Hi,

On Wed, Jan 31, 2024 at 10:05:04AM +0100, Robert Luberda wrote:
> clone 1021738 -1
> retitle 1021738 man2html: CVE-2021-40647
> tags 1021738 +pending
> retitle -1 man2html: CVE-2021-40648
> tags -1 +moreinfo
> thanks
>
> Moritz Mühlenhoff wrote:
> > Hi
>
> First of all I'm sorry for not taking care of it earlier; I didn't have
> time for Debian work in the previous year.
>
> >
> > The following vulnerabilities were published for man2html.
> >
> > CVE-2021-40647[0]:
>
> Ok, this is quite easy to fix, I will upload a fixed version soon.
>
> > CVE-2021-40648[1]:
> > | In man2html 1.6g, a filename can be created to overwrite the previous
> > | size parameter of the next chunk and the fd, bk, fd_nextsize,
>
> According to instructions given at
> https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 I tried to
> reproduce this with the following commands:
>
> file=$(perl -e 'print "A" x 132')
> touch $file
> man2html $file
>
> I used man2html built with AddressSanitizer and it found only a few small
> memory leaks coming from global variables.
>
> So I have no idea what really is wrong in this CVE. The source code
> references given at the above link actually refer to calls to the
> fopen()/fclose() functions rather than directly to malloc() and free().
I tried to get an idea from the report, but I failed tbh. I asked though
https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933?permalink_comment_id=4872855#gistcomment-4872855.
But maybe, as this won't crash the program, we could mark it as unimportant
and having a negligible security impact.

Regards,
Salvatore