Hi Matthew!

> This prompted me to take a quick look at the source. There are multiple
> trivially exploitable buffer overflows in this code. E.g.
> src/cryptopass.c:147-149 [0]:
>
>     usernamelen = strlen(argv[1]);
>
>     memcpy(username, argv[1], usernamelen);
>
> You could argue this program is only intended to receive input from a trusted
> user, but is a user meant to comprehend that passing large command line
> arguments results in memory corruption? Obviously everyone is free to develop
> code how they like, but IMHO security packages should be using fuzz testing,
> that would easily find this issue. AFAICT this code base has no test suite. I
> would suggest adding one as well as fuzzing this code before exposing the
> downstream public to it.
>
> [0]:
> https://github.com/basilgello/cryptopass/blob/master/src/cryptopass.c#L147-L149
Ouch! That was kinda chilling! :)

Finding bugs for others does not guarantee you won't make your own.

> I would suggest adding one as well as fuzzing this code before exposing the
> downstream public to it.

Will fix the issues and add testsuite && fuzzcorp ASAP.

BTW I fixed all the stuff GCC 8.3.0 reported to me with FORTIFY_SOURCE=2 before
pushing code to GitHub. Did you use GCC 10?

Cheers,
-- 
Vasyl Gello
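For readers following the thread, here is an added example (not cryptopass code, and not from either poster) of the two things Matthew's mail asks for: a bounded replacement for the quoted `strlen`/`memcpy` pair, and a libFuzzer-style harness that exercises it. The destination size `USERNAME_MAX` is an assumption, since the quoted lines do not show how large the real `username[]` buffer is.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; the quoted lines do not show the real one. */
#define USERNAME_MAX 64

/*
 * Hardened replacement for the quoted pattern
 *     usernamelen = strlen(argv[1]);
 *     memcpy(username, argv[1], usernamelen);
 * The copy length is bounded by the destination, not by the caller-supplied
 * string, and an argument that does not fit is rejected rather than truncated
 * silently or written past the end of the buffer. Returns true on success.
 */
bool copy_username(char dst[USERNAME_MAX], const char *src)
{
    /* Scan at most USERNAME_MAX bytes: a NUL must appear before the buffer
     * would be full, otherwise there is no room for the terminator. */
    const char *end = memchr(src, '\0', USERNAME_MAX);
    if (end == NULL)
        return false;
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/*
 * libFuzzer entry point (build with: clang -fsanitize=fuzzer,address ...).
 * Each input is NUL-terminated the way an argv string would be and passed to
 * copy_username; with the original unbounded memcpy in its place, ASan would
 * report the out-of-bounds write on the first over-long input.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char arg[1024];
    char username[USERNAME_MAX];
    if (size >= sizeof(arg))
        return 0;                 /* argv cannot exceed the kernel's limit anyway */
    memcpy(arg, data, size);
    arg[size] = '\0';
    (void)copy_username(username, arg);
    return 0;
}

int main(int argc, char **argv)
{
    char username[USERNAME_MAX];
    if (argc != 2 || !copy_username(username, argv[1])) {
        fprintf(stderr, "usage: %s USERNAME (at most %d chars)\n", argv[0], USERNAME_MAX - 1);
        return 1;
    }
    printf("ok: %s\n", username);
    return 0;
}
```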