CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows

Debian Bug report logs - #352202

Package: tcc; Maintainer for tcc is Thomas Preud'homme <robotux@debian.org>; Source for tcc is src:tcc (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 10 Feb 2006 12:03:02 UTC

Severity: important

Tags: security

Found in version tcc/0.9.23-2

Fixed in version tcc/0.9.24~cvs20070502-1

Done: Aurélien GÉRÔME <ag@roxor.cx>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Romain Francoise <rfrancoise@debian.org>:
Bug#352202; Package tcc.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Romain Francoise <rfrancoise@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Fri, 10 Feb 2006 12:49:01 +0100
Package: tcc
Version: 0.9.23-2
Severity: grave
Tags: security
Justification: user security hole

"XFocus Security" discovered that tcc incorrectly evaluates certain sizeof()
expressions, which may lead to integer overflows. Please see
http://www.securityfocus.com/archive/1/archive/1/424257/100/0/threaded
for details.

This has been assigned CVE-2006-0635, please mention it in the changelog when
fixing it.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages tcc depends on:
ii  libc6                         2.3.5-13   GNU C Library: Shared libraries an

Versions of packages tcc recommends:
ii  libc6-dev [libc-dev]          2.3.5-13   GNU C Library: Development Librari

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#352202; Package tcc.


Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list.


Message #10 received at 352202@bugs.debian.org:

From: Romain Francoise <rfrancoise@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 352202@bugs.debian.org
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Sun, 26 Feb 2006 13:01:47 +0100
Update about this bug: I notified upstream about it two weeks ago but
nobody seemed to care; the project is pretty much dead upstream.

That being said, I'm not sure that the issue is RC anyway, the problem
remains theoretical and I don't think anyone in their right mind would
use tcc to compile production (i.e. security-sensitive) code...

What do you think?

-- 
  ,''`.
 : :' :        Romain Francoise <rfrancoise@debian.org>
 `. `'         http://people.debian.org/~rfrancoise/
   `-



Information forwarded to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#352202; Package tcc.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Romain Francoise <rfrancoise@debian.org>.


Message #15 received at 352202@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Romain Francoise <rfrancoise@debian.org>
Cc: 352202@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Sun, 26 Feb 2006 20:14:55 +0100
* Romain Francoise:

> Update about this bug: I notified upstream about it two weeks ago but
> nobody seemed to care; the project is pretty much dead upstream.

Do we really want to release software which is dead upstream?

> That being said, I'm not sure that the issue is RC anyway, the problem
> remains theoretical and I don't think anyone in their right mind would
> use tcc to compile production (i.e. security-sensitive) code...
>
> What do you think?

I think it's an ordinary wrong-code bug.  We need to draw a line
somewhere; otherwise *any* bug in GCC is a security bug, which makes
no sense.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#352202; Package tcc.


Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list.


Message #20 received at 352202@bugs.debian.org:

From: Romain Francoise <rfrancoise@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 352202@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Sun, 05 Mar 2006 20:50:07 +0100
Florian Weimer <fw@deneb.enyo.de> writes:

> I think it's an ordinary wrong-code bug.  We need to draw a line
> somewhere; otherwise *any* bug in GCC is a security bug, which makes
> no sense.

Yeah.

Moritz didn't reply so I'll just go ahead and lower the severity of this
bug to important.

-- 
  ,''`.
 : :' :        Romain Francoise <rfrancoise@debian.org>
 `. `'         http://people.debian.org/~rfrancoise/
   `-



Severity set to `important'. Request was from Romain Francoise <rfrancoise@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#352202; Package tcc.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Romain Francoise <rfrancoise@debian.org>.


Message #27 received at 352202@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Romain Francoise <rfrancoise@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 352202@bugs.debian.org
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Mon, 6 Mar 2006 10:09:40 +0100
Romain Francoise wrote:
> > I think it's an ordinary wrong-code bug.  We need to draw a line
> > somewhere; otherwise *any* bug in GCC is a security bug, which makes
> > no sense.
> 
> Yeah.
> 
> Moritz didn't reply so I'll just go ahead and lower the severity of this
> bug to important.

Sorry, I've been busy. Judging from the posted test code it seems as if
tcc returns int instead of size_t for sizeof; I'll try to cook up a patch
before Etch.
If no solution can be found until Etch it would still be good to reflect
tcc's state in the package description ("safe ANSI C compiler".) and add
a note that it's not ready for production use.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#352202; Package tcc.


Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list.


Message #32 received at 352202@bugs.debian.org:

From: Romain Francoise <rfrancoise@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 352202@bugs.debian.org
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Mon, 06 Mar 2006 10:26:37 +0100
Moritz Muehlenhoff <jmm@inutil.org> writes:

> Judging from the posted test code it seems as if tcc returns int
> instead of size_t for sizeof;

Yes, that's the problem, as noted in:

  http://lists.gnu.org/archive/html/tinycc-devel/2006-02/msg00001.html

> If no solution can be found until Etch it would still be good to
> reflect tcc's state in the package description ("safe ANSI C
> compiler".) and add a note that it's not ready for production use.

Agreed.

-- 
  ,''`.
 : :' :        Romain Francoise <rfrancoise@debian.org>
 `. `'         http://people.debian.org/~rfrancoise/
   `-



Information forwarded to debian-bugs-dist@lists.debian.org, Romain Francoise <rfrancoise@debian.org>:
Bug#352202; Package tcc.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Romain Francoise <rfrancoise@debian.org>.


Message #37 received at 352202@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Romain Francoise <rfrancoise@debian.org>
Cc: 352202@bugs.debian.org
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Sun, 17 Sep 2006 01:24:56 +0200
Romain Francoise wrote:
> > Judging from the posted test code it seems as if tcc returns int
> > instead of size_t for sizeof;
> 
> Yes, that's the problem, as noted in:
> 
>   http://lists.gnu.org/archive/html/tinycc-devel/2006-02/msg00001.html
> 
> > If no solution can be found until Etch it would still be good to
> > reflect tcc's state in the package description ("safe ANSI C
> > compiler".) and add a note that it's not ready for production use.
> 
> Agreed.

Can you please add such a note? I don't think I'm going to have enough time
to prepare a patch for this.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#352202; Package tcc.


Acknowledgement sent to Romain Francoise <rfrancoise@debian.org>:
Extra info received and forwarded to list.


Message #42 received at 352202@bugs.debian.org:

From: Romain Francoise <rfrancoise@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 352202@bugs.debian.org
Subject: Re: Bug#352202: CVE-2006-0635: Incorrect parsing of sizeof() may introduce integer overflows
Date: Sat, 23 Sep 2006 23:02:30 +0200
Moritz Muehlenhoff <jmm@inutil.org> writes:

> Can you please add such a note? I don't think I'm going to have enough
> time to prepare a patch for this.

Ok, done.

Cheers,

-- 
  ,''`.
 : :' :        Romain Francoise <rfrancoise@debian.org>
 `. `'         http://people.debian.org/~rfrancoise/
   `-



Tags added: pending Request was from Aurélien GÉRÔME <ag@roxor.cx> to control@bugs.debian.org. (Thu, 03 May 2007 14:27:11 GMT)


Reply sent to Aurélien GÉRÔME <ag@roxor.cx>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.


Message #49 received at 352202-close@bugs.debian.org:

From: Aurélien GÉRÔME <ag@roxor.cx>
To: 352202-close@bugs.debian.org
Subject: Bug#352202: fixed in tcc 0.9.24~cvs20070502-1
Date: Tue, 08 May 2007 10:32:03 +0000
Source: tcc
Source-Version: 0.9.24~cvs20070502-1

We believe that the bug you reported is fixed in the latest version of
tcc, which is due to be installed in the Debian FTP archive:

tcc_0.9.24~cvs20070502-1.diff.gz
  to pool/main/t/tcc/tcc_0.9.24~cvs20070502-1.diff.gz
tcc_0.9.24~cvs20070502-1.dsc
  to pool/main/t/tcc/tcc_0.9.24~cvs20070502-1.dsc
tcc_0.9.24~cvs20070502-1_i386.deb
  to pool/main/t/tcc/tcc_0.9.24~cvs20070502-1_i386.deb
tcc_0.9.24~cvs20070502.orig.tar.gz
  to pool/main/t/tcc/tcc_0.9.24~cvs20070502.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 352202@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurélien GÉRÔME <ag@roxor.cx> (supplier of updated tcc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 08 May 2007 02:36:47 +0200
Source: tcc
Binary: tcc
Architecture: source i386
Version: 0.9.24~cvs20070502-1
Distribution: unstable
Urgency: low
Maintainer: Aurélien GÉRÔME <ag@roxor.cx>
Changed-By: Aurélien GÉRÔME <ag@roxor.cx>
Description: 
 tcc        - the smallest ANSI C compiler
Closes: 352202 418360 419203 419423 420643
Changes: 
 tcc (0.9.24~cvs20070502-1) unstable; urgency=low
 .
   [ Aurélien GÉRÔME ]
   * New maintainer and co-maintainer. (Closes: #420643)
   * Add the XS-Vcs-Git and XS-Vcs-Browser fields to debian/control.
   * Update homepage with the tiny URL in debian/control.
   * Remove unused ${misc:Depends} from debian/control.
   * Short description in debian/control is not a sentence, so start
     by a lowercase.
   * Remove unused debhelper tools from debian/rules.
   * Run test suite in debian/rules.
   * Remove .pc/ directory after build in the clean target of
     debian/rules.
   * Update debian/copyright.
   * TinyCC is no longer maintained upstream: use the latest CVS which
     contains some fixes. See the upstream Changelog for details.
     + Fix SIGSEGV due to tcc_load_dll() which read past the end of
       a buffer. (Closes: #418360)
   * Add quilt support. (Closes: #419423)
     Break out monolithic patch into the following patches:
     + buildsys.diff:
       - use "-O2 -g -Wall" as the Debian Policy recommends;
     + fhs.diff:
       - use FHS paths in examples and documentation;
     + 259619_error_init_char_array_with_non_literal.diff;
     + 283066_add_va_copy_define.diff:
       - disabled, merged upstream;
     + 322913_fix_casts_from_fp_to_bool.diff;
     + 372908_add_kfreebsd_arch.diff.
   * Add 352202_fix_int_overflow.diff to fix CVE-2006-0635, thanks to
     Rob Landley. (Closes: #352202)
     + The sizeof, __alignof, and __alignof__ statements now return
       an unsigned int.
     + Add a test case for this vulnerability.
 .
   [ Thomas Preud'homme ]
   * Add 419203_fix_sizeof_parse_error.diff to fix a bad parsing in
     sizeof. (Closes: #419203)
     + Add two tests for sizeof without parenthesis.
Files: 
 67330c59a1a59f101702456622d17112 762 devel optional tcc_0.9.24~cvs20070502-1.dsc
 4d3156868bbd386780b4da78477fcd5e 404434 devel optional tcc_0.9.24~cvs20070502.orig.tar.gz
 884821ab9759acd24608a6b929903e0e 8470 devel optional tcc_0.9.24~cvs20070502-1.diff.gz
 91f542ece0cc80d18ba1f9935b63af83 121628 devel optional tcc_0.9.24~cvs20070502-1_i386.deb

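The thread's diagnosis (tcc 0.9.23 evaluating sizeof as int rather than size_t) and the changelog's fix (unsigned int) in one constructed C example; this is added illustration, not code from the bug report or from tcc, and the INT_SIZEOF/UINT_SIZEOF macros only stand in for the two compiler behaviours so the effect can be observed with any compiler. It shows why a signed-length bounds check silently accepts a negative length when sizeof yields int, and what that length becomes at the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a fixed-size record and a length check that an
 * untrusted, signed length n must pass before being copied into it. */
typedef struct { char payload[64]; } msg_t;

/* Stand-ins for the two compiler behaviours discussed in this bug
 * (not tcc's code): sizeof typed as int (0.9.23) and as unsigned int
 * (the 352202_fix_int_overflow.diff fix). A conforming compiler gives
 * size_t, which plain sizeof() below already does. */
#define INT_SIZEOF(x)  ((int)sizeof(x))
#define UINT_SIZEOF(x) ((unsigned int)sizeof(x))

/* Conforming compiler: returns 1 if n is accepted, 0 if rejected.
 * n converts to size_t, so -1 becomes SIZE_MAX and fails the test. */
int accepts_size_t(int n)
{
    return n <= sizeof(msg_t) ? 1 : 0;
}

/* Buggy compiler: both operands are int, so -1 <= 64 holds and the
 * negative length passes the bounds check. */
int accepts_int_sizeof(int n)
{
    return n <= INT_SIZEOF(msg_t) ? 1 : 0;
}

/* Fixed compiler: unsigned int has the rank of int, so n converts to
 * unsigned and the negative length is rejected again. */
int accepts_uint_sizeof(int n)
{
    return n <= UINT_SIZEOF(msg_t) ? 1 : 0;
}

/* What an accepted negative length becomes at the copy: memcpy takes
 * size_t, so -1 turns into SIZE_MAX, far past the 64-byte payload. */
size_t copy_length(int n)
{
    return (size_t)n;
}

int main(void)
{
    printf("size_t sizeof: %d  int sizeof: %d  unsigned sizeof: %d\n",
           accepts_size_t(-1), accepts_int_sizeof(-1), accepts_uint_sizeof(-1));
    printf("length handed to memcpy if accepted: %zu\n", copy_length(-1));
    return 0;
}
```

On LP64 targets an unsigned int sizeof still loses against a 64-bit signed length (a long operand converts the unsigned int to long, so -1L <= 64L holds), which is why size_t, the type the C standard specifies for sizeof, is the one to rely on.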




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Jun 2007 07:26:24 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:24:55 2019; Machine Name: beach