Your message dated Thu, 21 Aug 2025 12:04:18 +0000
with message-id <[email protected]>
and subject line Bug#992407: fixed in elvis-tiny 1.4-25
has caused the Debian Bug report #992407,
regarding elvis-tiny: potential buffer overflow in main.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
992407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992407
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: elvis-tiny
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I found a potential buffer overflow vulnerability in main.c.
--------------------------------------------------
264 str = getenv("HOME");
265 if (str)
266 {
267 sprintf(tmpblk.c, "%s%c%s", str, SLASH, HMEXRC);
--------------------------------------------------
At line 264, the program reads the value of 'str' from an environment variable.
Since the size of 'tmpblk.c' is fixed to 1024 and there is no range check,
if a malicious attacker puts a large string, it may cause a buffer overflow which
leads to buggy behavior.
Thank you.
-- System Information:
Debian Release: 11.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages elvis-tiny depends on:
ii libc6 2.31-13
ii libtinfo6 6.2+20201114-2
elvis-tiny recommends no packages.
elvis-tiny suggests no packages.
--- End Message ---
--- Begin Message ---
Source: elvis-tiny
Source-Version: 1.4-25
Done: наб <[email protected]>
We believe that the bug you reported is fixed in the latest version of
elvis-tiny, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
наб <[email protected]> (supplier of updated elvis-tiny package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Jun 2025 21:53:56 +0200
Source: elvis-tiny
Architecture: source
Version: 1.4-25
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <[email protected]>
Changed-By: наб <[email protected]>
Closes: 992407 1074934 1109586
Changes:
elvis-tiny (1.4-25) unstable; urgency=medium
.
[ Andreas Tille ]
* QA upload.
Closes: #1109586
* Set packages.d.o as Homepage to express that there is no official homepage
* Maintain package on Salsa in Debian team
* Cleanup patches by refreshing
* [skip ci] Start modernising code to build with gcc-14/15
* cme fix dpkg-control
* d/rules: Add -Wno-error=incompatible-pointer-types to be sure package
builds
* Add #DEBHELPER# to postinst/prerm
* Build-Depends: s/libncurses5-dev/libncurses-dev/
.
[ наб ]
* d/p/0016: GCC-14 (Clang 21) (Closes: #1074934)
* debhelper-compat (= 13)
* d/rules: ignore -Wunused-result
* d/rules: simplify installation
* d/rules: move clean-up to d/clean
* d/rules: remove redundant note, dh_strip already removes these sections
* d/p/0017: snprintf() instead of sprintf() (Closes: #992407)
.
[ Andreas Tille ]
Trim trailing whitespace.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
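
The unbounded sprintf() from the report and the snprintf() replacement named in the 1.4-25 changelog, as an added example (not the contents of d/p/0017 and not elvis-tiny's own code). It also rejects truncated results, since snprintf() alone would silently cut the path short. BLKSIZE, the values of SLASH and HMEXRC, and both function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLKSIZE 1024     /* size of tmpblk.c as stated in the report */
#define SLASH   '/'      /* assumed value */
#define HMEXRC  ".exrc"  /* assumed value */

/* Reported form, for comparison (writes past dst when HOME is long):
 *     sprintf(tmpblk.c, "%s%c%s", str, SLASH, HMEXRC);
 *
 * Bounded form: build "<home>/<HMEXRC>" in dst. Returns 0 on success,
 * -1 if home is NULL or the result does not fit. dst is left empty on
 * failure so a truncated path is never used by the caller. */
int home_rc_path(char *dst, size_t dstsz, const char *home)
{
    int n;

    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (home == NULL)
        return -1;
    n = snprintf(dst, dstsz, "%s%c%s", home, SLASH, HMEXRC);
    if (n < 0 || (size_t)n >= dstsz) {   /* error or would truncate */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a HOME value made of len 'A' bytes. */
int try_home_of_length(size_t len, char *out, size_t outsz)
{
    char *home = malloc(len + 1);
    int rc;

    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    rc = home_rc_path(out, outsz, home);
    free(home);
    return rc;
}
```

With these assumed values the longest HOME that still fits is 1017 bytes (1017 + 1 + 5 = 1023 characters plus the terminating NUL).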