Package: dosfstools Version: 4.1-1 Severity: normal Dear Maintainer,
In late 2017 and early 2018, I used afl to stress test fsck.vfat from the latest dosfstools release. The unwanted outcome was a bunch of crashes, caused by e.g. 32-byte OOB writes on the heap. They're caused by memset, and all occurrences of memset in the source package use a value of zero, so I don't know how this particular issue could be exploitable beyond DoS. These OOB writes are still worth fixing nevertheless, even if caused by nonsensical data. I sent you an e-mail to your maintainer address on December 24th, 2017. Some samples were attached. I sent another e-mail on February 19th, mentioning more issues (e.g. a hang for 3+ minutes) but without sending new samples, and I didn't receive a reply either. No fixes have appeared in the Git repo on Github since the end of December. I know that e-mails can get lost in delivery somewhere, it's already happened to me during conversations with the upstream maintainers of some libraries / programs proved buggy by zzuf, afl or honggfuzz... Regards, Lionel Debroux. -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386, armhf, armel, arm64, mips Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages dosfstools depends on: ii libc6 2.27-1 ii libudev1 237-4 dosfstools recommends no packages. dosfstools suggests no packages. -- no debconf information
