Package: ispell
Version: 3.4.02
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com
Dear Maintainer,

there are potential buffer overflow vulnerabilities in ispell. In tree.c:163, the program reads the value of 'h' from an environment variable. Then at lines 219 and 278, it is passed to sprintf with no length check. Since the size of 'personaldict' is fixed, it may cause a buffer overflow, which leads to buggy behavior.

--------------------------------------------------
163     if ((h = getenv (HOME)) == NULL)
...
219     (void) sprintf (personaldict, "%s/%s%s", h == NULL ? "" : h,
220                     DEFPDICT, LibDict);
...
278     (void) sprintf (personaldict, "%s/%s", h, p);
--------------------------------------------------

Similar issues appear in ispell.c:

--------------------------------------------------
295     p = getenv (DICTIONARYVAR);
296     if (p != NULL)
297     {
298         if (last_slash (p) != NULL)
299             (void) strcpy (hashname, p);
300         else
301             (void) sprintf (hashname, "%s/%s", libdir, p);
--------------------------------------------------
1013    (void) sprintf (logfilename, "%s/%s/%s",
1014                    getenv ("HOME") == NULL ? "" : getenv ("HOME"),
1015                    DEFLOGDIR, LibDict);
--------------------------------------------------

Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages ispell depends on:
ii  libc6      2.31-13
ii  libtinfo6  6.2+20201114-2

Versions of packages ispell recommends:
pn  iamerican | ispell-dictionary  <none>
pn  wamerican | wordlist           <none>

Versions of packages ispell suggests:
pn  spell  <none>
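Added example, not part of the bug report above and not ispell's own code: the pattern the report describes (a fixed-size buffer filled by sprintf from an environment variable the user controls) shown next to two bounded replacements. DEFPDICT_EX, LIBDICT_EX and PERSONALDICT_SIZE are assumed stand-ins; the report does not show the real values of DEFPDICT, LibDict or the size of personaldict. The overflow is measured with snprintf(NULL, 0, ...) rather than triggered, so the program is safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for ispell's DEFPDICT and LibDict; the report does not show their
 * real values, so these are assumed for the demonstration. */
#define DEFPDICT_EX ".ispell_"
#define LIBDICT_EX  "english"

/* Assumed size of the fixed 'personaldict' array. The real size is not in the
 * report; what matters is that it is fixed while HOME is caller-controlled. */
#define PERSONALDICT_SIZE 64

/* Number of bytes (excluding the NUL) that the original
 *     sprintf(personaldict, "%s/%s%s", h == NULL ? "" : h, DEFPDICT, LibDict);
 * would write for a given HOME. snprintf(NULL, 0, ...) measures the formatted
 * length without writing anything, so we observe the overflow without causing it. */
size_t unchecked_write_length(const char *h)
{
    int n = snprintf(NULL, 0, "%s/%s%s", h == NULL ? "" : h, DEFPDICT_EX, LIBDICT_EX);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the unchecked sprintf would write past a buffer of bufsz bytes. */
int overflow_would_occur(const char *h, size_t bufsz)
{
    return unchecked_write_length(h) + 1 > bufsz;   /* +1 for the terminating NUL */
}

/* Hardened form for the fixed-buffer case: bounded write, and the caller is
 * told when the path does not fit instead of silently getting a truncated
 * (or overflowed) path. Returns 0 on success, -1 if HOME is unusable. */
int build_personaldict(char *out, size_t outsz, const char *h)
{
    int n = snprintf(out, outsz, "%s/%s%s", h == NULL ? "" : h, DEFPDICT_EX, LIBDICT_EX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';      /* never leave a partial path behind */
        return -1;
    }
    return 0;
}

/* Alternative fix: size the buffer from the inputs instead of using a fixed
 * array. Caller frees the result; returns NULL only on allocation failure. */
char *build_personaldict_alloc(const char *h)
{
    const char *home = h == NULL ? "" : h;
    size_t need = strlen(home) + 1 + strlen(DEFPDICT_EX) + strlen(LIBDICT_EX) + 1;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    snprintf(out, need, "%s/%s%s", home, DEFPDICT_EX, LIBDICT_EX);   /* always fits */
    return out;
}

/* Constructed input: a HOME of 199 'A's, far longer than the assumed buffer. */
const char *constructed_long_home(void)
{
    static char home[200];
    memset(home, 'A', sizeof home - 1);
    home[sizeof home - 1] = '\0';
    return home;
}

int main(void)
{
    char personaldict[PERSONALDICT_SIZE];
    const char *inputs[] = { "/home/user", constructed_long_home(), NULL };

    for (size_t i = 0; i < 3; i++) {
        const char *h = inputs[i];
        printf("HOME=%.20s%s: sprintf would write %zu bytes, overflow=%d, ",
               h ? h : "(unset)", (h && strlen(h) > 20) ? "..." : "",
               unchecked_write_length(h),
               overflow_would_occur(h, sizeof personaldict));
        if (build_personaldict(personaldict, sizeof personaldict, h) == 0)
            printf("bounded result: %s\n", personaldict);
        else
            printf("bounded build refused (HOME too long)\n");
    }
    return 0;
}
```

The same bounded-write-plus-check applies to the other sites in the report: the sprintf into hashname and logfilename, and the strcpy of p into hashname at ispell.c:299, which has no bound at all and needs an explicit length check (or snprintf with "%s") before the copy. Whichever fix is chosen, the caller has to handle the "does not fit" result; truncating a path silently can turn an overflow into reading or writing a different file.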