[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]
Rafael Laboissiere
rafael at debian.org
Sat Sep 15 12:17:47 UTC 2007
* Andrew Makhorin <mao at gnu.org> [2007-09-15 15:59]:
> > We are not talking about normal users following the conventions. We are
> > talking about a malicious hacker that could exploit the buffer overflow
> > vulnerability currently in GLPK. I do not know much about such exploits
> > (and have no interest in learning them either) but knowing that Debian is
> > currently distributing libglpk with such a vulnerability makes me really
> > nervous.
>
> I do not think that that could jeopardize the system, only the application.

I would not underestimate the creativity of the malicious crackers nowadays.
Buffer overflow vulnerabilities are carefully addressed. A search at the
cve.mitre.org website for "buffer overflow" [1] yields 4840 hits.

[1] http://www.google.com/custom?q=buffer+overflow&sa=Google+Search&cof=S%3Ahttp%3A%2F%2Fcve.mitre.org%3BGL%3A0%3BAH%3Aleft%3BLC%3A%23009%3BL%3Ahttp%3A%2F%2Fcve.mitre.org%2Fimages%2Fgoogle_cvelogo.jpg%3BAWFID%3Adf91761661c84389%3B&domains=cve.mitre.org&sitesearch=cve.mitre.org

> > I think that I will patch your sources for the Debian package along the
> > vsnprintf lines suggested by Peter. I would encourage you to fix the
> > problem in the GLPK source.
>
> Okay. I will make necessary changes to use vsnprintf rather than vsprintf
> in the next release.
Thanks. In the meanwhile, I uploaded the patched version 4.21-2 of the
Debian package.
--
Rafael
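
The change from vsprintf to vsnprintf discussed in this thread, as an added illustration that is not part of the original message and is not the GLPK or Debian patch: a printf-style wrapper that bounds the write and reports truncation. The names `bounded_vformat`, `bounded_format`, `MSG_BUF_SIZE` and the sample input are assumptions constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 64 /* hypothetical fixed buffer size, kept small for the demo */

/* Format into buf, never writing more than size bytes (terminator included).
 * Returns the length the full output needs, or a negative value on error. */
static int bounded_vformat(char *buf, size_t size, int *truncated,
                           const char *fmt, va_list ap)
{
    int needed = vsnprintf(buf, size, fmt, ap);
    if (needed < 0 && size > 0)
        buf[0] = '\0';                      /* leave a valid empty string */
    *truncated = (needed >= 0 && (size_t)needed >= size);
    return needed;
}

/* Variadic front end, in the style of a library's own printf wrapper. */
int bounded_format(char *buf, size_t size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = bounded_vformat(buf, size, truncated, fmt, ap);
    va_end(ap);
    return needed;
}

/* Constructed check: oversized input, with a guard byte right after the buffer. */
int demo_long_input_is_contained(void)
{
    struct { char msg[MSG_BUF_SIZE]; unsigned char guard; } s;
    char big[200];
    int truncated = 0;
    memset(big, 'A', sizeof big - 1);       /* 199 'A' characters */
    big[sizeof big - 1] = '\0';
    s.guard = 0x5A;
    int needed = bounded_format(s.msg, sizeof s.msg, &truncated, "name=%s", big);
    return needed == 204 && truncated == 1 && s.guard == 0x5A
        && strlen(s.msg) == MSG_BUF_SIZE - 1;
}

int main(void)
{
    puts(demo_long_input_is_contained() ? "contained" : "overflow");
    return 0;
}
```

With vsprintf the same call would have no size argument at all, so the 204-byte result would be written straight past the 64-byte buffer.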