Bug 98942 - net-p2p/ctorrent: maybe stack overflow in _btf_recurses_directory() function
Summary: net-p2p/ctorrent: maybe stack overflow in _btf_recurses_directory() function
Status: RESOLVED INVALID
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: jaervosz
Reported: 2005-07-13 18:17 UTC by solar (RETIRED)
Modified: 2005-09-02 02:42 UTC

Description solar (RETIRED) gentoo-dev 2005-07-13 18:17:09 UTC
A user had submitted a patch for ctorrent which came from openembedded
(bug #98929). While reviewing the patch I noticed that one of the things
included in it was an update for the getwd() function to use getcwd().
Upon further investigation it's pretty clear that it's very easy to
overflow in the btFiles::_btf_recurses_directory() function. The
likelihood of it overflowing in real life situations I have no idea. I've
never used this software in my life and really have no desire to.

An example of how such code can be overflowed is as follows.

#include <string.h>     /* strcpy */
#include <sys/stat.h>   /* mkdir */
#include <unistd.h>     /* getwd, chdir */
#define MAXPATHLEN 1024 /* hard-coded here, not taken from the system headers */

int recurses_directory(char *cur_path)
{
  char full_cur[MAXPATHLEN];
  char fn[MAXPATHLEN];

  /* getwd() is given no size: it writes the whole working directory into full_cur */
  if( !getwd(full_cur) ) return -1;

  /* unbounded copy into a second fixed-size buffer */
  if( cur_path )
    strcpy(fn, full_cur);

  return 0;
}

int main(void) {
  int i;
  /* build a working directory deeper than MAXPATHLEN */
  for (i = 0; i != MAXPATHLEN+16; i++) {
        mkdir("A", 0755);
        chdir("A");
  }
  recurses_directory(NULL);
  return 0;
}

I think there are probably a few other problems with this package as I
see unchecked strcpy() calls with fixed size buffers all over the place.
I'm not really wanting to invest any more of my time on it, as my vote would be for preemptive p.mask/removal. If any of our auditors wishes to audit, feel free.
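The bounded counterpart of the getwd()/strcpy() pattern shown in the report, as an added example that is neither ctorrent's code nor the patch from bug 98929: it goes in the direction that patch takes (getcwd() instead of getwd()), passing the buffer size so a path that does not fit is reported with ERANGE rather than written past the end, and joining paths with snprintf() so truncation is an error instead of an overflow. The helper names and the PATH_MAX fallback are assumptions made for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096          /* fallback; glibc's <limits.h> normally defines it */
#endif

/* Hypothetical helper: join dir + "/" + name into dst, refusing to truncate. */
static int join_path(char *dst, size_t dstsz, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsz) {
        errno = ENAMETOOLONG;  /* would not fit: report instead of overflowing */
        return -1;
    }
    return 0;
}

/* Hypothetical helper: getcwd() with an explicit size; fails with ERANGE if too small. */
static int current_dir_bounded(char *buf, size_t bufsz)
{
    if (!getcwd(buf, bufsz))
        return -1;
    return 0;
}

/* Bounded version of the prologue in the report: full path of an entry in the cwd. */
static int full_path_of(char *out, size_t outsz, const char *name)
{
    char cwd[PATH_MAX];
    if (current_dir_bounded(cwd, sizeof cwd) != 0)
        return -1;
    return join_path(out, outsz, cwd, name);
}

int main(void)
{
    char out[PATH_MAX];
    if (full_path_of(out, sizeof out, "A") != 0) {
        perror("full_path_of");
        return 1;
    }
    printf("%s\n", out);
    return 0;
}
```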
Comment 1 SpanKY gentoo-dev 2005-07-13 18:30:38 UTC
the patch in question is on Bug 98929

http://bugs.gentoo.org/attachment.cgi?id=63343&action=view
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-14 03:45:22 UTC
Not sure it's a good idea to patch only the one we saw. This needs a full audit
or a removal. And we should perhaps package.mask it until this is done?

net-p2p: what's your position on this package?
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-14 05:04:19 UTC
yeah, but your example is only wrong as you've defined MAXPATHLEN as 1024,
when the MAXPATHLEN on your system is longer. A cursory glance suggests ctorrent
is using the limits.h definition, so creating a longer path is not possible...

Looks safe to me, but Rob is the C++ auditor...any opinion Rob? :)
Comment 4 solar (RETIRED) gentoo-dev 2005-07-14 05:36:15 UTC
Ahh, you're right Tavis. That 1024 came from within an #ifdef WINDOWS.
Changing Component to Auditing and downgrading Severity.
Comment 5 rob holland (RETIRED) gentoo-dev 2005-08-01 00:53:02 UTC
Seems ok to me. I'd like to have a little more time to check the other code
though, so please leave the bug open for a little bit.
Comment 6 rob holland (RETIRED) gentoo-dev 2005-09-02 02:42:58 UTC
Don't really have time for this right now; the issue the bug was filed for seems
not to be a concern, so I'll just close.