Adding hydra maintainer to cc, because...

On Tue, Mar 12, 2013 at 16:10:11 +0100, Michael Tautschnig wrote:
> Package: afpfs-ng
> Version: 0.8.1-5
> Severity: critical
> Tags: security
> Justification: user-controllable pointer value
> Usertags: goto-cc
>
> When typechecking the linked binary using our research compiler infrastructure
> it became apparent that various calls to remove_opened_fork pass a struct (of
> type struct afp_file_info) as second argument instead of first taking the
> address thereof. (A simple grep -r remove_opened_fork . suffices to see
> these).
>
> Thus the first 4 or 8 bytes of the struct will be cast to an address, which (on
> little-endian 64-bit systems) includes part of the file creation date. By an
> appropriate choice thereof it may be possible to tweak the pointer to a
> user-defined value, with hard-to-limit consequences.
>
> Fixing the problem is trivial, it just requires inserting address-of
> operators. It could all be diagnosed right at compile time if proper function
> declarations (or included header files) were present.
>
> Best,
> Michael
>
> PS.: The Clang build(-attempt) hints at a number of further problems with this
> code:
> http://clang.debian.net/logs/2013-01-28/afpfs-ng_0.8.1-5_unstable_clang.log

... if this bug doesn't get fixed in the next few days I intend to remove both
afpfs-ng and hydra from wheezy.

Cheers,
Julien
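An added illustration of the bug class described in the report (not code from afpfs-ng; the struct layout, field names and the body of remove_opened_fork are assumed for the demo): with a prototype in scope, `remove_opened_fork(vol, fp)` is rejected at compile time and only `&fp` compiles, whereas without one the callee's pointer parameter receives the first `sizeof(void *)` bytes of the struct, modelled here as the creation-date field.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_OPENED 8

/* Assumed layout: the creation date sits in the first 8 bytes, as the
 * report says the mis-cast pointer "includes part of file creation date". */
struct afp_file_info {
    uint64_t creation_date;
    uint64_t modification_date;
    char     name[64];
};

struct afp_volume {
    struct afp_file_info *opened[MAX_OPENED];
};

/* Proper prototype: passing a struct afp_file_info by value here is a
 * compile error, so the missing '&' cannot go unnoticed. */
static int remove_opened_fork(struct afp_volume *vol, struct afp_file_info *fp)
{
    for (size_t i = 0; i < MAX_OPENED; i++) {
        if (vol->opened[i] == fp) {
            vol->opened[i] = NULL;
            return 1;           /* removed */
        }
    }
    return 0;                   /* not found */
}

/* What an unprototyped by-value call hands the callee as "the pointer":
 * the leading sizeof(void *) bytes of the struct, i.e. caller-visible data. */
static uintptr_t pointer_seen_by_callee(const struct afp_file_info *fp)
{
    uintptr_t p;
    memcpy(&p, fp, sizeof p);
    return p;
}

/* Constructed input: a creation date chosen to show it becomes the address. */
static uintptr_t creation_date_as_pointer_demo(void)
{
    struct afp_file_info fp = { .creation_date = 0x4141414141414141ULL };
    return pointer_seen_by_callee(&fp);   /* == 0x4141414141414141 */
}

/* The fixed call site: address-of operator, the callee gets a real pointer. */
static int fixed_call_demo(void)
{
    struct afp_file_info fp = { .creation_date = 1363100000ULL };
    struct afp_volume vol = { .opened = { &fp } };
    return remove_opened_fork(&vol, &fp);  /* returns 1 */
}
```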