|
| From: | Jeffrey Kingston |
| Subject: | Re: Buffer overflow in the StringQuotedWord() function |
| Date: | Sun, 22 Dec 2019 21:02:23 +0000 |
|
Dear all,
I'm still around but I am reluctant to change Lout after all this time. Can
someone prove to me that the issues identified in these emails matter
enough to warrant a new version of a piece of software that has not
changed for years?
Jeff
From: Lout-users <lout-users-bounces+jeff=address@hidden> on behalf of William Bader <address@hidden>
Sent: Saturday, 21 December 2019 10:59 PM To: Frederic Cambus <address@hidden>; address@hidden <address@hidden> Subject: Re: Buffer overflow in the StringQuotedWord() function
Is anyone still maintaining lout?
I have attached patches that fix some graph issues and that add some features.
Is there a consensus how to fix the two overflows that you reported?
The easiest way is probably truncating the buffer and showing a warning, but that might lose text.
Other places in lout might have the same buffer limit, so allocating and passing a larger buffer would take some analysis to ensure that it wouldn't cause a buffer overflow somewhere else.
Regards, William
From: Lout-users <lout-users-bounces+williambader=address@hidden> on behalf of Frederic Cambus <address@hidden>
Sent: Saturday, December 21, 2019 5:27 AM To: address@hidden <address@hidden> Subject: Re: Buffer overflow in the StringQuotedWord() function On Fri, Dec 20, 2019 at 07:12:14PM +0100, Frederic Cambus wrote:
> While fuzzing lout 3.40 with Honggfuzz, I found a buffer overflow in > the StringQuotedWord() function, in z39.c. This issue has been assigned CVE-2019-19917. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19917 |
| [Prev in Thread] | Current Thread | [Next in Thread] |