On Mon, Apr 09, 2018 at 12:21:32AM -0700, Steve Langasek wrote:
> Hi James,
> You filed https://bugs.launchpad.net/libtickit/+bug/1744933 about tests
> reporting a buffer overflow in libtickit. It seems you worked around this
> by disabling the hardening flags

Yes, I was hoping to get time to look into _why_ the -1 was being
returned in that scenario, since that should likely be fixed.

> - or at least attempting to, which was
> ineffective in Ubuntu because -D_FORTIFY_SOURCE=2 is a compiler built-in in
> Ubuntu; which is how I noticed this, because the package still failed to
> build in Ubuntu.

Good to know.

> I dug into the build failure, and this looks like a genuine out-of-bounds
> write in the use of FD_SET() in src/term.c (i.e. the source, not the
> tests). An attacker can likely only cause the fd to be set to -1 rather
> than to an arbitrary value, so it's not necessarily exploitable, but the
> code does currently allow for scribbling into memory where it shouldn't, so
> that's not good.

Thanks. I'll send the patch upstream, since the defensive measures are
useful. I'll also see if Paul has some time to look into the root
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB