virustotal / c-vtapi Goto Github PK

Hello,

The c-vtapi was included in Debian on 2022-02-14 and recently failed during build due to some functions involving curl.

In the files lib/VtUrl.c, lib/VtComments.c and lib/VtFile.c I found the function curl_formadd, could you replace it with curl_mime_init()?

There are other errors that can be seen at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027611

Thanks for your work with c-vtapi!

Line 19 in the README has the "jansson-devel" package misspelled. Just noting in case someone if copy and pasting the commands from README.

If I click on the green "Clone or download" button I got via the appearing "Download ZIP" link the option to download the file master.zip. But that archive seems to have a problem since the member file README.md seems to be a symlink to its "own contents" (extract of the contents listing):

        5 2018-06-30 21:41 c-vtapi-master/NEWS
     1873 2018-06-30 21:41 c-vtapi-master/README
        0 2018-06-30 21:41 c-vtapi-master/README.md -> [![Build Status](https://travis-ci.org/VirusTotal/c-vtapi.svg?branch=travis)](https://travis-ci.org/VirusTotal/c-vtapi)\n\nVirusTotal C API library\nThis libary is designed ...
     5166 2018-06-30 21:41 c-vtapi-master/aminclude.am

Also if I download instead https://github.com/VirusTotal/c-vtapi/archive/master.tar.gz I see on my Linux system the same problem.

These functions are vulnerable to buffer overflow caused by the unchecked supplied arguments length.

int VtDomain_report(struct VtDomain *vt_domain, const char *ip_addr_str) {

  CURL *curl;
  CURLcode res;
  int ret = 0;
  char get_url[512];  <-- fixed buffer size
  int len = 0;


  VtApiPage_resetBuffer((struct VtApiPage *) vt_domain);
  curl = curl_easy_init();
  if (!curl) {
    VT_ERROR("init curl\n");
    goto cleanup;
  }

  DBG(1, "Api Key =  '%s'\n", vt_domain->api_key);

  if (ret)
    VT_ERROR("Adding key\n");

  len = sprintf(get_url, VT_API_BASE_URL "domain/report?apikey=%s&domain=%s",
                vt_domain->api_key, ip_addr_str); <-- unchecked ip_addr_str length
  if (len < 0) {
    VT_ERROR("sprintf\n");
    goto cleanup;
  }

int VtFileDist_getDistribution(struct VtFileDist *vt_udist) {

  CURL *curl;
  CURLcode res;
  int ret = 0;
  char get_url[512]; <-- fixed buffer size
  int len = 0;
  long http_response_code = 0;


  VtApiPage_resetBuffer((struct VtApiPage *) vt_udist);
  curl = curl_easy_init();
  if (!curl) {
    VT_ERROR("init curl\n");
    goto cleanup;
  }

  DBG(1, "Api Key =  '%s'\n", vt_udist->api_key);

  if (ret)
    VT_ERROR("Adding key\n");

  len = sprintf(get_url, VT_API_BASE_URL "file/distribution?apikey=%s", vt_udist->api_key); <-- api_key length unchecked
  if (len < 0) {
    VT_ERROR("sprintf\n");
    goto cleanup;
  }

I just tried cloning this onto a machine running Redhat 7.5 and it threw an error saying it couldn't create the file README.md because it was symlinking to a file with a path that was too long.

Digging into the error a bit I found that the problematic thing was that the file system thought that README.md was a symlink and the contents (on linux at least) should just be the path of the destination (for soft symlinks) so it tried to do this:

README.md  -> [![Build Status](https://travis-ci.org/VirusTotal/c-vtapi.svg?branch=travis)](https://travis-ci.org/VirusTotal/c-vtapi)^J^JVirusTotal C API library^JThis libary is designed to work with both the:^I^J  * The public API https://www.virustotal.com/en/documentation/public-api/^J  * The private API https://www.virustotal.com/en/documentation/private-api/^J^JRuntime Dependencies^J  * curl or libcurl  (curl-devel package on some distributions)^J  * janson version 2.2 (min) (2.5 or newer recommeded.  janson-devel on some distros)^J^JCompiling Dependencies^J  * automake, autoconf  (might be autotools package on your platform)^J  * gcc^J  * libtool^J^JDebian or Ubuntu Dependencies:^J```^Jsudo apt-get install automake autoconf libtool libjansson-dev libcurl4-openssl-dev^J```^J^JRedhat, Fedora, Centos or RPM based distros:^J```^Jyum install libtool jansson-devel^J```^J^JTo compile on Linux, BSD, or Mac OS X:^J```^Jautoreconf -fi^J./configure^Jmake^Jsudo make install^J```^J^JIf you wish to build the examples in the 'examples' directory:^J```^Jautoreconf -fi^J./configure --enable-examples^Jmake^Jsudo make install^J```^J^JIf you have doxygen installed on your system you may optionally generate developer doxygen docs:^J ```^Jmake doxygen-doc^J```^J^JUsage on MS Windows is partially functioal now, but requires more patches to be fully supported.^J^JWindows compilation:^J```^J* Installl mingw^J  *  mingw32 gcc-g++^J  *  mingw32-autoconf^J  *  mingw32-automake^J* compile libcurl  (See their docs on windows compile)^J```^J^JWindows compilation (MS Visual Studio)^J * install MS Visual Studio 2013^J * install CMake^J * Compile jansson  (see janson docs)^J * Compile curl  (see janson docs)^J^I^J^JSee Examples in examples/^JFor some example test programs using API.^J^Jurl --apikey=YOUR_KEY --scan http://youtube.com^Jurl --apikey=YOUR_KEY --report http://youtube.com^J^J^Jscan --help^J./scan --apikey YOUR_KEY --filescan /bin/ls^J./scan --apikey YOUR_KEY --report HASH^J

which obviously doesn't work all that well. Doing a git diff (once you get past the strange symlinky stuff) interprets it weirdly as well and shows a symlink to /dev/null.

Not sure if this is an OS compatibility thing but it definitely had be confused for a few minutes.

Hello Karl (if I may?),
I am currently working with another person on a small virustotal upload client written in C. And we have some trouble with the includes of the lib.

I installed the libcvtapi in /usr/lib/ the header files are in /usr/include..

the include of the files works fine but we have some unknown reference errors due to wrong compiling/wrong lib location dont know:

Here an example:
main.c:(.text+0x130): undefined reference to VtFile_new'`

so our conclusion is that there must be something wrong with our libcvtapi. Maybe one reason is your prefered way to compile the lib just locally and use it locally instead of globally.

some idea how to fix this issue?

greetings,

Chris

I followed the installation instruction in the README for Ubuntu 18.04. Invoking autoreconf -fi causes the following error:

libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize:   error: AC_CONFIG_MACRO_DIRS([m4]) conflicts with ACLOCAL_AMFLAGS=-. m4
autoreconf: libtoolize failed with exit status: 1

When I compile this code on windows,I found a spell error on VtObject.h line 56,it should be "INFINITE".

The current master branch no longer builds on Ubuntu 20.04 (or derivatives, such as Zorin OS or elementaryOS) due to AC_PREREQ([2.71]) in configure.ac as of f1cd763.

Ubuntu 20.04 ("Focal Fossa") only has Autoconf 2.69.

$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Zorin
Description:    Zorin OS 16.3
Release:        16
Codename:       focal

$ dpkg -l | grep autoconf
ii  autoconf      2.69-11.1      all      automatic configure script builder

When you attempt to run autoreconf -fi as instructed, the output will look something like this:

$ autoreconf -fi                                                                     
configure.ac:2: error: Autoconf version 2.71 or higher is required
configure.ac:2: the top level
autom4te: /usr/bin/m4 failed with exit status: 63
aclocal: error: echo failed with exit status: 63
autoreconf: aclocal failed with exit status: 63

Since Ubuntu 20.04 loses support in April 2024 (I think, going from memory here), probably the developers aren't going to want to do anything about this. I'll be closing the issue right after opening it, just so the workaround is recorded here for posterity.

Here's the workaround:

# check out the last version of `configure.ac` that _didn't_ require 2.71
git checkout -b ac-261 0bd1a07

# create a symlink from `README.md` to `README` to avoid the error
# `Makefile.am: error: required file './README' not found`
ln -s README.md README

# per the README
autoreconf -fi

From there, continue with the instructions in README.md