Description of problem:
I am using the mirrordir tool to mirror some FTP repositories. With the Mageia 7 package, I got the following error message:

    # mirrordir -v -t ftp://mirror.in2p3.fr/pub/linux/CentOS/7.7.1908/updates/x86_64/Packages .
    mirrordir: ---verbose--- ftpfs: making connection to mirror.in2p3.fr
    mirrordir: ---verbose--- ftpfs: sending login name
    mirrordir: ---verbose--- ftpfs: sending user password
    mirrordir: ---verbose--- ftpfs: logged in
    ftpfs: got listing
    *** buffer overflow detected ***: mirrordir terminated
    Abandon (core dumped)

I have rebuilt on Mageia 7 (from src.rpm) the 0.10.49-25 version (released in Mageia 6) and this version is working.

Version-Release number of selected component (if applicable):
mirrordir-0.10.49-27.mga7

How reproducible:

Steps to Reproduce:
1. mirrordir -v -t ftp://mirror.in2p3.fr/pub/linux/CentOS/7.7.1908/updates/x86_64/Packages .

Thank you for reporting the fault, and building a fix. The fault is exactly reproducible as described [note the final '.' ; -v = verbose, -t = test] with mirrordir-0.10.49-27.mga7.x86_64. The package has no maintainer, so assigning this globally.
Assignee: bugsquad => pkg-bugs
It must have been our optflags that broke it: http://svnweb.mageia.org/packages?view=revision&revision=1148574
CC: (none) => geiger.david68210
I have removed the optflags from the spec file, rebuilt the Mageia 7 package, and YES, it works!

Suggested advisory:
========================

The updated packages fix a buffer overflow that leads to a crash of "mirrordir" command.

References:
https://bugs.mageia.org/show_bug.cgi?id=25748
========================

Updated packages in core/updates_testing:
========================
mirrordir-0.10.49-27.1.mga7
lib(64)diffie1-0.10.49-27.1.mga7
lib(64)diffie-devel-0.10.49-27.1.mga7

from SRPMS:
mirrordir-0.10.49-27.1.mga7.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
IMO the fix is not correct. It makes the pkg work, but we should fix the code instead of removing our compiler flags. The .spec could also be simplified. -D_foo=bar flags should go to CPPFLAGS instead of CFLAGS. And instead of using sed with %optflags, one should just use "%global _fortify_cflags %nil" to skip "-Wp,-D_FORTIFY_SOURCE=2", if it's really wanted. Another thing is that mirrordir has been abandoned upstream for over 10 years: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555130

(In reply to Jani Välimaa from comment #5)
> Another thing is that mirrordir has been abandoned upstream for over 10
> years:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555130

Actually make it over 20 years as the Debian bug was filed in 2009.
Jani is right. The fortify source option doesn't *cause* the buffer overflow, it just *detects* it and allows the program to safely exit rather than allow it to be silently able to be exploited (hypothetically at least). The compiler option should be left in place and the actual buffer overflow should be fixed. If we can't fix it ourselves (and can't find a fix anywhere else, like Ubuntu which also uses this compiler option generally), we should just close this as WONTFIX and drop the package in Cauldron.
Assignee: qa-bugs => pkg-bugs
CC: (none) => qa-bugs
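
Added example (not from this thread, and not mirrordir's or glibc's code): a simplified C model of the bounds check that -D_FORTIFY_SOURCE=2 puts in front of a string copy, illustrating the point made in the comment above that the option detects an overflow rather than causing one. The function and struct names are hypothetical and the sample names are constructed; the thread does not show the actual mirrordir defect.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A fortified glibc call does not return a status: on a failed check it
 * prints "*** buffer overflow detected ***" and aborts the process.
 * This model returns a code instead so the outcome can be inspected. */
enum copy_status { COPY_OK = 0, COPY_OVERFLOW_DETECTED = 1 };

/* Simplified model of a fortified strcpy(). dst_size stands in for the
 * destination object size that the compiler supplies when
 * _FORTIFY_SOURCE is enabled. The check runs before any byte is written. */
enum copy_status checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;      /* bytes needed, including NUL */
    if (need > dst_size)
        return COPY_OVERFLOW_DETECTED;  /* glibc would abort here */
    memcpy(dst, src, need);
    return COPY_OK;
}

/* Hypothetical record with a fixed-size field followed by canary bytes,
 * so a caller can confirm that nothing past the field was overwritten. */
struct entry { char name[16]; char canary[4]; };

enum copy_status store_name(struct entry *e, const char *name)
{
    memcpy(e->canary, "SAFE", 4);
    return checked_strcpy(e->name, sizeof e->name, name);
}

int canary_intact(const struct entry *e)
{
    return memcmp(e->canary, "SAFE", 4) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the reported FTP listing. */
    const char *names[] = { "short.rpm", "a-much-longer-package-name.rpm" };
    struct entry e;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum copy_status s = store_name(&e, names[i]);
        printf("%-32s -> %s, canary %s\n", names[i],
               s == COPY_OK ? "copied" : "overflow detected",
               canary_intact(&e) ? "intact" : "clobbered");
    }
    return 0;
}
```

Removing the flag from the build removes only the check; the oversized copy in the caller is still there and then writes past the buffer unnoticed.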
I found the cause of the buffer overflow. In my tests, with my patch and the fortify source option, the "mirrordir" command works.
Suggested advisory:
========================

The updated packages fix a buffer overflow that leads to a crash of "mirrordir" command.

References:
https://bugs.mageia.org/show_bug.cgi?id=25748
========================

Updated packages in core/updates_testing:
========================
mirrordir-0.10.49-27.2.mga7
lib(64)diffie1-0.10.49-27.2.mga7
lib(64)diffie-devel-0.10.49-27.2.mga7

from SRPMS:
mirrordir-0.10.49-27.2.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Installed 64-bit mirrordir, then updated to version 0.10.49-27.2. All packages installed cleanly. Executed the reporter's command from Comment 0. No overflow occurred. OK for 64-bit. Validating. Advisory in Comment 9.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2019-0227.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED