Source: rplay
Version: 3.3.2-21
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
I've had a very quick look at the rplay source and found:
* In rplay/rplay.c line 600, the use of atoi() on something that
looks like unsanitized data from a remote server (atoi() reports no
errors, and its behavior is undefined if the value does not fit in
an int):
remote_size = -1;
p = rptp_parse(response, "size");
if (p)
remote_size = atoi(p);
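* Various malloc() calls without a check for failure, where the
returned pointer is used right away (dereferenced, or passed to
memcpy()/strcpy()), such as: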
contrib/rplaytool-1.1/misc.c: INFO *info = (INFO *) malloc (sizeof (INFO));
contrib/rplaytool-1.1/misc.c-
contrib/rplaytool-1.1/misc.c- info->filename[0] = '\0';
contrib/rplaytool-1.1/rplaytool_stubs.c: sp = (SPOOL *) malloc
(sizeof (SPOOL));
contrib/rplaytool-1.1/rplaytool_stubs.c- sp->id = id;
contrib/xjukebox-0.9/xjukebox.c- if (*list != NULL)
contrib/xjukebox-0.9/xjukebox.c- *list = (spool_info **)realloc(*list,
(*items_count + 1) *
--
contrib/xjukebox-0.9/xjukebox.c: *list = (spool_info
**)malloc(sizeof(spool_info *));
contrib/xjukebox-0.9/xjukebox.c- }
contrib/xjukebox-0.9/xjukebox.c- (*list)[*items_count] = new_item;
contrib/xjukebox-0.9/xjukebox.c- if ((*nlist != NULL) && (*nlist !=
empty_list))
contrib/xjukebox-0.9/xjukebox.c- *nlist = (String *)realloc(*nlist,
(*items_count + 1) * sizeof(String));
contrib/xjukebox-0.9/xjukebox.c- else
contrib/xjukebox-0.9/xjukebox.c: *nlist = (String *)malloc(sizeof(String));
contrib/xjukebox-0.9/xjukebox.c- (*nlist)[*items_count] = new_item->sound;
contrib/xjukebox-0.9/xjukebox.c: new_item = (spool_info
*)malloc(sizeof(spool_info));
contrib/xjukebox-0.9/xjukebox.c-
contrib/xjukebox-0.9/xjukebox.c- new_item->sid = atoi (1 + rptp_parse
(new_info, "id"));
librplay/async.c: new->data = malloc(nbytes);
librplay/async.c- memcpy(new->data, ptr, nbytes);
librplay/async.c: new = (ibuf *) malloc(sizeof(ibuf));
librplay/async.c- new->next = NULL;
librplay/rplay.c: rp->data = (char *) malloc(rp->data_size);
librplay/rplay.c- memcpy(rp->data, packet, rp->data_size);
rplay/rplay.c: name = (char *) malloc(strlen(cwd) +
strlen(argv[optind]) + 2);
rplay/rplay.c- strcpy(name, cwd);
rplayd/rplayd.c: s = (SERVER *) malloc(sizeof(SERVER));
rplayd/rplayd.c- s->next = NULL;
rx/rxanal.c: *subexps = (struct rexp_node **)malloc (sizeof (struct
rexp_node *) * *re_nsub);
rx/rxanal.c- else
rx/rxanal.c- *subexps = (struct rexp_node **)realloc (*subexps,
rx/rxanal.c- sizeof (struct
rexp_node *) * *re_nsub);
rx/rxanal.c- }
rx/rxanal.c- }
rx/rxanal.c- if (node->params.pair.left)
rx/rxanal.c- id = rx_posix_analyze_rexp (subexps, re_nsub,
node->params.pair.left, id);
rx/rxnfa.c: consed = (struct rx_se_list *) malloc (sizeof (*consed));
rx/rxnfa.c- *consed = template;
rx/rxnode.c: n = (struct rexp_node *) malloc (sizeof (*n));
rx/rxnode.c- rx_bzero ((char *)n, sizeof (*n));
rx/rxunfa.c: cr = (struct rx_cached_rexp *)malloc (sizeof (*cr));
rx/rxunfa.c- rx_bzero ((char *)cr, sizeof (*cr));
Has the code been audited?
-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500,
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.7.12-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)