I reviewed editorconfig-core 0.12.5-2ubuntu2 as checked into kinetic and an unpackaged version containing upstream commit 41281ea to patch CVE-2023-0341. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
> EditorConfig makes it easy to maintain the correct coding style when switching between different text editors and between different projects. The EditorConfig project maintains a file format and plugins for various text editors which allow this file format to be read and used by those editors.
- CVE History:
- CVE-2023-0341
- Bug History:
- Some releases due to memory issues
- https://github.com/editorconfig/editorconfig-core-c/releases
- github issue #55 is security relevant
- github issue #78 should be addressed
- Build-Depends?
- lunar main
- cmake
- debhelper-compat (debhelper)
- libjs-jquery (node-jquery)
- appears to only be for editorconfig-doc
- libpcre2-dev (pcre2)
- pkg-config
- linux-vdso.so.1 (kernel)
- libpcre2-8.so.0 (pcre2)
- libc.so.6 (glibc)
- ld-linux-x86-64.so.2 (glibc)
- lunar universe
- d-shlibs
- doxygen
- pkg-kde-tools
- pre/post inst/rm scripts?
- none
- init scripts?
- none
- systemd units?
- none
- dbus services?
- none
- setuid binaries?
- none
- binaries in PATH?
- ./usr/bin/editorconfig-0.12.5
- ./usr/bin/editorconfig -> editorconfig-0.12.5
- sudo fragments?
- none
- polkit files?
- none
- udev rules?
- none
- unit tests / autopkgtests?
- lots of build tests
- autopkgtests needed (!)
- cron jobs?
- none
- Build logs:
- trivial deprecated Doxygen warnings
- trivial elf-error
- Processes spawned?
- open, see File IO section
- Memory management?
- looks good
- see coverity
- File IO?
- fopen in ini.c reads config file
- Appears safe
- Opens, reads, and closes file in single function
- Content containing wildcard patterns read by ec_glob later
- editorconfig.c has functions to read files and directories
- to find a config file, editorconfig attempts to read `.editorconfig` in all directories of the path it was called from, beginning in the root directory
- e.g., attempt to read `/.editorconfig`, then `/foo/.editorconfig`, then `/foo/bar/.editorconfig`
- the config file furthest up the path containing `root = true` is the "root" config file, and previous configs should be ignored
- https://github.com/editorconfig/editorconfig-core-c/issues/55 demonstrates how to override root config files!
- walking the path in this manner might be analogous to CVE-2022-24765
- Logging?
- editorconfig.c's editorconfig_get_error_msg(int err_num) contains static (safe) error messages
- several static messages in main.c
- in main.c, when err_num > 0, fprintf with formatting characters
- fprintf statements do not appear susceptible to format string attacks (CAPEC-135)
- Environment variable usage?
- none
- Use of privileged functions?
- none
- Use of cryptography / random number sources etc?
- none
- Use of temp files?
- none
- Use of networking?
- none
- Use of WebKit?
- none
- Use of PolicyKit?
- none
- Any significant cppcheck results?
- none
- Any significant Coverity results?
- false positive ec_glob.c:87 strcpy into fixed buffer
- pattern cannot be greater than 8194 bytes
- pattern represents a file and path name, which combined can be 4096 bytes maximum
- false positive that nums variable goes out of scope in switch case statements of ec_glob function
- nums eventually freed with utarray_free(nums)
- Any significant shellcheck results?
- ./mk-src-archive.sh looks worrying, but not included in binary package
- Any significant bandit results?
- none
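The directory walk and `root = true` rule from the File IO notes above, as an added example that is not editorconfig-core-c's own code: it simulates the lookup over a constructed in-memory filesystem and adds a hypothetical defender's check (`configs_outside`, not part of editorconfig) that reports which consulted config files sit outside a trusted tree, the concern behind the CVE-2022-24765 comparison.

```python
import posixpath
import re

# Matches a `root = true` line anywhere in a config's text.
ROOT_RE = re.compile(r"^\s*root\s*=\s*true\s*$", re.IGNORECASE | re.MULTILINE)

def candidate_paths(target):
    """Every .editorconfig that could apply to `target`, enumerated from the
    filesystem root downward (/.editorconfig, /foo/.editorconfig, ...)."""
    d = posixpath.dirname(posixpath.normpath(target))
    dirs = []
    while True:
        dirs.append(d)
        parent = posixpath.dirname(d)
        if parent == d:  # reached "/" (or "" for a relative path)
            break
        d = parent
    return [posixpath.join(x, ".editorconfig") for x in reversed(dirs)]

def consulted_configs(target, fs):
    """Root rule: the deepest existing config declaring `root = true` is the
    root config; every config above it is ignored."""
    found = [p for p in candidate_paths(target) if p in fs]
    for i in range(len(found) - 1, -1, -1):
        if ROOT_RE.search(fs[found[i]]):
            return found[i:]
    return found  # no root marker: every config on the path is consulted

def configs_outside(target, fs, trusted_prefix):
    """Defender's check (hypothetical, not part of editorconfig): consulted
    configs living outside the tree the user controls, i.e. files a
    parent-directory owner could use to influence the user's settings."""
    trusted = posixpath.normpath(trusted_prefix).rstrip("/") + "/"
    return [p for p in consulted_configs(target, fs) if not p.startswith(trusted)]

# Constructed in-memory filesystem: path -> file contents (no disk access).
SAMPLE_FS = {
    "/.editorconfig": "[*]\nindent_style = tab\n",
    "/srv/.editorconfig": "[*]\nend_of_line = crlf\n",
    "/srv/project/.editorconfig": "root = true\n[*]\nindent_style = space\n",
}

if __name__ == "__main__":
    target = "/srv/project/src/main.c"
    print("consulted:", consulted_configs(target, SAMPLE_FS))
    # Drop the root marker to show what a missing `root = true` exposes.
    unrooted = {k: v.replace("root = true\n", "") for k, v in SAMPLE_FS.items()}
    print("outside /srv/project:", configs_outside(target, unrooted, "/srv/project"))
```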
The EditorConfig project is quite popular and comes prepackaged with many IDEs.
Code is commented exceptionally well.
It would be nice if Ubuntu renamed this package to "editorconfig-core-c", as upstream maintains several packages with the prefix "editorconfig-core-".
With fuzzed editorconfig-core-c config files I was able to cause editorconfig-core-c segmentation faults. David Fernandez Gonzalez (@litios) from the Security Team generated novel config files which cause segmentation faults, identified the stack buffer overflow causing the crash, developed a PoC which allows writing arbitrary data to the stack, created a patch, and disclosed a vulnerability report describing CVE-2023-0341 to upstream. EditorConfig was extremely responsive and patched editorconfig-core-c within 48 hours.
Security Team ACK for promoting editorconfig-core to main.
I would like to thank the Desktop Team for their patience and flexibility which enabled us to research editorconfig-core's security.