On Sat, Feb 03, 2024 at 04:30:58PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sat, Feb 03, 2024 at 04:29:17PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Wed, Jan 31, 2024 at 10:05:04AM +0100, Robert Luberda wrote:
> > > clone 1021738 -1
> > > retitle 1021738 man2html: CVE-2021-40647
> > > tags 1021738 +pending
> > > retitle -1 man2html: CVE-2021-40648
> > > tags -1 +moreinfo
> > > thanks
> > > 
> > > Moritz Mühlenhoff writes:
> > > 
> > > Hi
> > > 
> > > First of all I'm sorry for not taking care of it earlier; I didn't have
> > > time for Debian work in the previous year.
> > > 
> > > > The following vulnerabilities were published for man2html.
> > > > 
> > > > CVE-2021-40647[0]:
> > > 
> > > Ok, this is quite easy to fix, I will upload a fixed version soon.
> > > 
> > > > CVE-2021-40648[1]:
> > > > | In man2html 1.6g, a filename can be created to overwrite the previous
> > > > | size parameter of the next chunk and the fd, bk, fd_nextsize,
> > > 
> > > According to the instructions given at
> > > https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
> > > I tried to reproduce this with the following commands:
> > > 
> > >   file=$(perl -e 'print "A" x 132')
> > >   touch $file
> > >   man2html $file
> > > 
> > > I used man2html built with AddressSanitizer and it found only a few small
> > > memory leaks coming from global variables.
> > > 
> > > So I have no idea what really is wrong in this CVE. The source code
> > > references given at the above link actually refer to calls to the
> > > fopen()/fclose() functions rather than directly to malloc() and free().
> > 
> > I tried to get an idea from the report, but I failed tbh. I asked
> > though at
> > https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933?permalink_comment_id=4872855#gistcomment-4872855
> > 
> > But maybe, as this won't crash the program, we could mark it as
> > unimportant and having a negligible security impact.
> 
> This should have actually gone to #1062069.
There was a followup at
https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933?permalink_comment_id=5226339#gistcomment-5226339

I'm marking the CVE as unimportant now in the tracker.

Regards,
Salvatore