Re: lynx-dev (forw) Possible buffer overflows in Lynx?
From: T.E.Dickey
Subject: Re: lynx-dev (forw) Possible buffer overflows in Lynx?
Date: Mon, 28 Feb 100 21:06:50 -0500 (EST)
> On Mon, 28 Feb 2000, Rob Partington wrote:
>
> >
> > I'm a bit behind wrt Lynx development, sorry if this has already been
> > dealt with. Is this as bad as he claims?
>
> Sure there are buffer overflows. Nobody has done a comprehensive audit.
agreed (but we keep picking away at it).
> If one needs to put a bogus http_proxy like http://AAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[add a couple thousand more] in
I thought we fixed the places reported in this - last summer.
> lynx.cfg in order to provoke them, I fail to see how that is a security
> problem. If you do that as the admin or user, you get what you deserve.
> If some intruder has write access to lynx.cfg, you are already screwed.
>
> Fixed length buffers are still used in various places, without checking
> always for overruns. One place is HTTP.c, with things like
> sprintf(line, "Host: %s%c%c", host, CR,LF);
ok (always more to find).
> As for "some overflows when viewing 'Information about current document'
> and so on" - I don't know what they are. LYShowInfo.c uses some fixed
> length buffers, but AFAICS they are used (in a way that could be exploited)
> only for local files, i.e., in dired mode. One would have to browse a local
> directory with impossibly long filenames to run into this.
>
> One thing though: LY_MAXPATH may be way too small for some systems.
> It is defined to 256 in HTUtils.h. Shouldn't this match the system's
> PATH_MAX (or MAXPATHLEN) (+ 1 ?) instead?
PATH_MAX is technically a minimum - the system declares that it can support
pathnames at least that long.
> Klaus
>
> > ------- Forwarded Message
> >
> > Date: Sun, 27 Feb 2000 16:30:03 +0100
> > From: Michal Zalewski <address@hidden>
> > To: address@hidden
> > Subject: lynx - someone is deaf and blind ;)
> >
> [...]
> > Similar problems are present for example when lynx is using proxy server
> > (often sysadm puts proxy server settings in global lynx.cfg) - even in
> > recent 2.8.3dev2x releases - http://AAA... or ftp://AAA... requests with
> > over 2 kb of junk after protocol identifier (instead of valid hostname) -
> > 0x41414141 SEGV - old, good, exploitable overflow while preparing request
> > for proxy server. AND MORE FOLLOWS - for example some overflows when
> > viewing 'Information about current document' and so on, all related to
> > extremely long URLs.
> [...]
>
--
Thomas E. Dickey
address@hidden
http://www.clark.net/pub/dickey
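The HTTP.c pattern Klaus quotes above, `sprintf(line, "Host: %s%c%c", host, CR, LF)`, overflows whenever the hostname (here, a bogus http_proxy value) is longer than the fixed buffer minus the header overhead. The following is an added example, not Lynx's own code: it shows the size arithmetic behind that overflow and a bounded replacement that refuses to send a truncated request. `LINE_SIZE` (256), the 2048-byte hostname and `proxy.example` are constructed for the illustration and do not correspond to Lynx's actual buffer sizes or configuration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CR '\r'
#define LF '\n'

/* Hypothetical fixed line buffer, chosen for the example only;
   Lynx's real buffer sizes vary by file and version. */
#define LINE_SIZE 256

/* Overhead written around the hostname by the quoted sprintf:
   "Host: " (6 bytes) plus CR and LF (2 bytes). */
#define HOST_HDR_OVERHEAD 8

/* Number of bytes the quoted sprintf would emit (excluding the NUL).
   Computed instead of performed, so an oversized host is never actually
   written past the end of a buffer here. */
size_t host_header_len(const char *host)
{
    return HOST_HDR_OVERHEAD + strlen(host);
}

/* 1 if the unbounded sprintf into a LINE_SIZE buffer would overflow. */
int host_header_overflows(const char *host)
{
    return host_header_len(host) + 1 > LINE_SIZE; /* +1 for the NUL */
}

/* Longest hostname that still fits in a line buffer of line_size bytes. */
size_t max_host_len(size_t line_size)
{
    return line_size - 1 - HOST_HDR_OVERHEAD;
}

/* Hardened form: bound the write and treat truncation as an error,
   because a silently cut Host: line is a malformed request, not a fix.
   Returns the header length, or -1 if it did not fit. */
int build_host_header(char *line, size_t line_size, const char *host)
{
    int n = snprintf(line, line_size, "Host: %s%c%c", host, CR, LF);
    if (n < 0 || (size_t)n >= line_size) {
        if (line_size > 0)
            line[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed attacker-style hostname: n bytes of 'A' (0x41), the kind of
   input that yields the 0x41414141 SEGV mentioned in the forwarded report. */
char *make_long_host(size_t n)
{
    char *h = malloc(n + 1);
    if (h == NULL)
        return NULL;
    memset(h, 'A', n);
    h[n] = '\0';
    return h;
}

/* Worked check: a 2048-byte hostname must be refused by the bounded
   builder and leave the buffer empty. Returns 1 on that behaviour. */
int long_host_is_rejected(void)
{
    char line[LINE_SIZE];
    char *h = make_long_host(2048);
    int ok = h != NULL
          && host_header_overflows(h)
          && build_host_header(line, sizeof line, h) == -1
          && line[0] == '\0';
    free(h);
    return ok;
}

int main(void)
{
    char line[LINE_SIZE];
    int n = build_host_header(line, sizeof line, "proxy.example");
    printf("normal host: %d bytes, overflow=%d\n", n,
           host_header_overflows("proxy.example"));
    printf("max hostname for %d-byte buffer: %zu\n", LINE_SIZE,
           max_host_len(LINE_SIZE));
    printf("2048 x 'A' rejected: %d\n", long_host_is_rejected());
    return 0;
}
```

The point of `max_host_len` is that with the unbounded `sprintf` anything past 247 bytes lands outside the buffer; a hostname of a couple of thousand bytes, as in the report, walks well past the saved return address, which is where the `0x41414141` fault comes from. `snprintf` alone is not enough: the truncation check is what turns the overflow into a refused request rather than a silently mangled one.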