Vulnerability Report
I cannot find the original author or source code that this import was based on. Given that, if I have found a vulnerability in this source code, is that something you would be interested in addressing? If so, is there a preferred channel I can use to report the issue?
Hello @WhatTheFuzz. :wave: The original authors were some persons at Mozilla (src.), from which I downloaded the tarball in order to secure the source code and prevent it from fading away.
I've just used this tool to easily convert a bunch of old fonts to WOFF for a small corporate project. I was at first not intending to add fixes/features to it, but am willing to help if you need something patched, of course.
As I doubt any other piece of software is making use of that library, you can either report your findings here, or feel free to contact me via my email at [firstname]@[lastname].be. If needed, the corresponding GPG key is available here: https://keybase.io/wget (the one ending with 1683).
Following up to our discussion in private by email.
The vulnerability is an out of bound read and Sean will report it to me via a private repo on GitLab.
This is also the opportunity to realize that this piece of software is actually available in Debian and downstream distributions like Ubuntu under the package name woff-tools. We therefore renamed this repo to that name.
https://packages.ubuntu.com/source/jammy/woff-tools
Since the 2009 version, Debian changed their git repo to salsa. Here is the new upstream link: https://salsa.debian.org/fonts-team/woff-tools/-/blob/master/debian/control. That repo is still using the old, disappeared repo from people.mozilla.org.
Also, another question was raised: why is the release from upstream dated 2009-10-03 while Debian tagged it as 2009-10-04? :thinking: