I reviewed editorconfig-core 0.12.5-2ubuntu2 as checked into kinetic and an unpackaged version containing upstream commit 41281ea to patch CVE-2023-0341. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> EditorConfig makes it easy to maintain the correct coding style when switching between different text editors and between different projects. The EditorConfig project maintains a file format and plugins for various text editors which allow this file format to be read and used by those editors.

- CVE History:
  - CVE-2023-0341
- Bug History:
  - Some releases due to memory issues
    - https://github.com/editorconfig/editorconfig-core-c/releases
  - github issue #55 is security relevant
  - github issue #78 should be addressed
- Build-Depends?
  - lunar main
    - cmake
    - debhelper-compat (debhelper)
    - libjs-jquery (node-jquery)
      - appears to only be for editorconfig-doc
    - libpcre2-dev (pcre2)
    - pkg-config
    - linux-vdso.so.1 (kernel)
    - libpcre2-8.so.0 (pcre2)
    - libc.so.6 (glibc)
    - ld-linux-x86-64.so.2 (glibc)
  - lunar universe
    - d-shlibs
    - doxygen
    - pkg-kde-tools
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - ./usr/bin/editorconfig-0.12.5
  - ./usr/bin/editorconfig -> editorconfig-0.12.5
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - lots of build tests
  - autopkgtests needed (!)
- cron jobs?
  - none
- Build logs:
  - trivial deprecated Doxygen warnings
  - trivial elf-error
- Processes spawned?
  - open, see File IO section
- Memory management?
  - looks good
  - see coverity
- File IO?
  - fopen in ini.c reads config file
    - Appears safe
    - Opens, reads, and closes file in single function
    - Content containing wildcard patterns read by ec_glob later
  - editorconfig.c has functions to read files and directories
    - to find a config file, editorconfig attempts to read `.editorconfig` in all directories of the path it was called from, beginning in the root directory
      - e.g., attempt to read `/.editorconfig`, then `/foo/.editorconfig`, then `/foo/bar/.editorconfig`
    - the config file furthest up the PATH containing `root = true` is the "root" config file, and previous configs should be ignored
      - https://github.com/editorconfig/editorconfig-core-c/issues/55 demonstrates how to override root config files!
    - walking the path in this manner might be analogous to CVE-2022-24765
- Logging?
  - editorconfig.c's editorconfig_get_error_msg(int err_num) contains static (safe) error messages
  - several static messages in main.c
  - in main.c, when err_num > 0, fprintf with formatting characters
    - fprintf statements do not appear susceptible to format string attacks (CAPEC-135)
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - false positive ec_glob.c:87 strcpy into fixed buffer
    - pattern cannot be greater than 8194 bytes
    - pattern represents a file and path name, which combined can be 4096 bytes maximum
  - false positive that nums variable goes out of scope in switch case statements of ec_glob function
    - nums eventually freed with utarray_free(nums)
- Any significant shellcheck results?
  - ./mk-src-archive.sh looks worrying, but not included in binary package
- Any significant bandit results?
  - none

The EditorConfig project is quite popular and comes prepackaged with many IDEs. Code is commented exceptionally well. It would be nice if Ubuntu renamed this package to "editorconfig-core-c", as upstream maintains several packages with the prefix "editorconfig-core-".

With fuzzed editorconfig-core-c config files I was able to cause editorconfig-core-c segmentation faults. David Fernandez Gonzalez (@litios) from the Security Team generated novel config files which cause segmentation faults, identified the stack buffer overflow causing the crash, developed a PoC which allows writing arbitrary data to the stack, created a patch, and disclosed a vulnerability report describing CVE-2023-0341 to upstream. EditorConfig was extremely responsive and patched editorconfig-core-c within 48 hours.

Security Team ACK for promoting editorconfig-core to main.

I would like to thank the Desktop Team for their patience and flexibility which enabled us to research editorconfig-core's security.
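The config-file discovery walk described in the File IO section above, as an added example that is not editorconfig-core-c's own code: a Python model of the lookup over a constructed in-memory directory tree, showing which `.editorconfig` files a target file picks up (including one sitting in a shared ancestor directory) and where a `root = true` file cuts the chain off. FAKE_FS, read_config, declares_root and editorconfig_lookup are all assumptions of this example, not names from the project.

```python
from pathlib import PurePosixPath

# Constructed in-memory tree standing in for the real filesystem; the
# /tmp entry models a config dropped in a shared ancestor directory.
FAKE_FS = {
    "/.editorconfig": "[*]\nindent_style = tab\n",
    "/home/alice/.editorconfig": "root = true\n\n[*]\nindent_style = space\n",
    "/home/alice/proj/.editorconfig": "[*.c]\nindent_size = 4\n",
    "/tmp/.editorconfig": "[*]\nend_of_line = crlf\n",
}


def read_config(path):
    """Stand-in for the fopen/read/fclose sequence in ini.c (assumed helper)."""
    return FAKE_FS.get(path)


def declares_root(content):
    """True if the preamble (keys before the first [section]) sets root = true."""
    for line in content.splitlines():
        s = line.strip()
        if s.startswith("["):
            break
        if not s or s[0] in "#;" or "=" not in s:
            continue
        key, _, value = s.partition("=")
        if key.strip().lower() == "root" and value.strip().lower() == "true":
            return True
    return False


def editorconfig_lookup(target):
    """Return the .editorconfig files that apply to `target`, outermost first.
    Every ancestor directory is consulted; the nearest file declaring
    root = true cuts off everything above it (later entries win on merge)."""
    parent = PurePosixPath(target).parent
    chain = []
    for directory in (parent, *parent.parents):
        cfg = str(directory / ".editorconfig")
        content = read_config(cfg)
        if content is None:
            continue
        chain.append(cfg)
        if declares_root(content):
            break
    chain.reverse()
    return chain
```

Calling editorconfig_lookup("/tmp/alice/scratch.c") returns both "/.editorconfig" and "/tmp/.editorconfig", which is the ancestor-directory exposure the CVE-2022-24765 comparison points at; "/home/alice/proj/main.c" stops at alice's root file and never sees "/.editorconfig".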