https://bugzilla.redhat.com/show_bug.cgi?id=1654670

Petr Pisar <ppisar@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|fedora-review?              |fedora-review+

--- Comment #11 from Petr Pisar <ppisar@xxxxxxxxxx> ---
GCC warns:

u2f.c: In function ‘u2fclib_verifyRegistration’:
u2f.c:186:5: warning: ‘strncpy’ specified bound 1000 equals destination size [-Wstringop-truncation]
  186 |     strncpy(kh, u2fs_get_registration_keyHandle(reg_result), 1000);
      |     ^

u2fs_get_registration_keyHandle() returns a pointer to a buffer which is, according to current libu2f-server sources, allocated to 2000 B. It contains a base64-encoded key. If the encoded form exceeds 1000 B, the strncpy() will miss a trailing null byte and u2fclib_verifyRegistration() of this package will in turn read over the buffer end with strlen(). The longest ECC keys used today have 512 bits. Nevertheless I recommend fixing this future-possible buffer overflow.

All tests pass. Ok.

$ rpmlint perl-Crypt-U2F-Server.spec ../SRPMS/perl-Crypt-U2F-Server-0.45-2.fc40.src.rpm ../RPMS/x86_64/perl-Crypt-U2F-Server-*
======================================== rpmlint session starts =======================================
rpmlint: 2.4.0
configuration:
    /usr/lib/python3.12/site-packages/rpmlint/configdefaults.toml
    /etc/xdg/rpmlint/fedora-legacy-licenses.toml
    /etc/xdg/rpmlint/fedora-spdx-licenses.toml
    /etc/xdg/rpmlint/fedora.toml
    /etc/xdg/rpmlint/scoring.toml
    /etc/xdg/rpmlint/users-groups.toml
    /etc/xdg/rpmlint/warn-on-functions.toml
checks: 31, packages: 5

========= 4 packages and 1 specfiles checked; 0 errors, 0 warnings, 0 badness; has taken 0.4 s ========
rpmlint is Ok.
$ rpm -q -lv -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib/.build-id
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib/.build-id/b6
lrwxrwxrwx 1 root root    71 Oct  4 02:00 /usr/lib/.build-id/b6/fe4716d766da3ca4542cfd7aef6dbfa386456f -> ../../../../usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/Server.so
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/Crypt
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/Crypt/U2F
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server
-rw-r--r-- 1 root root  6352 May  4  2019 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server.pm
-rw-r--r-- 1 root root 15347 May  4  2019 /usr/lib64/perl5/vendor_perl/Crypt/U2F/Server/Simple.pm
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server
-rwxr-xr-x 1 root root 27864 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/Server.so
-rw-r--r-- 1 root root    95 Oct  4 02:00 /usr/lib64/perl5/vendor_perl/auto/Crypt/U2F/Server/autosplit.ix
drwxr-xr-x 2 root root     0 Oct  4 02:00 /usr/share/doc/perl-Crypt-U2F-Server
-rw-r--r-- 1 root root  1077 May  4  2019 /usr/share/doc/perl-Crypt-U2F-Server/Changes
-rw-r--r-- 1 root root   746 Mar 12  2019 /usr/share/doc/perl-Crypt-U2F-Server/README
-rw-r--r-- 1 root root  2932 Oct  4 02:00 /usr/share/man/man3/Crypt::U2F::Server.3pm.gz
-rw-r--r-- 1 root root  4640 Oct  4 02:00 /usr/share/man/man3/Crypt::U2F::Server::Simple.3pm.gz
File layout and permissions are Ok.
$ rpm -q --requires -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm | sort -f | uniq -c
      1 libc.so.6()(64bit)
      1 libc.so.6(GLIBC_2.2.5)(64bit)
      1 libc.so.6(GLIBC_2.3.4)(64bit)
      1 libc.so.6(GLIBC_2.4)(64bit)
      1 libperl.so.5.38()(64bit)
      1 libu2f-server.so.0()(64bit)
      1 libu2f-server.so.0(U2F_SERVER_0.0.0)(64bit)
      1 perl(:MODULE_COMPAT_5.38.0)
      1 perl(:VERSION) >= 5.18.1
      1 perl(AutoLoader)
      1 perl(Carp)
      1 perl(Crypt::U2F::Server)
      1 perl(Exporter)
      1 perl(strict)
      1 perl(warnings)
      1 perl(XSLoader)
      1 perl-libs
      1 rpmlib(CompressedFileNames) <= 3.0.4-1
      1 rpmlib(FileDigests) <= 4.6.0-1
      1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
      1 rpmlib(PayloadIsZstd) <= 5.4.18-1
      1 rtld(GNU_HASH)
Binary requires are Ok.

$ rpm -q --provides -p ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm | sort -f | uniq -c
      1 perl(Crypt::U2F::Server) = 0.45
      1 perl(Crypt::U2F::Server::Simple) = 0.45
      1 perl-Crypt-U2F-Server = 0.45-2.fc40
      1 perl-Crypt-U2F-Server(x86-64) = 0.45-2.fc40
Binary provides are Ok.

$ resolvedeps rawhide ../RPMS/x86_64/perl-Crypt-U2F-Server-0.45-2.fc40.x86_64.rpm
Binary dependencies are resolvable. Ok.

The package builds in Fedora 40 (https://koji.fedoraproject.org/koji/taskinfo?taskID=108130579). Ok.

The package is in line with Fedora and Perl packaging guidelines.

Please report the potential buffer overflow to the upstream.

This package is APPROVED.
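The truncation the review describes, as an added example (not code from perl-Crypt-U2F-Server or libu2f-server): the flagged strncpy pattern next to a bounded copy that refuses an over-long key handle instead of silently dropping the terminator. KH_SIZE, SRC_SIZE, the function names and the constructed all-'A' handle are assumptions of this example.

```c
#include <string.h>
#define KH_SIZE  1000   /* destination size of the strncpy GCC flagged */
#define SRC_SIZE 2000   /* libu2f-server's key-handle buffer size per the review */

/* The flagged pattern: the bound equals the destination size, so a source of
 * KH_SIZE or more bytes fills kh completely and no terminating NUL is written;
 * a later strlen(kh) would read past the end of kh. memchr is bounded. */
static int copy_unsafe(char *kh, size_t kh_size, const char *src)
{
    strncpy(kh, src, kh_size);
    return memchr(kh, '\0', kh_size) != NULL;   /* 1 = terminated, 0 = not */
}

/* Hardened form (this example's suggestion, not the package's code): scan at
 * most kh_size bytes of src for its NUL (src is at least that long here),
 * refuse a handle that cannot fit with its terminator, copy the NUL too. */
static int copy_key_handle(char *kh, size_t kh_size, const char *src)
{
    const char *nul = memchr(src, '\0', kh_size);
    if (nul == NULL)
        return -1;                /* would truncate: refuse instead */
    memcpy(kh, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Constructed input: `len` 'A' characters standing in for the base64 text
 * libu2f-server would return (no real key material). */
static const char *constructed_handle(size_t len)
{
    static char src[SRC_SIZE + 1];
    if (len > SRC_SIZE) len = SRC_SIZE;
    memset(src, 'A', len);
    src[len] = '\0';
    return src;
}

/* 1 if strncpy with a full-size bound left kh NUL-terminated, else 0. */
int unsafe_copy_terminated(size_t len)
{
    char kh[KH_SIZE];
    return copy_unsafe(kh, sizeof kh, constructed_handle(len));
}

/* 0 when the hardened copy accepted the handle, -1 when it rejected it. */
int safe_copy_result(size_t len)
{
    char kh[KH_SIZE];
    return copy_key_handle(kh, sizeof kh, constructed_handle(len));
}
```

At 999 bytes both copies terminate; at exactly 1000 bytes the strncpy form leaves no NUL while the bounded copy reports -1, which is the case the warning is about.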