[Debian-med-packaging] Bug#993019: perm -- Buffer overflows

Nilesh Patra nilesh at debian.org
Thu Aug 26 13:10:13 BST 2021


Package: perm
Version: 0.4.0-5
Severity: normal
X-Debbugs-Cc: nilesh at debian.org, utkarsh at debian.org

Hi,

This bug report is being done as a reference point for perm to be
processed with the corresponding CVE (also as a reference point for
Mitre).

This bug was actually discovered very publicly on a mailing list
itself[1], and here is the unblock bug[2].

So, automated tests (autopkgtests) were added to perm, to run on
test data that can be found here[3]. On propagating a hardening flag,
particularly -D_FORTIFY_SOURCE=2, this started to give buffer overflow
errors, as can be seen here[4].

I did a patch[5], and uploaded the fixed version 0.4.0-7 which fixes the
issue at hand[6].

Now, when I tried contacting upstream, I realised that upstream sources
are not present anywhere, and probably that has been the case for several
years, as is also apparent from the copyright file[7].

I did see an email address there (Yangho Chen et al. <yanghoch at usc.edu>),
and I sent in an email there asking for it and also reporting the security
issue, but so far there has been no response for several days and I think
it is safe to assume that the upstream development for this software is dead.

Overall, this software was in fact vulnerable, and the vulnerability can
be tested by running:

$ perm Ref.fasta Reads.fasta -v 100 -A -o out.sam

as given in the test data linked below, and the corresponding CI.

[1]: https://lists.debian.org/debian-med/2021/08/msg00016.html
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991841
[3]: https://salsa.debian.org/med-team/perm/-/tree/master/debian/tests/data
[4]: https://salsa.debian.org/med-team/perm/-/jobs/1788156
[5]: https://salsa.debian.org/med-team/perm/-/blob/master/debian/patches/fix-buffer-overflow.patch
[6]: https://salsa.debian.org/med-team/perm/-/jobs/1789569
[7]: https://salsa.debian.org/med-team/perm/-/blob/master/debian/copyright#L3

Nilesh
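The report above describes fixed-size buffer writes that -D_FORTIFY_SOURCE=2 turned into run-time aborts during the autopkgtests. The following is an added illustration of that defect class beside a bounds-checked replacement; it is constructed for this page and is not perm's code or the Debian patch. NAME_CAP and the sample inputs are made-up values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed capacity for a fixed-size destination buffer; not a value
 * taken from perm. */
#define NAME_CAP 16

/* Before: nothing enforces that src fits in dst. Where the destination's
 * size is visible to the compiler at the call site, building with
 * -O2 -D_FORTIFY_SOURCE=2 makes glibc replace strcpy with __strcpy_chk,
 * which aborts at run time with "*** buffer overflow detected ***".
 * Without the flag the write silently runs past the end of the buffer. */
void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);   /* unsafe: no bound on the write */
}

/* After: the bound travels with the pointer and is enforced.
 * Returns 0 on success; returns -1 and leaves dst as an empty string when
 * src plus its terminator does not fit. Rejecting instead of truncating
 * avoids silently emitting a different record downstream. */
int copy_name_checked(char *dst, size_t dst_cap, const char *src) {
    if (dst_cap == 0) return -1;
    size_t n = 0;
    /* Scan at most dst_cap bytes of src so an unterminated input cannot
     * make the length check itself read out of bounds. */
    while (n < dst_cap && src[n] != '\0') n++;
    if (n == dst_cap) {          /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* copy including the terminator */
    return 0;
}

/* Exercise the checked copy against constructed inputs: one short name,
 * one exactly at capacity (15 chars + NUL), one a byte too long.
 * Returns the number of rejected copies. */
int demo_rejections(void) {
    char buf[NAME_CAP];
    const char *inputs[] = { "chr1", "123456789012345", "1234567890123456" };
    int rejected = 0;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (copy_name_checked(buf, sizeof buf, inputs[i]) != 0) {
            rejected++;
            printf("rejected: %s (would overflow %zu-byte buffer)\n",
                   inputs[i], sizeof buf);
        } else {
            printf("copied:   %s\n", buf);
        }
    }
    return rejected;
}

int main(void) {
    int rejected = demo_rejections();
    printf("%d of 3 inputs rejected\n", rejected);
    return 0;
}
```

The unchecked form is the one a fortified build catches only when the compiler can see the destination's size; the checked form does not depend on build flags, which is why a source fix is preferable to relying on the hardening flag alone.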
