
Cloud Vulnerability DB
A community-led vulnerabilities database
A stack-based buffer overflow vulnerability exists in Linux Ratfor 1.06 and earlier. When the software processes a file specially crafted by an attacker, arbitrary code may be executed. The vulnerability was discovered and reported by Yuhei Kawakoya of NTT Social Informatics Laboratories / NTT Security Holdings Corporation (JVNVU92217718).
The vulnerability is classified as a stack-based buffer overflow (CWE-121). The issue occurs when processing include directives, specifically in the gettok() and gtok() functions where buffer boundaries are not properly checked when handling include file names and terminating tokens (Ratfor Changelog). The vulnerability has been assigned a CVSS v3.0 base score of 7.0 HIGH with vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (JVNVU92217718).
If successfully exploited, an attacker may obtain or alter information in the user's environment or render that environment unusable. The vulnerability requires user interaction: the victim must process a crafted Ratfor source file with the affected product (JVNVU92217718).
The vulnerability has been fixed in Linux Ratfor version 1.07, released on January 13, 2025. The new version implements stronger buffer overflow prevention mechanisms when processing include directives and reduces the documented maximum quoted-string include filename length to 60 characters. Users are advised to update to the latest version (Ratfor Changelog).
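The defect class described above is an include-filename copy into a fixed-size stack buffer with no length check. The following is an added illustration written for this page, not Ratfor's own tokenizer code: a hypothetical `read_include_name()` that scans a quoted include filename the way a Ratfor-style lexer would, but refuses any name longer than the caller's buffer or the 60-character limit the 1.07 changelog documents, instead of writing past the end of the buffer. The limit constant, function name and sample input lines are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit; the 1.07 changelog documents a 60-character maximum for
   quoted include filenames. Adjust to match the real tokenizer's buffer. */
#define MAX_INCLUDE_NAME 60

/*
 * Parse a quoted include filename from `src`, which points at the text
 * following the "include" keyword (e.g. "  \"defs.r\"").  Copies the name into
 * `out` (capacity `outsz`, always NUL-terminated on success).
 *
 * Returns the name length on success, or -1 if the name is missing its
 * quotes, is unterminated, or would exceed MAX_INCLUDE_NAME or `outsz`.
 * The bounds test happens before each byte is stored, so the function can
 * never write past `out` regardless of how long the input is.
 */
int read_include_name(const char *src, char *out, size_t outsz)
{
    if (out == NULL || outsz == 0)
        return -1;

    while (*src == ' ' || *src == '\t')
        src++;

    char quote = *src;
    if (quote != '"' && quote != '\'')
        return -1;              /* include filename must be quoted */
    src++;

    size_t n = 0;
    for (; *src != '\0' && *src != '\n' && *src != quote; src++) {
        /* Reject instead of overflowing: keep one byte for the terminator
           and honour the documented maximum length. */
        if (n + 1 >= outsz || n >= MAX_INCLUDE_NAME)
            return -1;
        out[n++] = *src;
    }
    if (*src != quote)
        return -1;              /* unterminated quoted string */

    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample directives: a normal name and an over-long one. */
    const char *ok_line = "include \"defs.r\"";
    char long_line[128];
    char long_name[80];
    memset(long_name, 'a', 70);
    long_name[70] = '\0';
    snprintf(long_line, sizeof long_line, "include \"%s\"", long_name);

    char buf[64];
    int n = read_include_name(ok_line + strlen("include"), buf, sizeof buf);
    printf("%s -> %d (%s)\n", ok_line, n, n >= 0 ? buf : "rejected");

    n = read_include_name(long_line + strlen("include"), buf, sizeof buf);
    printf("70-char name -> %d (%s)\n", n, n >= 0 ? buf : "rejected");
    return 0;
}
```

The two checks inside the loop are the whole fix: the `outsz` test protects the actual buffer the caller passed, and the `MAX_INCLUDE_NAME` test enforces the documented limit so a larger caller buffer does not silently accept names the rest of the program cannot handle. Returning -1 rather than truncating keeps a truncated path from being opened in place of the one the source file named.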
Source: This report was generated using AI