Package: remind
Severity: important
Dear Maintainer,
Remind version 05.03.07 (trixie) has a potential buffer overflow in
the DUMPVARS command. If you dump a nonexistent variable, the assignment:
DBufValue(&buf)[VAR_NAME_LEN] = 0;
is intended to truncate the variable name before printing an error. However,
the buffer associated with buf may be as small as 32 bytes, and VAR_NAME_LEN
is 64, so we could write past the buffer.
This bug is not present in 04.02.03 (bookworm) or 03.03.01 (bullseye)
because those versions of Remind guaranteed that buf had at least a
128-byte buffer.
The bug is fixed in upstream 06.00.01 and a patch is below.
Regards,
Dianne.
--- src/var.c.orig 2025-08-18 10:56:18.000000000 -0400
+++ src/var.c 2025-08-19 12:52:34.777056953 -0400
@@ -786,9 +786,14 @@
DumpSysVarByName(DBufValue(&buf)+1);
} else {
v = FindVar(DBufValue(&buf), 0);
- DBufValue(&buf)[VAR_NAME_LEN] = 0;
- if (!v) fprintf(ErrFp, "%s %s\n",
+ if (!v) {
+ if (DBufLen(&buf) > VAR_NAME_LEN) {
+ /* Truncate over-long variable name */
+ DBufValue(&buf)[VAR_NAME_LEN] = 0;
+ }
+ fprintf(ErrFp, "%s %s\n",
DBufValue(&buf), UNDEF);
+ }
else {
fprintf(ErrFp, "%s ", v->name);
PrintValue(&(v->v), ErrFp);
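Review bot: the new `+ }` that closes the `if (!v) {` block lands on its own line immediately before the unchanged `else {`, producing a `}` / `else {` split that does not match the `} else {` form at the top of this same hunk; consider turning the `else {` context line into `- else {` / `+ } else {` so the closing brace and the `else` share a line. The bounds check itself is sound: once `DBufLen(&buf) > VAR_NAME_LEN` holds, index `VAR_NAME_LEN` lies inside the live string, so the terminator write can no longer land beyond a 32-byte allocation.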
-- System Information:
Debian Release: 13.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.16.1 (SMP w/64 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages remind depends on:
ii libc6 2.41-12
Versions of packages remind recommends:
pn remind-tools <none>
Versions of packages remind suggests:
pn tkremind <none>
pn wyrd <none>
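The report above explains the defect as a fixed index (VAR_NAME_LEN, 64) written into a buffer whose allocation may be as small as 32 bytes. The following is an added example, not Remind's own code: a minimal model of a dynamic buffer (the struct and helper names are assumptions, Remind's real DynamicBuffer differs) showing when the unconditional write falls outside the allocation and how the length-guarded write from the patch stays inside it.

```c
/* Added example (not Remind's code): model of the DUMPVARS truncation bug
 * and of the length check used in the fix.  ModelDBuf and the helper names
 * are assumptions; VAR_NAME_LEN = 64 and the 32-byte allocation are the
 * values given in the bug report. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define VAR_NAME_LEN 64

typedef struct {
    char  *buf;    /* NUL-terminated contents */
    size_t len;    /* strlen(buf), what DBufLen() reports */
    size_t alloc;  /* bytes actually allocated behind buf */
} ModelDBuf;

/* Initialise a model buffer over caller-provided storage (constructed input). */
static void model_dbuf_init(ModelDBuf *b, char *storage, size_t alloc,
                            const char *name)
{
    b->buf = storage;
    b->alloc = alloc;
    strncpy(storage, name, alloc - 1);
    storage[alloc - 1] = '\0';
    b->len = strlen(storage);
}

/* The original statement writes buf[VAR_NAME_LEN] unconditionally.
 * That index is inside the allocation only when VAR_NAME_LEN < alloc. */
static bool unconditional_truncate_is_in_bounds(const ModelDBuf *b)
{
    return VAR_NAME_LEN < b->alloc;
}

/* The patched logic: write the terminator only when the name is longer
 * than VAR_NAME_LEN, so index VAR_NAME_LEN is inside the live string
 * (index < len < alloc).  Returns true when a truncation happened. */
static bool guarded_truncate(ModelDBuf *b)
{
    if (b->len > VAR_NAME_LEN) {
        b->buf[VAR_NAME_LEN] = '\0';
        b->len = VAR_NAME_LEN;
        return true;
    }
    return false;
}
```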