lout-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Buffer overflow in the StringQuotedWord() function

From: William Bader
Subject: Re: Buffer overflow in the StringQuotedWord() function
Date: Wed, 21 Oct 2020 03:37:15 +0000
I have active projects that use lout, and my diff file of small fixes and enhancement to lout-3.40 is now over 1300 lines.
Would it be possible to find a home for the 3.40 source on github or https://www.freedesktop.org/wiki/ so that patches can at least be posted as issues even if there is never another release?
Someone posted 3.39 as https://github.com/thektulu/lout
Someone posted some data fixes as https://github.com/EPadronU/lout
github has some other projects called lout, but I think that they are for Logging OUTput of web apps.
Has anyone looked at the memory issues?
StringQuotedWord lout-3.40/z39.c:254:66 looks easy to fix by checking that q < &buf[MAX_BUF-2] in the loop.
srcnext lout-3.40/z02.c:381:26 is more complicated. Does it have to check that limit > mem_block?
Regards, William

From: Lout-users <lout-users-bounces+williambader=hotmail.com@nongnu.org> on behalf of Jeffrey Kingston <jeffrey.kingston@sydney.edu.au>
Sent: Tuesday, October 20, 2020 7:52 PM
To: Matěj Cepl <mcepl@cepl.eu>
Cc: lout-users@nongnu.org <lout-users@nongnu.org>
Subject: Re: Buffer overflow in the StringQuotedWord() function
 
> Is anyone still maintaining lout?

I'm still around but I see little point in making new versions of Lout
at this late stage.  So I guess I'm saying that I'm not maintaining
Lout any longer.  If something serious turned up I suppose I
would gird my loins and fix it, but that's very unlikely.

Jeff Kingston


From: Lout-users on behalf of Matěj Cepl
Sent: Wednesday, October 21, 2020 2:20 AM
To: William Bader; Frederic Cambus; lout-users@nongnu.org
Subject: Re: Buffer overflow in the StringQuotedWord() function

William Bader píše v So 21. 12. 2019 v 11:59 +0000:
> Is anyone still maintaining lout?

That’s the question, isn’t it? We have in OpenSUSE still two
opened CVEs (https://bugzilla.suse.com/1159713 and
https://bugzilla.suse.com/1159714), Debian just removed lout
from its archive (https://bugs.debian.org/972182).

Is the project finally dead, and should I remove the package
from OpenSUSE as well (and Fedora, where I am a maintainer too)?

Best,

Matěj Cepl

--
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
 
This message has been composed of recycled electrons. None of
these electrons has been harmed or injured in the creation and
transmission of this message but they have been shamelessly
exploited for this use.

reply via email to
[Prev in Thread] Current Thread [Next in Thread]