
Re: [Lynx-dev] CAN-2005-3120

From: Thomas Dickey
Subject: Re: [Lynx-dev] CAN-2005-3120
Date: Thu, 1 Jun 2006 09:41:53 -0400 (EDT)

On Thu, 1 Jun 2006, Atsuhito Kohda wrote:

Hi all,

I got an email from Debian security team today;

unsurprising.  Debian security team needs some review.

 it seems that CAN-2005-3120 is not fixed in the current version
 of lynx-cur in testing/unstable.  I'm attaching the patch from

Ulf sent me mail last year with a simple patch (which may be what you're
showing). It replaced one bug with another. I made a better patch which is in lynx. Debian security team ignored that (unlike the other packagers) and put in Ulf's original bug-to-bug patch. I pointed that out, and was ignored.

Here's the changelog entry which is pertinent:

* eliminate fixed-size buffers in HTrjis() and related functions to avoid
  potential buffer overflow in nntp pages (report by Ulf Harnhammar,
  CAN-2005-3120) -TD

   Ulf Härnhammar discovered a buffer overflow that can be remotely
   exploited. During the handling of Asian characters when connecting
   to an NNTP server lynx can be tricked to write past the boundary
   of a buffer which can lead to the execution of arbitrary code.

with a patch

--- WWW/Library/Implementation/HTMIME.c.old     2004-01-08 03:03:09.000000000 
+++ WWW/Library/Implementation/HTMIME.c 2005-09-25 17:25:02.499592560 +0200
@@ -2230,7 +2230,7 @@ PUBLIC int HTrjis ARGS2(
            strcpy(t, s);
        return 1;
-    for (p = buf; *s; ) {
+    for (p = buf; *s && p < buf + LINE_LENGTH - 8; ) {
        if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
            if (HTmaybekanji((int)s[2], (int)s[3])) {
                kanji = 1;
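Review bot: the new loop bound `p < buf + LINE_LENGTH - 8` rests on a symbol that, as the reply notes, is not defined in HTMIME.c for 2.8.6dev.17, and on an unexplained slack of 8; if `buf` is a local array, bound on its actual size and add a comment stating what the headroom covers, namely the largest number of bytes one pass through the loop body writes, because a check that is evaluated only in the loop condition is safe only if no single iteration writes more than that slack. The early path `strcpy(t, s); return 1;` stays unbounded, so even with this change the function remains correct only if every caller sizes `t` to hold the whole input.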
@@ -2253,7 +2253,7 @@ PUBLIC int HTrjis ARGS2(
        *p++ = *s++;
-    *p = *s;   /* terminate string */
+    *p = '\0'; /* terminate string */

    strcpy(t, buf);
    return 0;
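Review bot: `*p = '\0'` is needed once the loop can stop before the input ends, since the old `*p = *s` only terminated the string because the old condition `*s` guaranteed `*s == 0` on exit; but the function still falls through to `strcpy(t, buf); return 0;` whether or not the bound was hit, so a caller cannot tell that the line was cut short, possibly inside a `$@`/`$B` shift sequence. Consider returning a distinct value (or at least logging) when `*s` is still non-zero after the loop, and replacing the closing `strcpy(t, buf)` with a length-checked copy; as it stands the hunk trades the overflow for silent truncation, which is the "bug-to-bug" trade the reply objects to, and the changelog entry above removes the fixed-size buffer instead.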

This does not apply cleanly (one needs to modify it manually)
and is a bit insufficient because LINE_LENGTH is not defined
in HTMIME.c of 2.8.6dev.17

I'd like to know the real fix of the problem.

Regards,                      2006-6-1(Thu)

Debian Developer & Debian JP Developer - much more I18N of Debian
Atsuhito Kohda <kohda AT>
Department of Math., Univ. of Tokushima


Thomas E. Dickey
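Added example, not Lynx code and not from either of the people quoted above: a simplified model of the repair HTrjis() performs, written to show why a fixed-size buffer overflowed here and what a length-aware version looks like. The assumptions are mine: that the function restores lost ESC bytes in front of the "$B"/"$@" kanji-in and "(B"/"(J" kanji-out shifts, that a byte pair in 0x21..0x7E stands in for HTmaybekanji(), and the names rjis_needed, rjis_restore, rjis_restore_alloc and rjis_selftest. The sample lines are constructed, not captured NNTP traffic.

```c
#include <stdlib.h>
#include <string.h>

#define ESC 0x1b

/* Does a shift sequence start at s in the current mode?  Kanji-in is "$B" or
 * "$@" followed by a byte pair in 0x21..0x7E (assumed stand-in for Lynx's
 * HTmaybekanji()); kanji-out is "(B" or "(J".  Never reads past a NUL. */
static int at_shift(const unsigned char *s, int kanji)
{
    if (kanji)
        return s[0] == '(' && (s[1] == 'B' || s[1] == 'J');
    return s[0] == '$' && (s[1] == 'B' || s[1] == '@')
        && s[2] >= 0x21 && s[2] <= 0x7e && s[3] >= 0x21 && s[3] <= 0x7e;
}

/* As in Lynx, a line that already carries ESC or has no '$' is left alone. */
static int needs_repair(const char *src)
{
    return strchr(src, ESC) == NULL && strchr(src, '$') != NULL;
}

/* Bytes (excluding NUL) the repaired line occupies.  Every shift sequence gains
 * an ESC byte, so the output can exceed both the input and a fixed LINE_LENGTH
 * buffer; that growth is the overflow behind CAN-2005-3120. */
size_t rjis_needed(const char *src)
{
    const unsigned char *s = (const unsigned char *)src;
    int repair = needs_repair(src), kanji = 0;
    size_t n = 0;
    while (*s) {
        if (repair && at_shift(s, kanji)) { kanji = !kanji; n += 3; s += 2; }
        else { n++; s++; }
    }
    return n;
}

/* Bounded repair into dst[dstlen].  Space is checked before every write and a
 * shift sequence is never split.  Returns bytes written (excluding NUL), or -1
 * when the result would not fit; dst is NUL-terminated either way. */
long rjis_restore(char *dst, size_t dstlen, const char *src)
{
    const unsigned char *s = (const unsigned char *)src;
    int repair = needs_repair(src), kanji = 0;
    size_t used = 0;
    if (dstlen == 0)
        return -1;
    while (*s) {
        int shift = repair && at_shift(s, kanji);
        size_t chunk = shift ? 3u : 1u;
        if (used + chunk + 1 > dstlen) {    /* +1 keeps room for the NUL */
            dst[used] = '\0';
            return -1;                      /* caller sees the truncation */
        }
        if (shift) {
            dst[used++] = ESC;              /* restore the lost ESC */
            dst[used++] = (char)*s++;       /* '$' or '(' */
            kanji = !kanji;
        }
        dst[used++] = (char)*s++;           /* second shift byte, or plain byte */
    }
    dst[used] = '\0';
    return (long)used;
}

/* The direction the changelog entry above takes, no fixed-size buffer: size
 * the output from the input.  Caller frees. */
char *rjis_restore_alloc(const char *src)
{
    size_t need = rjis_needed(src) + 1;
    char *out = malloc(need);
    if (out != NULL && rjis_restore(out, need, src) < 0) {
        free(out);
        out = NULL;
    }
    return out;
}

/* Self-check on constructed input: "$B!!(B" is a 6-byte unit that repairs to
 * 8 bytes, so a long run of them outgrows any fixed slack such as
 * LINE_LENGTH - 8.  Returns 1 when every check passes. */
int rjis_selftest(void)
{
    enum { UNITS = 100 };
    char raw[UNITS * 6 + 1];
    char small[UNITS * 7];          /* larger than the input, still too small */
    char *full;
    int i, ok = 1;
    for (i = 0; i < UNITS; i++)
        memcpy(raw + i * 6, "$B!!(B", 6);
    raw[UNITS * 6] = '\0';
    ok &= rjis_needed(raw) == (size_t)UNITS * 8;
    ok &= rjis_restore(small, sizeof small, raw) == -1;     /* refused */
    ok &= strlen(small) < sizeof small;                     /* terminated */
    full = rjis_restore_alloc(raw);
    ok &= full != NULL && strlen(full) == (size_t)UNITS * 8
        && full[0] == ESC && full[3] == '!' && full[5] == ESC;
    free(full);
    return ok;
}
```

The point rjis_selftest makes is the one a fixed `LINE_LENGTH - 8` slack misses: every restored shift adds a byte, so a long header line can grow by a third, and a bound that is only checked in the loop condition has to either refuse and report (rjis_restore) or allocate from the counted size (rjis_restore_alloc) rather than truncate silently.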
