Report

In lib/wordsplit.c (derived from GNU tar's dependency code), environment key/value construction allocates a buffer then appends '=' and calls strcpy() to copy value into v+namelen. If any upstream length calculations diverge from the actual bytes copied (e.g., due to inconsistent namelen/value interpretation, embedded NULs, or integer overflow of size_t arithmetic), strcpy will write past the allocated region. Even if current callers seem to supply NUL-free value strings, the use of strcpy is an unsafe primitive for security-critical input that originates from parsing/expansion.
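A bounded form of the allocate, append '=', copy pattern described above, in which each length is measured once and drives both the allocation and the copies. This is an added example, not code from lib/wordsplit.c; the function name `env_entry_build`, its signature and the sample strings are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from lib/wordsplit.c): build "NAME=VALUE" in a
   fresh buffer. name may be a slice of namelen bytes without a NUL. */
char *env_entry_build(const char *name, size_t namelen,
                      const char *value, size_t *total_out)
{
    size_t valuelen, total;
    char *v;

    if (name == NULL || value == NULL)
        return NULL;
    /* Room for '=' and the terminating NUL must exist before any sum. */
    if (namelen > SIZE_MAX - 2)
        return NULL;
    /* namelen is caller-supplied: reject it if name ends sooner. */
    if (memchr(name, '\0', namelen) != NULL)
        return NULL;
    valuelen = strlen(value);          /* measured once, reused below */
    if (valuelen > SIZE_MAX - 2 - namelen)
        return NULL;                   /* size_t sum would wrap */
    total = namelen + 1 + valuelen + 1;

    v = malloc(total);
    if (v == NULL)
        return NULL;
    memcpy(v, name, namelen);
    v[namelen] = '=';
    /* Copies exactly the counted bytes, where strcpy() would trust the NUL. */
    memcpy(v + namelen + 1, value, valuelen);
    v[namelen + 1 + valuelen] = '\0';
    if (total_out != NULL)
        *total_out = total;
    return v;
}

int main(void)
{
    size_t n = 0;
    char *e = env_entry_build("PATH", 4, "/usr/bin", &n);  /* constructed input */
    if (e == NULL)
        return 1;
    printf("%s (%zu bytes allocated)\n", e, n);
    free(e);
    return 0;
}
```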

31e66625-250d-427d-909c-b09411ca37cb
