Today I spent a while fixing some more segfault bugs. I guess that this work qualifies as either fixing RC bugs, or potential security bugs.
Anyway I did an NMU of libpam-tmpdir a while back to fix all but one of the open bugs against it.
I provided a patch for #461625 yelp: segfault while loading info documentation, which fixes the symptoms of bad info-parsing, and avoids the segfault.
I also looked into the #466771 busybox cpio: double free or corruption during cpio extraction of hardlinks - but it turns out that was already fixed in Sid.
Finally I found a segfault bug open against ftp:
- ftp: GET segfaults. Buffer overflow?
- Buffer overflow: command buffer size is not checked (Almost certainly a duplicate bug.)
To reproduce this bug run:
    skx@gold:~$ ftp ftp.debian.org
    220 saens.debian.org FTP server (vsftpd)
    Name (ftp.debian.org:skx): anonymous
    331 Please specify the password
    Password: foo@bar.com
    ftp> cd debian/doc
    250 Directory successfully changed.
    ftp> get dedication-2.2.cn.txt dedication-2.2.de.txt dedication-2.2.es.txt ..
    local: dedication-2.2.de.txt remote: dedication-2.2.cn.txt
    Segmentation fault
You need to repeat the arguments about 50 times: keep adding more copies of the three filenames to the line until you get the crash.
It isn't interesting as a security issue, as it is client side only; but as a trivially reproducible issue it becomes fun to solve.
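For illustration, here is the bounds-checked way to assemble such a command line. This is an added example written for this entry, not code from the ftp package; the buffer size and function names are assumptions, and the unchecked original is the pattern the bug title describes.

```c
#include <stdio.h>
#include <string.h>

#define CMDBUF 256   /* assumed fixed command-line buffer size (hypothetical) */

/* Join argv-style tokens into buf with single spaces, the way an FTP
 * client rebuilds a "get a b c ..." line before parsing it.  Returns
 * the line length on success, or -1 if the joined line (plus NUL)
 * would not fit, leaving buf untouched.  This up-front size check is
 * the piece the bug report says is missing. */
int join_cmd(char *buf, size_t bufsz, const char **argv, int argc)
{
    size_t need = 0;
    for (int i = 0; i < argc; i++)
        need += strlen(argv[i]) + 1;      /* token plus space, or final NUL */
    if (need == 0 || need > bufsz)
        return -1;
    size_t off = 0;
    for (int i = 0; i < argc; i++) {
        size_t n = strlen(argv[i]);
        memcpy(buf + off, argv[i], n);
        off += n;
        buf[off++] = (i + 1 < argc) ? ' ' : '\0';
    }
    return (int)(off - 1);
}

/* Rebuild the reporter's test case: "get" followed by the three
 * dedication files repeated `reps` times.  Returns 1 if the line fits
 * the buffer, 0 if it is rejected (where the unchecked code crashed). */
int repeated_get_fits(int reps)
{
    static const char *files[] = {
        "dedication-2.2.cn.txt", "dedication-2.2.de.txt", "dedication-2.2.es.txt"
    };
    const char *argv[1 + 3 * 60];
    int argc = 0;
    argv[argc++] = "get";
    for (int r = 0; r < reps && argc + 3 <= (int)(sizeof argv / sizeof argv[0]); r++)
        for (int f = 0; f < 3; f++)
            argv[argc++] = files[f];
    char line[CMDBUF];
    return join_cmd(line, sizeof line, argv, argc) >= 0;
}
```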
I mailed the maintainer of FTP and said unless I heard differently I'd NMU and cleanup the package in a week.
All being well this entry will be nicely truncated in the RSS feeds as support for the <cut> tag was the main new feature in my previous upload of chronicle - the blog compiler I use/wrote/maintain.
ObQuote: Razor Blade Smile