libcdio-devel

From: Rocky Bernstein
Subject: [Libcdio-devel] RFC: vulnerability patches (Was: Vulnerable use of strcpy in iso9660_fs.c)
Date: Mon, 27 May 2024 18:02:51 -0400

In the mansour-gashabi-patch branch of libcdio, are some small changes to
the code to reduce some weaknesses in the libcdio code base.

I'd appreciate it if folks would review these changes. If you have problems
seeing the differences, just let me know.

If there is no comment or concern raised about these, then after about a
week, I will merge this into master.

Attached is a more detailed report that Mansour Gashabi produced in
scanning the code for weaknesses.

Thanks.
- Rocky

On Thu, Apr 4, 2024 at 6:51 PM Rocky Bernstein <rocky@gnu.org> wrote:

> I just received a report about a place in libiso9660
> <https://git.savannah.gnu.org/cgit/libcdio.git/tree/lib/iso9660/iso9660_fs.c#n814>
> where we use strcpy() instead of strncpy().
>
> If someone has a suggestion for how to fix, please let me know. I can send
> a more detailed report for those interested. Just email me.
>

Attachment: ALERT.pdf
Description: Adobe PDF document
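The quoted message boils down to one C idiom: an unbounded strcpy() into a fixed-size field versus a bounded copy. The following is an added example written for this thread, not code from libcdio or from the attached report; NAME_BUF_LEN, copy_field_unsafe, copy_field_strncpy and copy_field are hypothetical names chosen here, and the oversized identifier is a constructed sample. It shows the shape of the unsafe pattern, the strncpy() replacement together with the terminator it does not write on its own, and a stricter variant for on-disc fields that are length-prefixed rather than NUL-terminated and that tells the caller when a value did not fit.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field width, chosen for this example (not a libcdio constant). */
#define NAME_BUF_LEN 32

/* The pattern the thread is about: strcpy() copies until it finds a NUL in
 * src, so a source longer than dst overruns the buffer. Kept only to show
 * the shape of the problem; nothing below calls it. */
void copy_field_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* The strncpy() replacement mentioned in the thread. strncpy() is bounded,
 * but it writes no terminator when src fills the whole width, so the caller
 * must terminate explicitly. */
void copy_field_strncpy(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return;
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
}

/* Stricter variant for on-disc fields: src is a byte run of at most src_len
 * bytes that need not be NUL-terminated, and the caller learns when the value
 * did not fit instead of silently getting it cut short.
 * Returns 0 on success, -1 if the field was truncated or dst has no room. */
int copy_field(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    size_t n = 0;

    if (dst_len == 0)
        return -1;
    /* Source length: up to src_len bytes or the first NUL, whichever comes first. */
    while (n < src_len && src[n] != '\0')
        n++;
    if (n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a field longer than NAME_BUF_LEN, as a malformed
     * image might carry it. */
    const char oversized[] =
        "THIS_IDENTIFIER_IS_LONGER_THAN_THE_DESTINATION_BUFFER.TXT;1";
    char name[NAME_BUF_LEN];

    copy_field_strncpy(name, sizeof name, oversized);
    printf("strncpy variant: \"%s\" (%zu bytes)\n", name, strlen(name));

    if (copy_field(name, sizeof name, oversized, sizeof oversized - 1) != 0)
        printf("copy_field: field did not fit, record should be rejected\n");
    return 0;
}
```

The return value of copy_field is the point of the stricter variant: a parser that only truncates still accepts a record whose name field was oversized, whereas one that checks the result can reject the record and log it.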

