[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]

Rafael Laboissiere rafael at debian.org
Sat Sep 15 12:17:47 UTC 2007


* Andrew Makhorin <mao at gnu.org> [2007-09-15 15:59]:

> > We are not talking about normal users following the conventions.  We are
> > talking about a malicious hacker that could exploit the buffer overflow
> > vulnerability currently in GLPK.  I do not know much about such exploits
> > (and have no interest in learning them either) but knowing that Debian is
> > currently distributing libglpk with such a vulnerability makes me really
> > nervous.
> 
> I do not think that that could jeopardize the system, only the application.

I would not underestimate the creativity of the malicious crackers nowadays.
Buffer overflow vulnerabilities are carefully addressed.  A search at the
cve.mitre.org website for "buffer overflow" [1] yields 4840 hits.

[1] http://www.google.com/custom?q=buffer+overflow&sa=Google+Search&cof=S%3Ahttp%3A%2F%2Fcve.mitre.org%3BGL%3A0%3BAH%3Aleft%3BLC%3A%23009%3BL%3Ahttp%3A%2F%2Fcve.mitre.org%2Fimages%2Fgoogle_cvelogo.jpg%3BAWFID%3Adf91761661c84389%3B&domains=cve.mitre.org&sitesearch=cve.mitre.org

> > I think that I will patch your sources for the Debian package along the
> > vsnprintf lines suggested by Peter.  I would encourage you to fix the
> > problem in the GLPK source.
> 
> Okay. I will make necessary changes to use vsnprintf rather than vsprintf
> in the next release.

Thanks. In the meantime, I uploaded the patched version 4.21-2 of the
Debian package.

-- 
Rafael
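
The vsprintf-to-vsnprintf change discussed in this message, as an added example that is not part of the original e-mail and is not the GLPK source or the Debian patch. The buffer size and every function name below are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 64 /* assumed; the real buffer size is not given in this thread */

/* Hypothetical helper: format into a fixed buffer without writing past it.
 * Returns 0 if the text fit, 1 if it was truncated, -1 on error. */
static int bounded_vformat(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n;
    if (buf == NULL || size == 0) return -1;
    n = vsnprintf(buf, size, fmt, ap); /* writes at most size-1 chars plus NUL */
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= size ? 1 : 0; /* n is the length the full text needed */
}

static int bounded_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = bounded_vformat(buf, size, fmt, ap);
    va_end(ap);
    return rc;
}

/* Constructed check: an argument four times the buffer size must be cut off
 * at the buffer boundary and must leave the adjacent field untouched. */
struct frame { char buf[MSG_BUF_SIZE]; unsigned int canary; };
static int oversized_input_is_contained(void)
{
    char long_name[4 * MSG_BUF_SIZE];
    struct frame f;
    int rc;
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    f.canary = 0xC0FFEEu;
    rc = bounded_format(f.buf, sizeof f.buf, "cannot open %s", long_name);
    return rc == 1 && strlen(f.buf) == (size_t)MSG_BUF_SIZE - 1 && f.canary == 0xC0FFEEu;
}

int main(void)
{
    return oversized_input_is_contained() ? 0 : 1;
}
```

With vsprintf in place of vsnprintf the same call would write the full formatted length regardless of the destination size; the return value of 1 here lets the caller log or reject a truncated message instead of silently using it.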




