Package: nickle
Version: 2.90
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

I found a potential buffer overflow vulnerability in edit.c.

At line 30, the program reads the value of 'editor' from an environment
variable.
Since the size of 'buf' is fixed to 1024, if a malicious attack puts a large
string into 'editor',
it may cause a stack buffer overflow at line 34, which leads to buggy behavior.

------------------------------------------------
30 if (!(editor = getenv ("EDITOR")))
31   editor = DEFAULT_EDITOR;
32 if (!file_name)
33   file_name = "";
34 (void) sprintf (buf, "%s %s", editor, file_name);
------------------------------------------------

Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages nickle depends on:
ii  libc6         2.31-13
ii  libreadline8  8.1-1

nickle recommends no packages.

nickle suggests no packages.
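The report describes the classic unbounded-sprintf pattern: an attacker-controlled environment value is formatted into a fixed 1024-byte stack buffer. The following is an added example (not nickle's code and not part of the bug report) showing the bounded form a fix would take: snprintf with an explicit truncation check, so an oversized $EDITOR is rejected instead of overflowing. BUF_SIZE, DEFAULT_EDITOR's value ("vi"), the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nickle's edit.c. It mirrors the shape of the
 * reported code: an editor name from $EDITOR and a file name joined
 * into a fixed 1024-byte command buffer. BUF_SIZE matches the size
 * given in the report; the DEFAULT_EDITOR value is an assumption. */
#define BUF_SIZE 1024
#define DEFAULT_EDITOR "vi"

/* Bounded replacement for `sprintf (buf, "%s %s", editor, file_name)`.
 * Returns 0 when the whole command fits in buf, -1 when it would have
 * been truncated (which is exactly the case where sprintf would have
 * written past the end of buf). On -1, buf is emptied so a caller
 * cannot accidentally execute a half-built command line. */
int build_edit_command(char *buf, size_t bufsz,
                       const char *editor, const char *file_name)
{
    int n;

    if (!editor || !*editor)
        editor = DEFAULT_EDITOR;
    if (!file_name)
        file_name = "";

    /* snprintf writes at most bufsz bytes (NUL included) but returns the
     * length the full string would have had, so n >= bufsz means the
     * output was cut short. */
    n = snprintf(buf, bufsz, "%s %s", editor, file_name);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz > 0)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same lookup as the reported code (getenv("EDITOR")), routed through
 * the bounded builder. Hypothetical helper name. */
int build_from_environment(char *buf, size_t bufsz, const char *file_name)
{
    return build_edit_command(buf, bufsz, getenv("EDITOR"), file_name);
}

/* Returns 1 if an ordinary editor/file pair is formatted as expected. */
int check_normal_input(void)
{
    char buf[BUF_SIZE];

    if (build_edit_command(buf, sizeof buf, "vi", "file.txt") != 0)
        return 0;
    return strcmp(buf, "vi file.txt") == 0;
}

/* Returns 1 if a constructed 2047-byte $EDITOR value (larger than the
 * whole buffer) is rejected and the buffer is left empty. */
int check_oversized_input(void)
{
    char buf[BUF_SIZE];
    char long_editor[2048];

    memset(long_editor, 'A', sizeof long_editor - 1);   /* constructed input */
    long_editor[sizeof long_editor - 1] = '\0';

    if (build_edit_command(buf, sizeof buf, long_editor, "file.txt") != -1)
        return 0;
    return buf[0] == '\0';
}

int main(void)
{
    printf("normal input formatted:   %s\n", check_normal_input() ? "yes" : "no");
    printf("oversized input rejected: %s\n", check_oversized_input() ? "yes" : "no");
    return 0;
}
```

The truncation check is the important part: replacing sprintf with snprintf alone stops the memory corruption but silently runs a truncated command, so the caller should treat -1 as an error rather than proceed.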
