New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability report #55
Comments
Generally, it's a good idea to point to the problems in the project. However, your "recommendations" ruined almost everything. Where is your patch? It's not fair to spoil this project this ugly way. You'd better to keep private what should be private. |
I'd rather this project be euthanized than patched. The project is dead, looking for a new maintainer, and entirely unsafe in its implementation. If I were to send any PR, it'd be to add this warning to the README. As mentioned in the OP, this was handled privately, via encrypted email, and remained unaddressed for three weeks before I posted this publicly. Now, at least, people can know what they're getting into and the new maintainer has a list of items to tackle first. Seriously though, my recommendation stands. People should stop using fiche on their public servers until it's been entirely reworked into something safer. To prevent issues like this in other projects, C is clearly not the ideal tool for the job. |
Hello @jeaye. Thank you for your work and sorry for the delayed response. You inspired me to rewrite the whole program and I thought I'll respond right after doing that. Unfortunatelly, as it often happens, I had to abandon project for a while. I've finally found some time this weekend and I completed basic functionality. Let me address your concerns. I of course agree with all you said, fiche had some serious problems. I wrote it as my first serious C project, never actively maintained it, and accepted too many page requests without giving them a proper consideration. I committed many sins and I plead guilty! And what's even worse, even I never trusted it and kept it in fully-separated environment on my server (btw, that's still recommended and we have to redone support for containers!). But now I'm here to change myself! So, if that's not a problem, please take a look at the new code, and help me to correct it! Sorry for not listening to your advice regarding not-using C. Last thing, regarding issue #54, I opened it independly, right before your email. You sent me a message that I was able to decipher on 14.07 and discussed issue was created on 13.07. Its creation wasn't caused by your notice, once again sorry for the lack of response. Below you can see my report created with the new version: scan-build
Empty output (no errors detected):
cppcheck
Nothing to worry about here (information message is caused by cppcheck's lack support for dealing with standard headers):
valgrindDiff:
Output:
Testing sequence used:
|
Thanks for the detailed response, @solusipse. I'm really glad you've taken the time to rework fiche into something safer. Are you open to setting up TravisCI, which you're already using for builds, to run this static and dynamic analysis continuously? This would allow Github to automatically test each PR made by others and each push made by you to ensure it doesn't reintroduce these sorts of issues. Since you've closed #54, are we to assume that you're going to actively maintain fiche for the time being? Furthermore, is the rewrite to be considered stable? Regarding the choice for C and working together to help the source be safer: the time that it would take all of us to have reasonable confidence in the safety of the code, and empirical tests to help substantiate it, fiche could be written in Python or Ruby or Clojure multiple times over. The simple fact that you need to worry about unchecked mallocs, undefined behavior with unchecked return values (returns Hopefully you can see how scary it should be for anyone to run services like this on a public-facing machine. |
@jeaye Thanks!
Great idea! I did that for static analysis, going to write tests and integrate in also the dynamic analysis.
That is correct.
Well, you're probably right. I'd love to see clones of fiche written in these languages! As for C, I believe that while it is still around (maybe that's unfortunate?) we should have an opportunity to write also new software with that language. Moreover, with your great help we are going to eliminate all potential issues soon and we won't have to worry so much. Speaking of which:
Fixed!
Fixed! Thank you! As for
I don't see why this should be considered a problem when tested properly. Sure, these are places where something can go wrong easily, but fortunately we don't have many of them, so we're able to check them carefully. As for uninitialised variable you've highlighted, once again I don't see why it's a security problem. As you can see, the first operation on that variable is allocation performed here. Sure, it might be considered a bad style, but that's rather subjective. Please let me know if I'm correct regarding these two. As for
isn't that platform/language/implementation dependant? As for
Sure! But still, there are things that scare me more! Maybe I'm insane, but I'm willing to take the risk. As for others, we can add huge warning in our Readme saying something about possible terrible implications of using that software. Not kidding, I'm willing to do that if you think that's the right thing! I was also thinking about recommending a clone written in Rust - hope you'll find information soothing! 😘 |
Thanks, @solusipse, for fixing up those further issues. I think we see things very differently and I don't want to take up any more of your time, so I'll close this ticket. The rewrite, continuous analysis, and revitalized development is great to see. Cheers. |
Hey there, I'm actively interested in inspecting open source C projects for vulnerabilities and bugs. Unfortunately, fiche has some issues. I reported this privately to you three weeks ago; since then, you have opened #54 asking for a new maintainer.
Anyone looking to install fiche on a public server should beware.
Summary
malloc
callsfopen
callStatic analysis
Diff applied to Makefile
Clang's static analysis
Cppcheck's analysis
Dynamic analysis
Diff applied to Makefile
Clang's address sanitizer
This targets a case where the output dir (basedir) is not writeable, or doesn't exist. In that case, this loop will run indefinitely, smashing the stack with each iteration's new random byte. If you limit this loop to be within the slug's size, you'll crash on the unchecked
fopen
insave_to_file
.Recommendation
I highly recommend that you don't write new software (especially web services) in C and there are various areas of fiche's code which are just waiting for a subtle change to allow a buffer overflow exploit, which could result in remote code execution. You have a ticket open for porting fiche to Rust and I think that's a superb idea.
In the meantime, please consider addressing these issues, adding those warning flags to your build, and running both static and dynamic analysis as part of your continuous integration.
The text was updated successfully, but these errors were encountered: