Re: [Lynx-dev] CAN-2005-3120
From: Thomas Dickey
Subject: Re: [Lynx-dev] CAN-2005-3120
Date: Thu, 1 Jun 2006 09:41:53 -0400 (EDT)
On Thu, 1 Jun 2006, Atsuhito Kohda wrote:
Hi all,
I got an email from Debian security team today;
unsurprising. Debian security team needs some review.
it seems that CAN-2005-3120 is not fixed in the current version
of lynx-cur in testing/unstable. I'm attaching the patch from
Ulf.
Ulf sent me mail last year with a simple patch (which may be what you're
showing). It replaced one bug with another. I made a better patch which
is in lynx. Debian security team ignored that (unlike the other
packagers) and put in Ulf's original bug-to-bug patch. I pointed that
out, and was ignored.
Here's the changelog entry which is pertinent:
* eliminate fixed-size buffers in HTrjis() and related functions to avoid
potential buffer overflow in nntp pages (report by Ulf Harnhammar,
CAN-2005-3120) -TD
Ulf Härnhammar discovered a buffer overflow that can be remotely
exploited. During the handling of Asian characters when connecting
to an NNTP server lynx can be tricked to write past the boundary
of a buffer which can lead to the execution of arbitrary code.
with a patch
--- WWW/Library/Implementation/HTMIME.c.old 2004-01-08 03:03:09.000000000
+0100
+++ WWW/Library/Implementation/HTMIME.c 2005-09-25 17:25:02.499592560 +0200
@@ -2230,7 +2230,7 @@ PUBLIC int HTrjis ARGS2(
strcpy(t, s);
return 1;
}
- for (p = buf; *s; ) {
+ for (p = buf; *s && p < buf + LINE_LENGTH - 8; ) {
if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
if (HTmaybekanji((int)s[2], (int)s[3])) {
kanji = 1;
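Review bot: The new loop condition, p < buf + LINE_LENGTH - 8, hard-codes a margin of 8 with no comment saying how many bytes one iteration can write, and it assumes buf is declared with LINE_LENGTH bytes, which this hunk does not show. Derive the limit from the buffer itself (for example buf + sizeof(buf) minus a documented margin), or size the output from strlen(s) so that long input is not cut off. The follow-up in this message also notes that LINE_LENGTH is not defined in HTMIME.c of 2.8.6dev.17.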
@@ -2253,7 +2253,7 @@ PUBLIC int HTrjis ARGS2(
}
*p++ = *s++;
}
- *p = *s; /* terminate string */
+ *p = '\0'; /* terminate string */
strcpy(t, buf);
return 0;
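Review bot: Now that the loop can stop before the end of s, the function still finishes with strcpy(t, buf) and return 0, so a caller cannot tell that the tail of the input was dropped, and the copy into t is not checked against the size of t. Return a distinct value on truncation (or avoid truncating at all) and make the final copy length-aware, for example by passing the size of t in. The change from *p = *s to *p = '\0' is required once the loop has a second exit condition.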
This is not cleanly applied (one needs to modify manually)
and a bit insufficient because LINE_LENGTH is not defined
in HTMIME.c of 2.8.6dev.17
I'd like to know the real fix of the problem.
Regards, 2006-6-1(Thu)
--
Debian Developer & Debian JP Developer - much more I18N of Debian
Atsuhito Kohda <kohda AT debian.org>
Department of Math., Univ. of Tokushima
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
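
Added example, not part of the original message and not Lynx code: a sketch of the approach the changelog entry names, where the output is sized from the input instead of written into a fixed-size buffer. The function name restore_esc and its simplified rule are assumptions: it re-inserts an ESC byte ahead of the two-byte designators tested in the quoted hunk ("$@", "$B") and their assumed counterparts ("(J", "(B"), without the HTmaybekanji() check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ESC '\033'

/* Hypothetical, simplified escape-restoring pass (not the Lynx function).
 * Returns a malloc'd string sized from the input, or NULL if malloc fails. */
char *restore_esc(const char *s)
{
    size_t len = strlen(s);
    /* Each 2-byte designator gains one ESC, so output <= len + len/2. */
    char *out = malloc(len + len / 2 + 1);
    char *p = out;
    int kanji = 0;

    if (out == NULL)
        return NULL;
    while (*s) {
        /* s[1] is read only after s[0] matched, so it is at worst the NUL. */
        int enter = !kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B');
        int leave = kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B');

        if (enter || leave) {
            *p++ = ESC;      /* the byte that was stripped in transit */
            *p++ = *s++;     /* first designator byte */
            kanji = enter;   /* 1 after "$@"/"$B", 0 after "(J"/"(B" */
        }
        *p++ = *s++;         /* second designator byte, or ordinary byte */
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample input: designators with their ESC bytes missing. */
    char *r = restore_esc("a$Bxy(Bz");

    if (r == NULL)
        return 1;
    printf("%zu bytes out\n", strlen(r));
    free(r);
    return 0;
}
```

Because the allocation follows the input length, a header longer than any fixed line buffer is converted whole rather than overflowing or being cut off.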