Package: manpages-dev
Version: 3.51-1
Severity: normal

The readdir(3) / readdir_r(3) man page says about readdir_r():

    Since POSIX.1 does not specify the size of the d_name field, and
    other nonstandard fields may precede that field within the dirent
    structure, portable applications that use readdir_r() should
    allocate the buffer whose address is passed in entry as follows:

        name_max = pathconf(dirpath, _PC_NAME_MAX);
        if (name_max == -1)         /* Limit not defined, or error */
            name_max = 255;         /* Take a guess */
        len = offsetof(struct dirent, d_name) + name_max + 1;
        entryp = malloc(len);

But if name_max is wrong and a file has a name greater than what has
been allocated for d_name, this will yield a buffer overflow. Thus
the man page should strongly discourage the use of readdir_r() for
security reasons. See

  http://elliotth.blogspot.fr/2012/10/how-not-to-use-readdirr3.html

Note that even if pathconf doesn't fail, this is not safe due to the
race condition (as mentioned at the above URL) and also because
_PC_NAME_MAX just means "the maximum length of a filename in the
directory path [or fd] that the process is allowed to create."; other
processes may have created longer filenames, and indeed the
pathconf(3) man page says:

    Files with name lengths longer than the value returned for _name_
    equal to _PC_NAME_MAX may exist in the given directory.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages manpages-dev depends on:
ii  manpages  3.51-1

manpages-dev recommends no packages.

Versions of packages manpages-dev suggests:
ii  man-db [man-browser]  2.6.5-2

-- no debconf information
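
The point made in the report above, as an added example that is not part of the original message or of the man page: iterate with readdir(), where libc owns the entry buffer, and count the names that would not fit a caller buffer sized for a given limit, next to the size the quoted recipe would compute. The function names, the /tmp template and the sample file are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Buffer size the quoted man page recipe would allocate for readdir_r(). */
long manpage_entry_size(const char *dirpath) {
    long name_max = pathconf(dirpath, _PC_NAME_MAX);
    if (name_max == -1) name_max = 255;   /* limit not defined, or error */
    return (long)offsetof(struct dirent, d_name) + name_max + 1;
}

/* Walk dirpath with readdir() and count names longer than name_max,
 * i.e. names a buffer sized for name_max could not hold. -1 on error. */
long count_names_over(const char *dirpath, long name_max) {
    DIR *d = opendir(dirpath);
    if (d == NULL) return -1;
    long over = 0;
    struct dirent *e;
    while (errno = 0, (e = readdir(d)) != NULL)
        if ((long)strlen(e->d_name) > name_max) over++;
    int err = errno;   /* readdir(): NULL with errno set means error */
    closedir(d);
    return err ? -1 : over;
}

/* Constructed sample input: a fresh temp directory holding one file whose
 * name is name_len 'a' characters. tmpl must end in "XXXXXX". */
int make_sample_dir(char *tmpl, size_t name_len) {
    char path[512];
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + name_len + 2 > sizeof path) return -1;
    int n = snprintf(path, sizeof path, "%s/", tmpl);
    memset(path + n, 'a', name_len);
    path[n + name_len] = '\0';
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    return fd < 0 ? -1 : close(fd);
}

int main(void) {
    char dir[] = "/tmp/readdir_demo_XXXXXX";
    if (make_sample_dir(dir, 20) != 0) return 1;
    printf("recipe size: %ld, names longer than 10: %ld\n",
           manpage_entry_size(dir), count_names_over(dir, 10));
    return 0;
}
```

The limit of 10 stands in for a too-small name_max; the sample directory is left in /tmp after the run.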