NULL Pointer Dereference vulnerability in igraph_i_strdiff function #1141
Comments
The input is not valid XML, although it probably shouldn't crash igraph anyway. I'll take a look at this.
I've applied this patch to the Debian package. Recently I was asking for a new release (issue #1107). I really think you should do a release containing fixes for CVEs. Otherwise you risk that users who rely on releases are running insecure software. Thank you, Andreas.
I am absolutely not arguing against a release, just wanted to note that the importance of such security issues is way overblown. igraph is research software. It's not used on webservers or other security-critical applications. Bugs like this will make little practical difference. The priority should be on producing correct results for reasonable inputs, so users can have confidence in their analysis results. Segfaults with bad inputs won't lead to flawed research papers. Incorrect result bugs will. If I were to cherry pick fixes, I would focus on such bugs, not security.
On Tue, Dec 25, 2018 at 01:20:06AM -0800, Szabolcs Horvát wrote:
I am absolutely not arguing against a release, just wanted to note that the importance of such security issues is *way* overblown. igraph is research software. It's not used on webservers or other security-critical applications. Bugs like this will make little practical difference.
The priority should be on producing correct results for _reasonable_ inputs, so users can have confidence in their analysis results. Segfaults with bad inputs won't lead to flawed research papers. Incorrect result bugs will. If I were to cherry pick fixes, I would focus on such bugs, not security.
As a scientist I perfectly understand your argument. As a Debian developer I have the counter argument: you never know how your software is used and who might have the idea of providing a scientific application on a web server. Andreas.
Test Version
dev version, git clone https://github.com/igraph/igraph
Test Program
Modify graphml.c in the examples/simple directory, then compile it and run it on the input file:
gcc graphml.c -ligraph -o graphml
./graphml [infile]
Gdb and Backtrace
POC file
igraph_trie-igraph_i_strdiff-112.zip
CREDIT
Zhao Liang, Huawei Weiran Labs
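The report above names a NULL pointer dereference in a string helper reached from the GraphML reader, but the page does not show the function body, the backtrace or the fix. The following added example is not igraph's code: it illustrates the bug class with a hypothetical common-prefix helper (strdiff_unchecked, modelled on the kind of routine a string trie uses) and two defensive layers, a NULL-tolerant wrapper (strdiff_checked) and validation at the parser boundary (accept_keys), both assumed names. The sample attribute records are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical trie-style helper: length of the common prefix of str
 * and key. This unchecked form dereferences both pointers without any
 * test, so a NULL handed over by a parser (for example the result of
 * looking up an attribute that a malformed element does not carry)
 * crashes here with a NULL pointer dereference. */
static long strdiff_unchecked(const char *str, const char *key) {
    long diff = 0;
    while (*key != '\0' && *str != '\0' && *str == *key) {
        str++;
        key++;
        diff++;
    }
    return diff;
}

/* Hardened form: a NULL argument is treated as the empty string, so
 * the caller gets a well-defined result (0) instead of a segfault. */
static long strdiff_checked(const char *str, const char *key) {
    if (str == NULL || key == NULL) {
        return 0;
    }
    return strdiff_unchecked(str, key);
}

/* Constructed stand-in for what a SAX-style callback receives per
 * element: an attribute lookup that finds nothing yields NULL. */
typedef struct {
    const char *name;
} parsed_key;

/* Second layer: validate at the parser boundary and reject records
 * with a missing name before they reach any string helper.
 * Returns the number of accepted names written to out[]. */
static int accept_keys(const parsed_key *keys, int n, const char **out) {
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (keys[i].name == NULL) {
            fprintf(stderr, "rejecting key %d: missing name attribute\n", i);
            continue;
        }
        out[accepted++] = keys[i].name;
    }
    return accepted;
}

int main(void) {
    /* constructed sample: three attribute records, one without a name */
    parsed_key sample[] = { {"weight"}, {NULL}, {"weights"} };
    const char *ok[3];
    int n = accept_keys(sample, 3, ok);
    printf("accepted %d of 3 keys\n", n);
    printf("common prefix of '%s' and '%s': %ld\n",
           ok[0], ok[1], strdiff_checked(ok[0], ok[1]));
    printf("NULL input handled: %ld\n", strdiff_checked(NULL, "weight"));
    return 0;
}
```

The two layers serve different purposes: the wrapper makes the helper itself robust, while the boundary check turns malformed input into a diagnosable rejection rather than a silently accepted empty key; a fix for a crash like the one reported here should do both, so the invalid file is reported instead of merely surviving.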