On Mon, Apr 09, 2018 at 12:21:32AM -0700, Steve Langasek wrote:
> Hi James,

Hey,

> You filed https://bugs.launchpad.net/libtickit/+bug/1744933 about tests
> reporting a buffer overflow in libtickit. It seems you worked around this
> by disabling the hardening flags

Yes, I was hoping to get time to look into _why_ the -1 was being returned
in that scenario, since that should likely be fixed.

> - or at least attempting to, which was
> ineffective in Ubuntu because -D_FORTIFY_SOURCE=2 is a compiler built-in in
> Ubuntu; which is how I noticed this, because the package still failed to
> build in Ubuntu.

Good to know.

> I dug into the build failure, and this looks like a genuine out-of-bounds
> write in the use of FD_SET() in src/term.c (i.e. the source, not the
> tests). An attacker can likely only cause the fd to be set to -1 rather
> than to an arbitrary value, so it's not necessarily exploitable, but the
> code does currently allow for scribbling into memory where it shouldn't, so
> that's not good.

Thanks. I'll send the patch upstream, since the defensive measures are
useful. I'll also see if Paul has some time to look into the root cause.

Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
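The class of bug discussed above, as an added example that is not libtickit's code or the patch referred to in the thread: FD_SET() indexes an fd_set bitmap by descriptor number, so a -1 (or anything at or above FD_SETSIZE) writes outside the array, which is exactly what -D_FORTIFY_SOURCE=2 aborts on. The helper names `safe_fd_set` and `wait_readable` are hypothetical.

```c
#include <sys/select.h>
#include <sys/time.h>
#include <errno.h>
#include <unistd.h>   /* pipe()/write() for exercising the helper */

/* Range-check a descriptor before FD_SET(). A negative fd (for example
 * the -1 left behind by a failed open()) or one >= FD_SETSIZE would
 * otherwise index outside the fd_set bitmap: an out-of-bounds write.
 * Returns 0 on success, -1 with errno = EBADF if fd is not usable. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Hypothetical wait helper: 1 if fd becomes readable within timeout_ms,
 * 0 on timeout, -1 on error. Because the check happens before FD_SET(),
 * an invalid fd is rejected instead of scribbling into memory. */
int wait_readable(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;

    FD_ZERO(&rfds);
    if (safe_fd_set(fd, &rfds) < 0)
        return -1;

    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;

    int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return FD_ISSET(fd, &rfds) ? 1 : 0;
}
```

Compiling the unguarded equivalent with `-O2 -D_FORTIFY_SOURCE=2` and passing -1 reproduces the abort seen in the Ubuntu build; the guarded version fails cleanly with EBADF.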