Your message dated Sun, 4 Dec 2022 21:17:14 +0530
with message-id <[email protected]>
and subject line Re: perm -- Buffer overflows
has caused the Debian Bug report #993019,
regarding perm -- Buffer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993019: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993019
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perm
Version: 0.4.0-5
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Hi,
This bug report is being done as a reference point for perm to be processed with the corresponding CVE (also as a reference point for MITRE).

This bug was actually discovered very publicly on a mailing list itself[1], and here is the unblock bug[2].

So, automated tests (autopkgtests) were added to perm, to run on test data that can be found here[3]. On propagating a hardening flag, particularly -D_FORTIFY_SOURCE=2, this started to give buffer overflow errors, as can be seen here[4].

I did a patch[5], and uploaded the fixed version 0.4.0-7 which fixes the issue at hand[6].

Now, when I tried contacting upstream, I realised that upstream sources are not present anywhere, and that has probably been the case for several years, as is also apparent from the copyright file[7].

I did see an email address there (Yangho Chen et al. <[email protected]>), and I sent an email there asking for it and also reporting the security issue, but so far there has been no response for several days and I think it is safe to assume that upstream development for this software is dead.

Overall, this software was in fact vulnerable, and the vulnerability can be tested by running:

$ perm Ref.fasta Reads.fasta -v 100 -A -o out.sam

as given in the test data linked below, and the corresponding CI

[1]: https://lists.debian.org/debian-med/2021/08/msg00016.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991841
[3]: https://salsa.debian.org/med-team/perm/-/tree/master/debian/tests/data
[4]: https://salsa.debian.org/med-team/perm/-/jobs/1788156
[5]:
https://salsa.debian.org/med-team/perm/-/blob/master/debian/patches/fix-buffer-overflow.patch
[6]: https://salsa.debian.org/med-team/perm/-/jobs/1789569
[7]: https://salsa.debian.org/med-team/perm/-/blob/master/debian/copyright#L3
Nilesh
--- End Message ---
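Added illustration, not perm's code and not part of the bug report: the class of defect -D_FORTIFY_SOURCE=2 turns into a "buffer overflow detected" abort, a fixed-size header buffer fed from FASTA input, shown as the unchecked copy beside a bounded variant that rejects oversized records instead. The buffer size, record handling and sample input are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed example, not perm's source: a fixed-size buffer for a FASTA
 * record header, as a short-read aligner might keep per read. */
#define HEADER_MAX 64
/* "Before" pattern: no length check, so a header of HEADER_MAX or more bytes
 * overruns the array. Built with -D_FORTIFY_SOURCE=2 and optimisation, strcpy
 * becomes a checked variant that aborts with "buffer overflow detected", the
 * failure the autopkgtests surfaced. Kept for comparison only; never called. */
void copy_header_unchecked(char out[HEADER_MAX], const char *line)
{
    strcpy(out, line);
}
/* Hardened pattern: explicit length, oversized records rejected up front.
 * Returns 0 on success, -1 if the header does not fit. */
int copy_header_checked(char out[HEADER_MAX], const char *line, size_t len)
{
    if (len >= HEADER_MAX)
        return -1;
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

/* Walk FASTA text in memory, copying each '>' header into the fixed buffer.
 * Returns the count that fit; oversized headers are counted in *rejected. */
int scan_fasta_headers(const char *text, int *rejected)
{
    char hdr[HEADER_MAX];
    int ok = 0;
    *rejected = 0;
    for (const char *p = text; *p;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (*p == '>') {
            if (copy_header_checked(hdr, p, len) == 0) ok++;
            else (*rejected)++;
        }
        p = eol ? eol + 1 : p + len;
    }
    return ok;
}
/* Constructed sample: two normal records plus one with a 101-byte header. */
int run_sample(int *rejected)
{
    char buf[256];
    int off = sprintf(buf, ">read1 chr1:100\nACGTACGT\n>read2\nGGCCTTAA\n>");
    memset(buf + off, 'X', 100);
    strcpy(buf + off + 100, "\nAAAA\n");
    return scan_fasta_headers(buf, rejected);  /* 2 headers fit, 1 rejected */
}
```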
--- Begin Message ---
The CVE details for this have been published by MITRE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38172

Closing.
--
Best,
Nilesh
--- End Message ---