Package: perm
Version: 0.4.0-5
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]

Hi,

This bug report is being done as a reference point for perm to be processed with the corresponding CVE (also as a reference point for Mitre). This bug was actually discovered very publicly on a mailing list itself[1], and here is the unblock bug[2].

So, automated tests (autopkgtests) were added to perm, to run on test data that can be found here[3]. On propagating a hardening flag, particularly -D_FORTIFY_SOURCE=2, this started to give buffer overflow errors, as can be seen here[4]. I did a patch[5], and uploaded the fixed version 0.4.0-7 which fixes the issue at hand[6].

Now, when I tried contacting upstream, I realised that upstream sources are not present anywhere, and probably that has been the case for several years, as is also apparent from the copyright file[7]. I did see an email address there (Yangho Chen et al. <[email protected]>), and I sent an email there asking for it and also reporting the security issue, but so far there has been no response for several days and I think it is safe to assume that the upstream development for this software is dead.

Overall, this software was in fact vulnerable, and the vulnerability can be tested by running:

$ perm Ref.fasta Reads.fasta -v 100 -A -o out.sam

as given in the test data linked below, and the corresponding CI.

[1]: https://lists.debian.org/debian-med/2021/08/msg00016.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991841
[3]: https://salsa.debian.org/med-team/perm/-/tree/master/debian/tests/data
[4]: https://salsa.debian.org/med-team/perm/-/jobs/1788156
[5]: https://salsa.debian.org/med-team/perm/-/blob/master/debian/patches/fix-buffer-overflow.patch
[6]: https://salsa.debian.org/med-team/perm/-/jobs/1789569
[7]: https://salsa.debian.org/med-team/perm/-/blob/master/debian/copyright#L3

Nilesh
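Added illustration of the class of defect that -D_FORTIFY_SOURCE=2 turns into a run-time abort, and of the bounded alternative. This is not code from perm (whose upstream sources are unavailable) and not the patch in [5]; the actual defect in perm is not reproduced here. The FASTA-style header lines, the NAME_MAX buffer size and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small fixed-size destination (an assumption for the example). */
#define NAME_MAX 16

/* Copy the record name (text after '>' up to the first whitespace) into dst.
 * Returns 0 on success, 1 if the name had to be truncated to fit, -1 on
 * malformed input. An unbounded strcpy() or sscanf("%s") at this point would
 * write past dst on a long header; with -D_FORTIFY_SOURCE=2 the fortified
 * wrapper compares the write against the known size of dst and aborts instead
 * of silently corrupting memory. The bounded copy below never reaches that state. */
int parse_fasta_name(const char *line, char *dst, size_t dst_size) {
    if (!line || !dst || dst_size == 0 || line[0] != '>') return -1;
    const char *p = line + 1;
    size_t n = strcspn(p, " \t\r\n");   /* length of the name field */
    if (n == 0) return -1;               /* ">" with no name */
    int truncated = 0;
    if (n >= dst_size) {                 /* leave room for the NUL terminator */
        n = dst_size - 1;
        truncated = 1;
    }
    memcpy(dst, p, n);
    dst[n] = '\0';
    return truncated;
}

/* Mirror of the check the fortified wrappers perform at run time: would copying
 * src together with its NUL into an object of size dst_size exceed that size? */
int would_overflow(const char *src, size_t dst_size) {
    return strlen(src) + 1 > dst_size;
}

/* Constructed sample headers (not taken from the test data linked in [3]). */
static const char *sample_headers[] = {
    ">chr1 some description",
    ">read_" "0000000000" "0000000000" "1 len=100",   /* 26-char name, exceeds NAME_MAX */
};

int main(void) {
    char name[NAME_MAX];
    for (size_t i = 0; i < sizeof sample_headers / sizeof *sample_headers; i++) {
        int rc = parse_fasta_name(sample_headers[i], name, sizeof name);
        printf("%-45s -> '%s' (rc=%d, unbounded copy would overflow: %d)\n",
               sample_headers[i], name, rc,
               would_overflow(sample_headers[i] + 1, sizeof name));
    }
    return 0;
}
```

The point of the return code is that truncation becomes an observable condition the caller can reject or log, rather than a memory write the hardening flag has to catch after the fact; building with -D_FORTIFY_SOURCE=2 remains worthwhile as a backstop for the copies a review missed.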

