Package: makedepf90
Version: 2.8.8-1
Followup-For: Bug #802774

Dear Maintainer,
The program 'makedepf90' contains possibilities for buffer overflow bugs, 
through unsanitized runtime arguments' list.

In particular, as the passed-on compiler flags' list etc. become longer, the 
'rule' (-r) replacement function can easily exceed the hard-coded default from:

global.h:#define RULE_LENGTH 256

... and presently results in stack corruption from main.c.

The attached patch suggests to:
1) validate the 'rule' argument length while parsing, failing gracefully if too 
big;
2) increase the default value to a less easily exceeded maximum.

There may be need for further corrections, in order to improve the safety of 
the code.

Thanks for the good work,
--
Alberto Marmodoro.

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages makedepf90 depends on:
ii  libc6  2.19-18+deb8u1

makedepf90 recommends no packages.

makedepf90 suggests no packages.

-- no debconf information
Only in makedepf90-2.8.8_patched/: config.status
diff makedepf90-2.8.8_patched/global.h /tmp/orig/makedepf90-2.8.8/global.h
50c50
< #define RULE_LENGTH 1024
---
> #define RULE_LENGTH 256
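Review bot: the argument order on the `diff` line puts the patched tree first, so in this hunk the `<` side (`RULE_LENGTH 1024`) is the new value and the `>` side (`256`) is the original; applied as it stands, the patch would lower the limit rather than raise it. Please regenerate it as a unified diff from the original tree to the patched one (`diff -u orig patched`). Separately, raising the constant to 1024 only moves the point at which the buffer is exceeded, so the bound still has to be enforced wherever the rule is written into it.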
diff makedepf90-2.8.8_patched/main.c /tmp/orig/makedepf90-2.8.8/main.c
153,154c153,154
<         if (strncmp(argv[i], "-h", 2) == 0 || strncmp(argv[i], "--help", 6) == 0) {
<             printf("%s", helpstring);
---
>         if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0) {
>             printf ("%s", helpstring);
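Review bot: `strncmp(argv[i], "-h", 2)` on the first changed line compares only the first two characters, so any argument that begins with `-h` is now treated as a help request, and `--help` compared over 6 characters likewise accepts longer arguments that merely start with it. The exact `strcmp` match was not involved in the overflow and should be kept; the same applies to the `-V`/`--version`, `-fixed`, `-free`, `-coco` and `-nosrc` hunks. The `printf (` to `printf(` whitespace change is unrelated to the fix and is better left out of this patch.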
157,158c157,158
<         } else if (strncmp(argv[i], "-V", 2) == 0 
<                || strncmp(argv[i], "--version", 9) == 0) {
---
>         } else if (strcmp(argv[i], "-V") == 0 
>                || strcmp(argv[i], "--version") == 0) {
163,164c163,164
<         } else if (strncmp(argv[i], "-W", 2) == 0 
<                    || strncmp(argv[i], "-Wmissing", 9) == 0) {
---
>         } else if (strcmp(argv[i], "-W") == 0 
>                    || strcmp(argv[i], "-Wmissing") == 0) {
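Review bot: `strncmp(argv[i], "-W", 2) == 0` is true for every argument starting with `-W`, which includes `-Wconfused`; since the `-Wconfused` test at line 167 is a later `else if`, it looks unreachable after this change and `-Wconfused` would be handled by this branch instead. The second operand, `strncmp(argv[i], "-Wmissing", 9)`, is also redundant once the two-character prefix already matches. Keep the original `strcmp` comparisons here.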
167c167
<         } else if (strncmp(argv[i], "-Wconfused", 10) == 0) {
---
>         } else if (strcmp(argv[i], "-Wconfused") == 0) {
187c187
<         } else if (strncmp(argv[i], "-fixed", 6) == 0) {
---
>         } else if (strcmp(argv[i], "-fixed") == 0) {
190c190
<         } else if (strncmp(argv[i], "-free", 5) == 0) {
---
>         } else if (strcmp(argv[i], "-free") == 0) {
206,210d205
<                 // printf("Testing rule argument '%s'...\n", argv[i+1]);
<                 if (strlen(argv[i+1]) > RULE_LENGTH) {
<                     printf("Rule argument '%s' exceeds global.h max RULE_LENGTH=%i. Increase and recompile %s, aborting.\n", argv[i+1],RULE_LENGTH,argv[0]);
<                     exit (EXIT_FAILURE);
<                 }
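Review bot: the test `strlen(argv[i+1]) > RULE_LENGTH` bounds only the raw `-r` argument, while the report attributes the overflow to the rule replacement step; if replacement can lengthen the rule, an argument that passes this check can still exceed the buffer after expansion, so the bound needs to be enforced where the expanded rule is written. If the destination is an array of `RULE_LENGTH` bytes, the comparison should also be `>=` so that the terminating NUL fits. The diagnostic would be better sent to `stderr` than through `printf`, and the commented-out debug `printf` on the first added line should be dropped.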
246c241
<         } else if (strncmp(argv[i], "-coco", 5) == 0) {
---
>         } else if (strcmp(argv[i], "-coco") == 0) {
326c321
<         } else if (strncmp(argv[i], "-nosrc", 6) == 0) {
---
>         } else if (strcmp(argv[i], "-nosrc") == 0) {
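
The report places the overflow in the rule replacement step rather than in the raw argument, so the following added example (not code from makedepf90 or from the attached patch) shows a replacement routine that tracks the remaining space in the destination and fails instead of writing past it. The function names, the `%f` and `%o` token names and the sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define RULE_LENGTH 256 /* original value from global.h, as quoted in the report */

/* Append n bytes of s to dst; refuse if they plus the NUL would not fit. */
static int append(char *dst, size_t cap, size_t *len, const char *s, size_t n)
{
    if (n >= cap - *len)
        return -1;
    memcpy(dst + *len, s, n);
    *len += n;
    dst[*len] = '\0';
    return 0;
}

/* Expand %f (source file) and %o (object file) in rule into dst[cap].
 * The token names are assumptions for this example.
 * Returns 0 on success, -1 if the expanded text would not fit. */
int expand_rule(char *dst, size_t cap, const char *rule,
                const char *src, const char *obj)
{
    size_t len = 0;
    if (cap == 0)
        return -1;
    dst[0] = '\0';
    for (const char *p = rule; *p; p++) {
        const char *piece = p; /* default: copy one literal character */
        size_t n = 1;
        if (p[0] == '%' && p[1] == 'f') { piece = src; n = strlen(src); p++; }
        else if (p[0] == '%' && p[1] == 'o') { piece = obj; n = strlen(obj); p++; }
        if (append(dst, cap, &len, piece, n) != 0)
            return -1; /* caller reports the error and exits */
    }
    return 0;
}

int main(void)
{
    char out[RULE_LENGTH];
    /* Constructed inputs: a short rule with both tokens. */
    const char *rule = "$(FC) $(FFLAGS) -c %f -o %o";
    if (expand_rule(out, sizeof out, rule, "src/solver.f90", "build/solver.o") == 0)
        puts(out);
    return 0;
}
```

A five-character rule such as `-c %f` passes any length check on the argument itself, yet its expansion is rejected here as soon as the substituted file name no longer fits.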
