Your message dated Tue, 20 Jan 2026 18:37:05 +0000
with message-id <[email protected]>
and subject line Bug#1124395: Removed package(s) from unstable
has caused the Debian Bug report #1109793,
regarding pfqueue: Potential grave misuse of memcpy in backends/pfq_socket.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1109793: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109793
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pfqueue
Version: 0.5.6-9
Severity: grave
Dear pfqueue package maintainers,
I am writing to raise your awareness of a potential grave misuse
of memcpy() in backends/pfq_socket.c.
Looking at
https://sources.debian.org/src/pfqueue/0.5.6-9/backends/pfq_socket.c/#L116-L118:

    memcpy ( (struct sockaddr*)&svra.sin_addr.s_addr,
             (struct hostent*)svr->h_addr,
             (struct hostent*)svr->h_length );

It becomes obvious that the 3rd parameter of memcpy()
is missing necessary brackets. It should be ((struct hostent*)svr)->h_length.
It is a dangerous typo and could easily cause segfaults and/or program
misbehavior. The second parameter also has a wrong type conversion.
As such, I believe the source code of pfqueue is not robust enough for
releasing with Debian in its current shape. It is also dated with no
maintenance either in Debian or upstream in the last 10 years.
Probably it's time to drop it from Debian's archive.
Thanks,
Boyuan Yang
--- End Message ---
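
Added example, not part of the original report and not pfqueue code: one way to write the address copy discussed in the report above without casts, checking the address family and h_length against the destination before copying. The helper names, port 20000 and the hand-built hostent are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not from pfqueue): fill an IPv4 sockaddr_in from a
 * resolved hostent. Returns 0 on success, -1 if the entry is unusable. */
int fill_ipv4_addr(struct sockaddr_in *dst, const struct hostent *svr,
                   unsigned short port)
{
    if (dst == NULL || svr == NULL || svr->h_addr_list == NULL ||
        svr->h_addr_list[0] == NULL)
        return -1;                  /* failed lookup or empty address list */
    if (svr->h_addrtype != AF_INET)
        return -1;                  /* e.g. AF_INET6 carries 16-byte addresses */
    if (svr->h_length != (int)sizeof dst->sin_addr)
        return -1;                  /* length must match the 4-byte target */
    memset(dst, 0, sizeof *dst);
    dst->sin_family = AF_INET;
    dst->sin_port = htons(port);
    /* No casts: memcpy takes void pointers, and the size is taken from the
     * destination object, already verified equal to h_length. */
    memcpy(&dst->sin_addr, svr->h_addr_list[0], sizeof dst->sin_addr);
    return 0;
}

/* Constructed sample input: a hand-built hostent for 192.0.2.10, so no
 * resolver is needed. On success *out gets the address in network order. */
int demo_fill(int family, int len, in_addr_t *out)
{
    static unsigned char raw[16] = { 192, 0, 2, 10 };
    char *list[] = { (char *)raw, NULL };
    struct hostent he = { .h_addrtype = family, .h_length = len, .h_addr_list = list };
    struct sockaddr_in sa;
    if (fill_ipv4_addr(&sa, &he, 20000) != 0)   /* 20000: arbitrary sample port */
        return -1;
    *out = sa.sin_addr.s_addr;
    return 0;
}

int main(void)
{
    in_addr_t a = 0;
    printf("AF_INET/4: %d\n", demo_fill(AF_INET, 4, &a));
    printf("AF_INET6/16: %d\n", demo_fill(AF_INET6, 16, &a));
    return 0;
}
```
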
--- Begin Message ---
Version: 0.5.6-9.2+rm
Dear submitter,
as the package pfqueue has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1124395
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---