lout-users

Re: Buffer overflow in the StringQuotedWord() function


From: William Bader
Subject: Re: Buffer overflow in the StringQuotedWord() function
Date: Thu, 22 Oct 2020 04:42:32 +0000

> I can't see the bug descriptions without logging in?

I didn't have to log in.
I have the descriptions below, and I attached the example files that cause the problems (although the mailing list might strip it).
I am willing to look at it next week if no one else is already looking at it.
With luck, it is just adding the tests in my previous email, confirming that it fixes the crashes, and using the docs distributed with lout as a regression test.
Regards, William

CVE-2019-19918
https://lists.gnu.org/archive/html/lout-users/2019-12/msg00001.html
ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6260000000ff at pc 0x0000004d9b84 bp 0x7fff16458220 sp 0x7fff16458218
WRITE of size 1 at 0x6260000000ff thread T0
    #0 0x4d9b83 in srcnext /home/fcambus/lout-3.40/z02.c:381:26
    #1 0x4d37b2 in LexGetToken /home/fcambus/lout-3.40/z02.c:491:15
    #2 0x4f75fd in Parse /home/fcambus/lout-3.40/z06.c:819:7
    #3 0x4ce4b5 in run /home/fcambus/lout-3.40/z01.c:898:9
    #4 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5
    #5 0x7f11f51731e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #6 0x41b45d in _start (/home/fcambus/lout-3.40/lout+0x41b45d)
0x6260000000ff is located 1 bytes to the left of 10243-byte region
[0x626000000100,0x626000002903)
allocated by thread T0 here:
    #0 0x49335d in malloc (/home/fcambus/lout-3.40/lout+0x49335d)
    #1 0x4d1c2d in LexPush /home/fcambus/lout-3.40/z02.c:240:29

CVE-2019-19917
https://lists.gnu.org/archive/html/lout-users/2019-12/msg00002.html
ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001043820 at pc 0x000000683f48 bp 0x7ffed5cd8ad0 sp 0x7ffed5cd8ac8
WRITE of size 1 at 0x000001043820 thread T0
    #0 0x683f47 in StringQuotedWord /home/fcambus/lout-3.40/z39.c:254:66
    #1 0x689912 in WriteObject /home/fcambus/lout-3.40/z41.c:310:7
    #2 0x68b320 in WriteClosure /home/fcambus/lout-3.40/z41.c:215:4
    #3 0x689fb8 in WriteObject /home/fcambus/lout-3.40/z41.c:469:7
    #4 0x6884a1 in AppendToFile /home/fcambus/lout-3.40/z41.c:688:3
    #5 0x57b60f in CrossSequence /home/fcambus/lout-3.40/z10.c:891:2
    #6 0x6172ed in Promote /home/fcambus/lout-3.40/z22.c:838:4
    #7 0x5face4 in FlushGalley /home/fcambus/lout-3.40/z20.c:776:7
    #8 0x5d5e23 in TransferEnd /home/fcambus/lout-3.40/z18.c:499:5
    #9 0x4ce4e2 in run /home/fcambus/lout-3.40/z01.c:901:3
    #10 0x4c30f4 in main /home/fcambus/lout-3.40/z01.c:971:5
    #11 0x7f00c952b1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #12 0x41b45d in _start (/home/fcambus/lout-3.40/lout+0x41b45d)
0x000001043820 is located 0 bytes to the right of global variable 'buff'
defined in 'z39.c:248:20' (0x1043620) of size 512
SUMMARY: AddressSanitizer: global-buffer-overflow


From: Oliver Bandel <oliver@first.in-berlin.de>
Sent: Wednesday, October 21, 2020 9:02 PM
To: Matěj Cepl <mcepl@cepl.eu>
Cc: William Bader <williambader@hotmail.com>; Frederic Cambus <fred@statdns.com>; lout-users@nongnu.org <lout-users@nongnu.org>
Subject: Re: Buffer overflow in the StringQuotedWord() function
 
Quoting Matěj Cepl <mcepl@cepl.eu> (snt: 2020-10-20 17:20 +0200 CEST) (rcv: 2020-10-20 17:21 +0200 CEST):
> William Bader píše v So 21. 12. 2019 v 11:59 +0000:
> > Is anyone still maintaining lout?
>
> That’s the question, isn’t it? We have in OpenSUSE still two
> opened CVEs (https://bugzilla.suse.com/1159713 and
> https://bugzilla.suse.com/1159714), Debian just removed lout
> from its archive (https://bugs.debian.org/972182).
[...]

I can't see the bug descriptions without logging in?
wtf.

And following the smash.suse.de link, I got an error.


Ciao,
  Oliver

Attachment: lout-cve.tar.bz2
Description: lout-cve.tar.bz2
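The second AddressSanitizer report above (a write 0 bytes to the right of the 512-byte global `buff` in StringQuotedWord) is the classic fixed-buffer quoting bug: the quoted form of a word grows by two bytes of surrounding quotes plus one extra byte per escaped character, and nothing checks that it still fits. The following is an added example and not lout's own code; it assumes a hypothetical 512-byte global `buff` (size taken from the report), a quoting convention that wraps the word in double quotes and backslash-escapes `"` and `\` (an assumption, not verified against lout), and shows a length-checked routine together with the boundary cases a regression test for this kind of fix should cover.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a fixed-size global output buffer; the
   512-byte size is taken from the AddressSanitizer report above. */
#define BUFF_SIZE 512
static char buff[BUFF_SIZE];

/* Bytes the quoted form of src occupies, not counting the NUL:
   two surrounding quotes plus one extra byte per escaped character.
   The escaping convention (backslash before '"' and '\\') is assumed. */
size_t quoted_len(const char *src)
{
    size_t n = 2;
    for (; *src; src++)
        n += (*src == '"' || *src == '\\') ? 2 : 1;
    return n;
}

/* Write the quoted form of src into dst (capacity cap bytes).
   Returns the number of bytes written (excluding the NUL), or -1 when
   the quoted form plus its NUL would not fit.  On failure dst is left
   as an empty string; nothing is written past dst[cap-1]. */
int quoted_word(const char *src, char *dst, size_t cap)
{
    size_t need = quoted_len(src);
    size_t i = 0;

    if (cap == 0)
        return -1;
    if (need + 1 > cap) {          /* +1 for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    dst[i++] = '"';
    for (; *src; src++) {
        if (*src == '"' || *src == '\\')
            dst[i++] = '\\';
        dst[i++] = *src;
    }
    dst[i++] = '"';
    dst[i] = '\0';
    return (int)i;
}

/* Convenience wrapper quoting into the global buffer. */
int quote_into_buff(const char *word)
{
    return quoted_word(word, buff, BUFF_SIZE);
}

/* Regression helper: does a word of 'len' plain characters fit into
   buff?  Returns 1 if it fits, 0 if it is rejected, -1 on bad len.
   With a 512-byte buffer the boundary is 509 characters (509 + 2
   quotes + NUL = 512); 510 must be rejected rather than overflow. */
int plain_word_fits(size_t len)
{
    static char word[2048];        /* constructed sample input */
    if (len >= sizeof word)
        return -1;
    memset(word, 'x', len);
    word[len] = '\0';
    return quote_into_buff(word) >= 0;
}

int main(void)
{
    int n = quote_into_buff("a\"b\\c");
    printf("%d bytes: %s\n", n, buff);
    printf("509 fits: %d, 510 fits: %d\n",
           plain_word_fits(509), plain_word_fits(510));
    return 0;
}
```

The two boundary calls are the check worth keeping as a regression test: the longest word that fits must still round-trip, and the next longer one must be refused instead of writing one byte past the buffer, which is exactly the "0 bytes to the right" condition the report describes.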

