Potential security concern in rm_digest_hexstring function
Hi, I’d like to bring to your attention a potential security concern I noticed related to the rm_digest_steal function.
From my understanding, this function is called by rm_tm_extract, where the buffer length is 0x200. It seems that the parameter controlling the write to this buffer might be controllable, which could pose a security risk.
However, I want to emphasize that I haven’t verified this issue myself, and my confidence level in this observation is about 50%. Please consider reviewing this when you have time. I’m happy to provide more details or collaborate if needed. Thank you for your hard work on this project!
Sorry, I think I said it wrong; it should be the rm_digest_hexstring function.
Hello ret2ldz,
Thank you for your research. It seems that rm_digest_hexstring is called with a fixed-sized buffer only when a specific compile-time debugging option is enabled, meaning that distribution-provided binaries of rmlint are not affected.
Can you think of any way an end user could manipulate the parameter that controls the write size (that is, d->digest->bytes) in that case?
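
The bounds question raised in this thread, as an added example (not rmlint's code and not written by either participant): hex-encoding a digest needs 2*bytes + 1 characters, so a 0x200-byte destination is only safe while the digest length is at most 255. The function name, signature and sample values below are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not rmlint's rm_digest_hexstring): hex-encode
 * `bytes` bytes of `digest` into `out`, which holds `out_cap` bytes.
 * Returns 0 on success, -1 if the hex form plus its NUL would not fit.
 * On failure `out` is left as an empty string. */
static int digest_hex_bounded(const uint8_t *digest, size_t bytes,
                              char *out, size_t out_cap) {
    static const char hex[] = "0123456789abcdef";

    if (out == NULL || out_cap == 0) {
        return -1;
    }
    out[0] = '\0';
    if (digest == NULL) {
        return -1;
    }
    /* Need 2*bytes + 1 <= out_cap; phrased as a division so that a huge
     * `bytes` value cannot wrap the multiplication. */
    if (bytes > (out_cap - 1) / 2) {
        return -1;
    }
    for (size_t i = 0; i < bytes; i++) {
        out[2 * i]     = hex[digest[i] >> 4];
        out[2 * i + 1] = hex[digest[i] & 0x0f];
    }
    out[2 * bytes] = '\0';
    return 0;
}

/* Constructed check: does a digest of `bytes` bytes fit a 0x200 buffer? */
static int fits_in_0x200(size_t bytes) {
    uint8_t digest[512];
    char buf[0x200];

    if (bytes > sizeof digest) {
        return 0;
    }
    memset(digest, 0xab, sizeof digest);
    return digest_hex_bounded(digest, bytes, buf, sizeof buf) == 0;
}

int main(void) {
    printf("255 bytes fit: %d\n", fits_in_0x200(255));
    printf("256 bytes fit: %d\n", fits_in_0x200(256));
    return 0;
}
```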