compiler treats the nonstandard static allocation. I haven't bothered to try to craft an exploit, though.

I'm hoping to have this fixed shortly with a new revision.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages redir depends on:
ii  libc6     2.3.5-6      GNU C Library: Shared libraries an
ii  libwrap0  7.6.dbs-8    Wietse Venema's TCP wrappers libra

redir recommends no packages.

-- no debconf information
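The shape of copy loop the report argues for, as an added example that is not redir's own copyloop(): the --bufsize value is range-checked before use (the bounds here are hypothetical; the report does not say what redir accepts), the buffer lives on the heap, and the read length is the allocation length itself rather than sizeof() of a separate array or a stale constant.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical bounds for --bufsize; the report does not say what redir itself accepts. */
#define BUFSIZE_DEFAULT 4096
#define BUFSIZE_MIN     16
#define BUFSIZE_MAX     (1L << 20)

/* Clamp a user-supplied --bufsize so neither a tiny nor a huge buffer reaches the copy loop. */
size_t checked_bufsize(long requested)
{
    return (requested < BUFSIZE_MIN || requested > BUFSIZE_MAX) ? BUFSIZE_DEFAULT : (size_t)requested;
}

/* Copy in_fd to out_fd until EOF through a heap buffer of exactly bufsize bytes; the read length
 * is that same variable. Returns bytes copied, or -1 on error (EINTR retries omitted for brevity). */
ssize_t copyloop_fd(int in_fd, int out_fd, size_t bufsize)
{
    char *buf = malloc(bufsize);
    ssize_t total = 0, n;
    if (buf == NULL)
        return -1;
    while ((n = read(in_fd, buf, bufsize)) != 0) {
        if (n < 0) { total = -1; break; }
        for (ssize_t off = 0; off < n; ) {          /* write() may be short */
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0) { total = -1; goto out; }
            off += w;
        }
        total += n;
    }
out:
    free(buf);
    return total;
}

/* Self-check: push a constructed message through two pipes with a 16-byte buffer (several reads). */
int selftest_roundtrip(void)
{
    const char msg[] = "constructed sample payload for the copy loop";
    char got[sizeof msg];
    int in[2], out[2];
    if (pipe(in) != 0 || pipe(out) != 0 || write(in[1], msg, sizeof msg) != (ssize_t)sizeof msg)
        return 0;
    close(in[1]);
    ssize_t copied = copyloop_fd(in[0], out[1], checked_bufsize(16));
    close(out[1]);
    ssize_t back = read(out[0], got, sizeof got);
    return copied == (ssize_t)sizeof msg && back == copied && memcmp(msg, got, sizeof msg) == 0;
}
```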