tar/[REDACTED] env construction: strcpy on attacker-controlled value

36cc78d5-d978-44db-a661-caa65014ee00

In tar's bundled gnulib wordsplit implementation, [REDACTED] builds environment strings using strcpy into a heap buffer sized as namelen + strlen(value) + 2, but the buffer pointer arithmetic uses namelen++ before the copy, creating an off-by-one hazard if namelen/value length relationships ever desynchronize (e.g., unusual name lengths or internal assumptions). This is flagged by flawfinder as [REDACTED].

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

4 linked nodes

PERTAIN_TODomain

Security Auditing

CONTAINSProblem

In tar's bundled gnulib wordsplit implementation. Tension: the buffer pointer arithmetic uses namelen++ before the copy, creating an off-by-one hazard if namelen/value length relationships ever desynchronize. Outcome: This is flagged by flawfinder as [REDACTED].

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

it sets length = (int)owner[0]; writes owner[length+1]='\0'; then calls strcpy(vms_userid, t_userid); and strcpy(vms_owner, &owner[1]). — Inspected the __CRTL_VER < 70000000 block in src/vms.c. Tension: No bounds validation is performed before these copies/writes. Outcome: Found static destinations vms_userid[16], vms_owner[40].

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info