Package: makedepf90
Version: 2.8.8-1
Followup-For: Bug #802774

Dear Maintainer,

The program 'makedepf90' contains possibilities for buffer overflow bugs, through unsanitized runtime arguments' list.

In particular, as the passed-on compiler flags' list etc. become longer, the 'rule' (-r) replacement function can easily exceed the hard-coded default from:

global.h:#define RULE_LENGTH 256

.... and presently results in stack corruption from main.c.

The attached patch suggests to:
1) validate the 'rule' argument length while parsing, failing gracefully if too big;
2) increase the default value to a less easily exceeded maximum.

There may be need for further corrections, in order to improve the safety of the code.

Thanks for the good work,

-- Alberto Marmodoro.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages makedepf90 depends on:
ii  libc6  2.19-18+deb8u1

makedepf90 recommends no packages.

makedepf90 suggests no packages.

-- no debconf information

Only in makedepf90-2.8.8_patched/: config.status diff makedepf90-2.8.8_patched/global.h /tmp/orig/makedepf90-2.8.8/global.h 50c50 < #define RULE_LENGTH 1024 --- > #define RULE_LENGTH 256 diff makedepf90-2.8.8_patched/main.c /tmp/orig/makedepf90-2.8.8/main.c 153,154c153,154 < if (strncmp(argv[i], "-h", 2) == 0 || strncmp(argv[i], "--help", 6) == 0) { < printf("%s", helpstring); --- > if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0) { > printf ("%s", helpstring); 157,158c157,158 < } else if (strncmp(argv[i], "-V", 2) == 0 < || strncmp(argv[i], "--version", 9) == 0) { --- > } else if (strcmp(argv[i], "-V") == 0 > || strcmp(argv[i], "--version") == 0) { 163,164c163,164 < } else if (strncmp(argv[i], "-W", 2) == 0 < || strncmp(argv[i], "-Wmissing", 9) == 0) { --- > } else if (strcmp(argv[i], "-W") == 0 > || strcmp(argv[i], "-Wmissing") == 0) { 167c167 < } else if (strncmp(argv[i], "-Wconfused", 10) == 0) { --- > } else if (strcmp(argv[i], "-Wconfused") == 0) { 187c187 < } else if (strncmp(argv[i], "-fixed", 6) == 0) { --- > } else if (strcmp(argv[i], "-fixed") == 0) { 190c190 < } else if (strncmp(argv[i], "-free", 5) == 0) { --- > } else if (strcmp(argv[i], "-free") == 0) { 206,210d205 < // printf("Testing rule argument '%s'...\n", argv[i+1]); < if (strlen(argv[i+1]) > RULE_LENGTH) { < printf("Rule argument '%s' exceeds global.h max RULE_LENGTH=%i. Increase and recompile %s, aborting.\n", argv[i+1],RULE_LENGTH,argv[0]); < exit (EXIT_FAILURE); < } 246c241 < } else if (strncmp(argv[i], "-coco", 5) == 0) { --- > } else if (strcmp(argv[i], "-coco") == 0) { 326c321 < } else if (strncmp(argv[i], "-nosrc", 6) == 0) { --- > } else if (strcmp(argv[i], "-nosrc") == 0) {
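
Review bot: The diff was produced as `diff makedepf90-2.8.8_patched/... /tmp/orig/...`, so the `<` lines are the proposed code and the `>` lines are the current code; applied as it stands it would remove the fix rather than add it. Please regenerate it as a unified diff from the original tree to the patched tree, and drop the `Only in makedepf90-2.8.8_patched/: config.status` line, which is a configure by-product and not part of the change.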
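
Review bot: In the global.h hunk (50c50), raising `RULE_LENGTH` from 256 to 1024 moves the limit without removing it: the report says the overflow comes from the rule after replacement, and a long enough compiler flag list will reach 1024 as well. The constant change is fine as a stopgap, but the code that writes into the rule buffer should be bounded by the buffer size at the point of the write, or the buffer should be sized from the input.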
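
Review bot: The main.c hunks that replace `strcmp(argv[i], "-X") == 0` with `strncmp(argv[i], "-X", n) == 0` turn exact option matching into prefix matching, which changes behaviour and is unrelated to the overflow. At 163,164 `strncmp(argv[i], "-W", 2) == 0` is now true for `-Wconfused`, so the `-Wconfused` branch at 167 can no longer be reached, and `-h`, `-V`, `-free`, `-fixed`, `-coco` and `-nosrc` now accept any argument that merely starts with those characters. Both operands are NUL-terminated strings, so `strcmp` was not the unsafe call here; please keep `strcmp` in these comparisons and leave them out of this patch.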
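
Review bot: In the added block at 206-210, `strlen(argv[i+1]) > RULE_LENGTH` lets through an argument of exactly RULE_LENGTH characters, which needs RULE_LENGTH + 1 bytes once the terminator is counted; if the destination is declared with RULE_LENGTH bytes the test should be `>=`. The check also bounds only the argument as typed, while the report attributes the overflow to the rule after replacement, so the expanded rule still needs its own bound where it is built. Smaller points: the message should go to stderr rather than `printf`, and the commented-out `// printf("Testing rule argument ...` debug line should be removed before merging.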
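
The report locates the overflow in the rule after replacement, so a length check on the `-r` argument alone does not bound what ends up in the buffer. The following is an added example, not makedepf90 code and not part of the attached patch: `expand_rule` is a hypothetical helper, and the `%f` token standing for the file name is an assumption made for illustration, since the page does not show the rule syntax.

```c
#include <stddef.h>
#include <string.h>

#define RULE_LENGTH 256 /* value quoted from global.h in the report */

/* Hypothetical helper: copy rule into out, replacing each "%f" (assumed
 * token) with fname. Writes at most outsz bytes including the terminator.
 * Returns 0 on success, -1 if the expanded rule would not fit. */
int expand_rule(char *out, size_t outsz, const char *rule, const char *fname)
{
    size_t used = 0;
    size_t flen = strlen(fname);

    if (outsz == 0)
        return -1;
    while (*rule != '\0') {
        const char *src = rule; /* default: copy one literal character */
        size_t n = 1;

        if (rule[0] == '%' && rule[1] == 'f') {
            src = fname;        /* token: copy the whole file name */
            n = flen;
            rule += 2;
        } else {
            rule += 1;
        }
        /* Keep one byte for '\0'; fail instead of truncating silently. */
        if (n >= outsz - used) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, src, n);
        used += n;
    }
    out[used] = '\0';
    return 0;
}

/* Constructed case: an 11-character rule passes any argument-length check,
 * yet expands to 403 characters with a 100-character file name. */
int demo_short_rule_overflows(void)
{
    char out[RULE_LENGTH];
    char fname[101];

    memset(fname, 'a', 100);
    fname[100] = '\0';
    return expand_rule(out, sizeof out, "%f %f %f %f", fname);
}
```

The caller treats `-1` the same way the patch treats an oversized argument: report the limit and exit, rather than continue with a partial rule.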