Stream: wg-secure-code

Topic: Unsafety in abandoned crate


Andreas Molzer (Aug 31 2019 at 02:01, on Zulip):

While doing my first crev reviews, I stumbled upon hostname and actually found a potential safety issue (details). However, the author has both abandoned the crate and is inactive while the crate has a staggering amount of reverse dependencies. Can someone review my analysis and maybe give some guidance on adding an advisory for the situation or how to fix it in the ecosystem?

Thom Chiovoloni (Aug 31 2019 at 02:40, on Zulip):

I responded in a comment; it's not clear that it actually is a safety issue in practice. It would be better for the code to fix though; it being unmaintained is unfortunate.

Andreas Molzer (Aug 31 2019 at 02:46, on Zulip):

Would someone have an OS X machine to test this? Specifically, what is the behaviour of gethostname for a 255-byte hostname and namelen = 255?

Andreas Molzer (Aug 31 2019 at 02:46, on Zulip):

Does it return success? Does it truncate to add the null terminator (not per documentation)?

Tony Arcieri (Aug 31 2019 at 02:47, on Zulip):

@Andreas Molzer this might interest you https://github.com/RustSec/advisory-db/issues/134

Tony Arcieri (Aug 31 2019 at 02:47, on Zulip):

I'm working on a PR for informational advisories that can at least warn for unmaintained crates

Andreas Molzer (Aug 31 2019 at 02:49, on Zulip):

Thanks, should I comment on the crate in that issue list? Or is it already ready to accept a PR for it?

Thom Chiovoloni (Aug 31 2019 at 02:56, on Zulip):

@Andreas Molzer Tried, can't seem to make my hostname be 255 bytes long. It seems impossible, but maybe there's some way?

Tony Arcieri (Aug 31 2019 at 03:03, on Zulip):

@Andreas Molzer still working out a policy for that sort of thing, but I think it will ultimately be an informational advisory

Andreas Molzer (Aug 31 2019 at 03:11, on Zulip):

@Thom Chiovoloni The documentation certainly makes it sound that way, but it's also dated 2003? It would be nice if it were not an issue in practice but still better to be compliant just in case.

Thom Chiovoloni (Aug 31 2019 at 03:12, on Zulip):

I agree, but I also don't think a security advisory should be issued unless it's actually a vulnerability.

Andreas Molzer (Aug 31 2019 at 03:22, on Zulip):

What about Redox?
It seems to null-terminate it initially in uname: https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/platform/redox/mod.rs#L840
But doesn't always null-terminate gethostname: https://gitlab.redox-os.org/redox-os/relibc/blob/master/src/header/unistd/mod.rs#L311

Just had a glimpse at the code though, could be wrong.

Andreas Molzer (Aug 31 2019 at 03:30, on Zulip):

I'm going to test it in a VM, that's going to take a while

Shnatsel (Aug 31 2019 at 16:08, on Zulip):

Turns out Redox is fine, as stated in the issue.

Thom Chiovoloni (Aug 31 2019 at 20:02, on Zulip):

It seems like we should try to get a fix in, but that it probably doesn't need a security advisory then.

Last update: Nov 11 2019 at 23:00 UTC