Hi,

On Sat, Feb 03, 2024 at 04:29:17PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Jan 31, 2024 at 10:05:04AM +0100, Robert Luberda wrote:
> > clone 1021738 -1
> > retitle 1021738 man2html: CVE-2021-40647
> > tags 1021738 +pending
> > retitle -1 man2html: CVE-2021-40648
> > tags -1 +moreinfo
> > thanks
> > 
> > Moritz Mühlenhoff writes:
> > 
> > Hi
> > 
> > First of all I'm sorry for not taking care of it earlier, I didn't have
> > time for Debian work in the previous year.
> > 
> > > 
> > > The following vulnerabilities were published for man2html.
> > > 
> > > CVE-2021-40647[0]:
> > Ok, this is quite easy to fix, I will upload fixed version soon.
> > 
> > > CVE-2021-40648[1]:
> > > | In man2html 1.6g, a filename can be created to overwrite the previous
> > > | size parameter of the next chunk and the fd, bk, fd_nextsize,
> > 
> > According to instructions given at
> > https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 I tried to
> > reproduce this with the following commands:
> >   file=$(perl -e 'print "A" x 132')
> >   touch $file
> >   man2html $file
> > I used man2html built with AddressSanitizer and it found only a few small
> > memory leaks coming from global variables.
> > 
> > So I have no idea what really is wrong in this CVE. The source code
> > references given at the above link actually refer to calls to the
> > fopen()/fclose() functions rather than to malloc() and free() directly.
> 
> I tried to get an idea from the report, but I failed tbh. I asked
> though
> https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933?permalink_comment_id=4872855#gistcomment-4872855.
> 
> But maybe, as this won't crash the program, we could mark it as
> unimportant and having a negligible security impact.

This should have actually gone to #1062069.

Regards,
Salvatore