Remediated code only copies 50 bytes to a 50-byte stack buffer.
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/726/726/955/956/original/558c2016324e412f.png
https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/281/726/726/955/956/original/558c2016324e412f.png
Notices where this attachment appears
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Saturday, 12-Apr-2025 01:16:44 JST 
Will Dormann
If I look closer at the difference between the vulnerable version and the "remediated" version, it's now clear where the fix is.
In the vulnerable code, the attacker-provided length of data is strlcopy'd into a 50-byte array. And badness ensues.
In the "remediated" version, the strlcopy only copies 50 bytes, as the target variable is 50 bytes.
So I'd consider this an actual fix. But presumably Ivanti didn't realize that a stack buffer overflow could have a security impact? And thus the lack of CVE when it was fixed, or the attempt to also fix their Ivanti Policy Secure and ZTA Gateways products? 🤷♂️
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.