******************************************************************************
****************** TSCHK TOUCHSTONE PARSER BUG REPORT FORM *******************
******************************************************************************

INSTRUCTIONS

To report a bug in the TSCHK Touchstone Parser, please fill out the top part
of the following form and send the complete form to info@ibis.org. A list of
reported bugs is maintained at http://ibis.org/bugs/tschk.

******************************************************************************

PARSER VERSION NUMBER: 2.0.1

PLATFORM (SPARC, HP700, PC, etc.): PC

OS AND VERSION: Microsoft* Windows

REPORTED BY: Michael Mirmak

DATE: September 19, 2022

DESCRIPTION OF BUG:

Three areas of the Touchstone parser source code require attention in terms
of improving security. Some of the solutions presented below are debatable,
as the proposed fixes may not be universal across multiple operating systems.

1) In several locations, an output printing structure is used that is
   potentially insecure due to buffer overflow risk. Ten occurrences were
   flagged by commercial scanning software between lines 399 and 409 of
   tschk2.cc. There, the size of the "buffer" variable is not verified
   before it is written to. Mitigation requires an additional "if" statement
   or something similar to verify that the target buffer is large enough to
   accommodate the additional text at the end of the lines (e.g.,
   "degrees\n effective noise impedance: ").

2) Some commercial scanning software will flag use of "sprintf" instead of
   its allegedly more secure cousin "sprintf_s" in the tschk2.cc source file.
   Eight occurrences are between lines 329 and 408 of that file. Mitigation
   is simply to use the construction "sprintf_s" with its additional size
   argument. However, this may only be convenient under Microsoft Windows
   compilers, as the replacement function may not be widely available for
   Linux compilers.

3) Similarly, the use of "memset" in networkparams.cc, on line 289, is
   flagged as less desirable than "memset_s". However, mitigation is
   debatable for the same operating system-specific reasons as highlighted
   for "sprintf_s" above.

No demonstration file is possible, as the issues are related to already-
functional code.

******************************************************************************
******************** BELOW FOR ADMINISTRATION AND TRACKING *******************
******************************************************************************

BUG NUMBER: 6

SEVERITY: [FATAL, SEVERE, MODERATE, ANNOYING, ENHANCEMENT] MODERATE

PRIORITY: [HIGH, MEDIUM, LOW] MEDIUM

STATUS: [OPEN, CLOSED, WILL NOT FIX, NOT A BUG] CLOSED

FIXED VERSION: 2.1.0

FIXED DATE: April 19, 2024

NOTES ON BUG FIX:

Classified at the September 30, 2022 IBIS Open Forum Meeting.

The final resolution may involve research and testing by the parser developer
and consultation with several commercial vendors who have dealt with these
problems. One issue is that a proposed solution that works with Windows
compilation may not have directives that are compatible with Linux. Another
issue is that some standards are emerging (but not final) that are related
to the issues. This investigation and resolution is planned for a future
release.

******************************************************************************
******************************************************************************
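
One portable way to apply the size check described in items 1 and 2 is to use the standard (C99/C++11) "vsnprintf" in place of "sprintf_s", so the same code builds with Windows and Linux compilers. This is an added example, not code from tschk2.cc or the TSCHK project; OutBuf, outbuf_init and outbuf_appendf are hypothetical names and the numeric values are constructed.

```cpp
// Added example: OutBuf / outbuf_init / outbuf_appendf are hypothetical names,
// not taken from tschk2.cc.
#include <cstdarg>
#include <cstddef>
#include <cstdio>

struct OutBuf {
    char   data[64];   // fixed-size target, standing in for the report's "buffer"
    size_t used;       // bytes written so far, excluding the terminating NUL
};

static void outbuf_init(OutBuf *b) { b->data[0] = '\0'; b->used = 0; }

// Append formatted text only if it fits completely. Returns true on success;
// on failure the buffer content is left exactly as it was before the call.
static bool outbuf_appendf(OutBuf *b, const char *fmt, ...)
{
    size_t room = sizeof b->data - b->used;   // remaining bytes, NUL included
    va_list ap;
    va_start(ap, fmt);
    // vsnprintf never writes more than `room` bytes and returns the length
    // the complete output would have had, which is the size check itself.
    int need = vsnprintf(b->data + b->used, room, fmt, ap);
    va_end(ap);
    if (need < 0 || (size_t)need >= room) {
        b->data[b->used] = '\0';              // discard the truncated tail
        return false;
    }
    b->used += (size_t)need;
    return true;
}

int main()
{
    OutBuf b;
    outbuf_init(&b);
    // Constructed sample values; the label text is the one quoted in item 1.
    bool ok1 = outbuf_appendf(&b, "%g degrees\n", 45.0);
    bool ok2 = outbuf_appendf(&b, " effective noise impedance: %g", 50.0);
    bool ok3 = outbuf_appendf(&b, "%s",
        "a string far too long to fit in what remains of the buffer");
    printf("%d %d %d [%s]\n", ok1, ok2, ok3, b.data);
    return 0;
}
```

The caller decides what a false return means (report an error, flush and retry, or grow the buffer); the helper only guarantees that nothing is written past the end and that no truncated text is kept.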