Package: nickle
Version: 2.90
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com
Dear Maintainer,

I found a potential buffer overflow vulnerability in edit.c. At line 30, the program reads the value of 'editor' from an environment variable. Since the size of 'buf' is fixed at 1024, if a malicious attacker puts a large string in 'editor', it may cause a stack buffer overflow at line 34, which leads to buggy behavior.

------------------------------------------------
30     if (!(editor = getenv ("EDITOR")))
31         editor = DEFAULT_EDITOR;
32     if (!file_name)
33         file_name = "";
34     (void) sprintf (buf, "%s %s", editor, file_name);
------------------------------------------------

Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages nickle depends on:
ii  libc6        2.31-13
ii  libreadline8 8.1-1

nickle recommends no packages.

nickle suggests no packages.
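A hardened form of the sprintf() call quoted above, added here as example code (not nickle's source): DEFAULT_EDITOR is a placeholder and the file name is constructed. The point is the check on snprintf()'s return value, which turns an oversized $EDITOR from a stack overflow into a rejected input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_EDITOR "vi"   /* placeholder; nickle's real default is not in the report */
#define CMD_BUF_SIZE 1024     /* same fixed size as 'buf' in the report */

/*
 * Hardened replacement for the sprintf() at edit.c line 34 (example, not
 * nickle's own code). snprintf() never writes past bufsz bytes, and its
 * return value is the length the full string would need, so an oversized
 * $EDITOR is detected and rejected. Returns 0 on success, -1 if it does not fit.
 */
int build_editor_cmd(char *buf, size_t bufsz,
                     const char *editor, const char *file_name)
{
    if (!editor || !*editor)
        editor = DEFAULT_EDITOR;
    if (!file_name)
        file_name = "";

    int needed = snprintf(buf, bufsz, "%s %s", editor, file_name);
    if (needed < 0 || (size_t)needed >= bufsz) {
        /* Too long (or encoding error): never use a silently truncated command. */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Demonstration: a constructed 2000-byte $EDITOR value must be rejected. */
int demo_oversized_editor(void)
{
    char buf[CMD_BUF_SIZE];
    char big[2000];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_editor_cmd(buf, sizeof buf, big, "file.txt");
}

int main(void)
{
    char buf[CMD_BUF_SIZE];
    int rc = build_editor_cmd(buf, sizeof buf, getenv("EDITOR"), "file.txt");
    printf("real $EDITOR: %s\n", rc == 0 ? buf : "(rejected: too long)");
    printf("2000-byte $EDITOR rejected: %s\n",
           demo_oversized_editor() == -1 ? "yes" : "no");
    return 0;
}
```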