Package: weborf
Version: 0.20
Severity: grave
Tags: patch upstream security
X-Debbugs-Cc: tipos...@tiscali.it

Dear Maintainer,

there is an error in the code to execute cgi.

Best

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages weborf depends on:
ii  libc6      2.37-12
ii  libmagic1  1:5.45-2
ii  libssl3    3.0.11-1

weborf recommends no packages.

Versions of packages weborf suggests:
pn  php-cgi  <none>

-- no debconf information

commit 49824204add55aab0568d90a6b1e7c822d32120d Author: Salvo 'LtWorf' Tomaselli <tipos...@tiscali.it> Date: Wed Oct 11 23:48:19 2023 +0200 Solve issue with unterminated buffer diff --git a/cgi.c b/cgi.c index 08d664d..f8276b1 100644 --- a/cgi.c +++ b/cgi.c @@ -233,8 +233,7 @@ static inline void cgi_execute_child(connection_t* connection_prop,string_t* pos environ = NULL; //Clear env vars if (strlen(executor) == 0) { - executor = malloc(connection_prop->strfile_len + 1); - strncpy(executor, connection_prop->strfile, connection_prop->strfile_len); + executor = connection_prop->strfile; } cgi_set_http_env_vars(connection_prop->http_param);
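
Review bot: The new assignment `executor = connection_prop->strfile;` in cgi_execute_child only solves the unterminated buffer if connection_prop->strfile is itself NUL-terminated at strfile_len, and nothing in this hunk shows that. The removed strncpy copied exactly strfile_len bytes into a strfile_len + 1 allocation, so when strfile holds strfile_len characters the last byte was never written and the old copy had no terminator; please add a comment or an assertion next to the assignment stating the termination guarantee for strfile. The assignment also makes executor an alias of the connection's buffer instead of an owned copy, so any later code in this function that writes through executor or frees it should be checked.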