|
Bugzilla – Full Text Bug Listing |
| Summary: | No checks for buffer() | ||
|---|---|---|---|
| Product: | Sudo | Reporter: | Dhiraj <mishra.dhiraj95> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED INVALID | ||
| Severity: | high | ||
| Priority: | low | ||
| Version: | 1.8.22 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
If you take a closer look you will see that code is only used when NO_snprintf or NO_vsnprintf is defined. Those are never defined when zlib is built as part of sudo. |
Hi Team, The code /lib/zlib/gzlib.c:614 i.e strcat(state->msg, msg); Does not check for buffer overflows when copying to destination which is [MS-banned] (CWE-120). using snprintf, strcpy_s, or strlcpy (strncpy easily misused). Request team to please have a look. Thank you Dhiraj