Security vulnerabilities and automated fixes for semgrep issues
7 posts found
A high-severity buffer overflow vulnerability was discovered in `src/calculations.c` at line 37, where a two-step `strncpy` + manual null-termination pattern left the door open for subtle memory safety bugs when copying string data into the `entry->type` field. The fix replaces both lines with a single `snprintf` call that handles bounds and null-termination atomically, eliminating the risk entirely. This is a common C pitfall that affects production CLI tools and can be exploited when attacker-
A missing `cooldown` block in `.github/dependabot.yml` meant that newly published packages — which could be malicious or unstable — were eligible for immediate update proposals. By adding a `cooldown` block with `default-days: 7` to both the GitHub Actions and Cargo package ecosystems, the project now enforces a 7-day waiting period before Dependabot proposes any update to a freshly released package version. This change significantly reduces the risk of dependency confusion attacks and supply ch
A high-severity buffer overflow vulnerability was discovered in `src/GL/arbgenerator.c` where `sprintf()` was used without size bounds checking on an 11-byte buffer. The fix replaces unsafe `sprintf()` calls with `snprintf()`, enforcing strict buffer boundaries and preventing potential heap corruption or code execution attacks.
A critical buffer overflow vulnerability was discovered and patched in `gimbal_md5.c`, where unsafe C string functions were used without size bounds checking. Left unpatched, this flaw could allow attackers to corrupt memory, crash processes, or execute arbitrary code. The fix replaces unbounded functions with their size-aware counterparts, enforcing a strict invariant: buffer reads must never exceed the declared length.
A critical buffer overflow vulnerability was discovered and fixed in `src/display.cpp`, where unsafe C string functions were used without bounds checking. This type of vulnerability can allow attackers to corrupt memory, crash applications, or execute arbitrary code. The fix replaces unbounded functions with size-aware alternatives like `strlcpy` and `snprintf`, eliminating the overflow risk.
A high-severity integer overflow vulnerability was discovered and fixed in `src/coredump/_UCD_create.c`, where arithmetic multiplication used to compute a memory allocation size lacked overflow protection. If the multiplication wrapped around, an undersized buffer would be allocated, opening the door to a heap overflow attack. This fix closes a subtle but dangerous code path that could lead to memory corruption and potential code execution.
A high-severity shell injection vulnerability was discovered and fixed in a GitHub Actions workflow file, where direct use of `${{ github.* }}` context variables in `run:` steps could allow attackers to execute arbitrary code on CI/CD runners. This post explains how the attack works, what the fix looks like, and how you can audit your own workflows to prevent secrets theft and code compromise. Understanding this class of vulnerability is essential for any team using GitHub Actions in production.