Bugzilla – Attachment 53596 Details for
Bug 121926
VUL-0: CVE-2005-3120: lynx: buffer overflow
lynx-backported.txt (text/plain), 13.63 KB, created by Thomas Biege on 2005-10-11 07:04:52 UTC
>From: Tom Rini <trini@mvista.com>
>To: Thomas Dickey <dickey@his.com>
>Cc: Ulf Harnhammar <metaur@telia.com>, vendor-sec@lst.de,
> naddy@mips.inka.de
>Subject: Re: [vendor-sec] Re: Lynx Remote Buffer Overflow
>Message-ID: <20051010203735.GG2092@stop.crashing.org>
>References: <20051007230117.GA15637@localhost.localdomain> <20051008132501.U54168@mail.his.com>
>Mime-Version: 1.0
>Content-Type: multipart/signed; micalg=pgp-sha1;
> protocol="application/pgp-signature"; boundary="wac7ysb48OaltWcw"
>Content-Disposition: inline
>In-Reply-To: <20051008132501.U54168@mail.his.com>
>User-Agent: Mutt/1.5.9i
>Sender: vendor-sec-admin@lst.de
>Errors-To: vendor-sec-admin@lst.de
>X-BeenThere: vendor-sec@lst.de
>X-Mailman-Version: 2.0.11
>Precedence: bulk
>List-Help: <mailto:vendor-sec-request@lst.de?subject=help>
>List-Post: <mailto:vendor-sec@lst.de>
>List-Subscribe: <https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec>,
> <mailto:vendor-sec-request@lst.de?subject=subscribe>
>List-Id: <vendor-sec.lst.de>
>List-Unsubscribe: <https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec>,
> <mailto:vendor-sec-request@lst.de?subject=unsubscribe>
>List-Archive: <https://www.lst.de/cgi-bin/mailman/private/vendor-sec/>
>X-Original-Date: Mon, 10 Oct 2005 13:37:35 -0700
>Date: Mon, 10 Oct 2005 13:37:35 -0700
>X-Virus-Scanned: by amavisd-new at Relay2.suse.de
>X-Spam-Status: No, hits=0.0 tagged_above=-20.0 required=5.0 tests=BAYES_50
>X-Spam-Level:
>
>
>--wac7ysb48OaltWcw
>Content-Type: text/plain; charset=us-ascii
>Content-Disposition: inline
>Content-Transfer-Encoding: quoted-printable
>
>On Sat, Oct 08, 2005 at 01:32:21PM -0400, Thomas Dickey wrote:
>> On Sat, 8 Oct 2005, Ulf Harnhammar wrote:
>[snip]
>> >I hope that we can coordinate our respective updates for Lynx by
>> >agreeing on a release date.
>>=20 >> I've put a patch to address only this issue in >>=20 >> ftp://invisible-island.net/temp/lynx2.8.6dev.13e-special.patch.gz > >I've backported this to 2.8.4dev.20 (odd version, I know) and then up to >2.8.5. The following is the 2.8.5 version (2.8.4 requires fixing up 2 >rejects and stealing the NonNull macro from 2.8.5) > >--- lynx2-8-5/WWW/Library/Implementation/HTMIME.c.orig 2004-01-07 19:03:09.= >000000000 -0700 >+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.c 2005-10-10 13:23:32.00000= >0000 -0700 >@@ -2062,27 +2062,23 @@ > ** > ** Written by S. Ichikawa, > ** partially inspired by encdec.c of <jh@efd.lth.se>. >-** Assume caller's buffer is LINE_LENGTH bytes, these decode to >-** no longer than the input strings. > */ >-#define LINE_LENGTH 512 /* Maximum length of line of ARTICLE etc */ >-#ifdef ESC >-#undef ESC >-#endif /* ESC */ > #include <LYCharVals.h> /* S/390 -- gil -- 0163 */ >-#define ESC CH_ESC >=20 > PRIVATE char HTmm64[] =3D > "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=3D" ; > PRIVATE char HTmmquote[] =3D "0123456789ABCDEF"; > PRIVATE int HTmmcont =3D 0; >=20 >-PUBLIC void HTmmdec_base64 ARGS2( >- char *, t, >+PRIVATE void HTmmdec_base64 ARGS2( >+ char **, t, > char *, s) > { > int d, count, j, val; >- char buf[LINE_LENGTH], *bp, nw[4], *p; >+ char *buf, *bp, nw[4], *p; >+ >+ if ((buf =3D malloc(strlen(s) * 3 + 1)) =3D=3D 0) >+ outofmem(__FILE__, "HTmmdec_base64"); >=20 > for (bp =3D buf; *s; s +=3D 4) { > val =3D 0; >@@ -2113,14 +2109,18 @@ > *bp++ =3D nw[2]; > } > *bp =3D '\0'; >- strcpy(t, buf); >+ StrAllocCopy(*t, buf); >+ FREE(buf); > } >=20 >-PUBLIC void HTmmdec_quote ARGS2( >- char *, t, >+PRIVATE void HTmmdec_quote ARGS2( >+ char **, t, > char *, s) > { >- char buf[LINE_LENGTH], cval, *bp, *p; >+ char *buf, cval, *bp, *p; >+ >+ if ((buf =3D malloc(strlen(s) + 1)) =3D=3D 0) >+ outofmem(__FILE__, "HTmmdec_quote"); >=20 > for (bp =3D buf; *s; ) { > if (*s =3D=3D '=3D') { 
>@@ -2147,23 +2147,27 @@ > } > } > *bp =3D '\0'; >- strcpy(t, buf); >+ StrAllocCopy(*t, buf); >+ FREE(buf); > } >=20 > /* > ** HTmmdecode for ISO-2022-JP - FM > */ > PUBLIC void HTmmdecode ARGS2( >- char *, trg, >+ char **, trg, > char *, str) > { >- char buf[LINE_LENGTH], mmbuf[LINE_LENGTH]; >+ char *buf; >+ char *mmbuf =3D NULL; >+ char *m2buf =3D NULL; > char *s, *t, *u; > int base64, quote; >=20 >- buf[0] =3D '\0'; >- >- for (s =3D str, u =3D buf; *s; ) { >+ if ((buf =3D malloc(strlen(str) + 1)) =3D=3D 0) >+ outofmem(__FILE__, "HTmmdecode"); >+ =20 >+ for (s =3D str, u =3D buf; *s;) { > if (!strncasecomp(s, "=3D?ISO-2022-JP?B?", 16)) { > base64 =3D 1; > } else { >@@ -2181,11 +2185,14 @@ > u--; > } > } >+ if (mmbuf =3D=3D 0) /* allocate buffer big enough for source */ >+ StrAllocCopy(mmbuf, str); > for (s +=3D 16, t =3D mmbuf; *s; ) { > if (s[0] =3D=3D '?' && s[1] =3D=3D '=3D') { > break; > } else { > *t++ =3D *s++; >+ *t =3D '\0'; > } > } > if (s[0] !=3D '?' || s[1] !=3D '=3D') { >@@ -2195,14 +2202,12 @@ > *t =3D '\0'; > } > if (base64) >- HTmmdec_base64(mmbuf, mmbuf); >+ HTmmdec_base64(&m2buf, mmbuf); > if (quote) >- HTmmdec_quote(mmbuf, mmbuf); >- for (t =3D mmbuf; *t; ) >+ HTmmdec_quote(&m2buf, mmbuf); >+ for (t =3D m2buf; *t; ) > *u++ =3D *t++; > HTmmcont =3D 1; >- /* if (*s =3D=3D ' ' || *s =3D=3D '\t') *u++ =3D *s; */ >- /* for ( ; *s =3D=3D ' ' || *s =3D=3D '\t'; s++) ; */ > } else { > if (*s !=3D ' ' && *s !=3D '\t') > HTmmcont =3D 0; >@@ -2211,7 +2216,10 @@ > } > *u =3D '\0'; > end: >- strcpy(trg, buf); >+ StrAllocCopy(*t, buf); >+ FREE(m2buf); >+ FREE(mmbuf); >+ FREE(buf); > } >=20 > /* 
>@@ -2219,22 +2227,27 @@ > ** (The author of this function "rjis" is S. Ichikawa.) > */ > PUBLIC int HTrjis ARGS2( >- char *, t, >+ char **, t, > char *, s) > { >- char *p, buf[LINE_LENGTH]; >+ char *p; >+ char *buf =3D NULL; > int kanji =3D 0; >=20 >- if (strchr(s, ESC) || !strchr(s, '$')) { >- if (s !=3D t) >- strcpy(t, s); >+ if (strchr(s, CH_ESC) || !strchr(s, '$')) { >+ if (s !=3D *t) >+ StrAllocCopy(*t, s); > return 1; > } >+ >+ if ((buf =3D malloc(strlen(s) * 2 + 1)) =3D=3D 0) >+ outofmem(__FILE__, "HTrjis"); >+ > for (p =3D buf; *s; ) { > if (!kanji && s[0] =3D=3D '$' && (s[1] =3D=3D '@' || s[1] =3D=3D 'B')) { > if (HTmaybekanji((int)s[2], (int)s[3])) { > kanji =3D 1; >- *p++ =3D ESC; >+ *p++ =3D CH_ESC; > *p++ =3D *s++; > *p++ =3D *s++; > *p++ =3D *s++; >@@ -2246,7 +2259,7 @@ > } > if (kanji && s[0] =3D=3D '(' && (s[1] =3D=3D 'J' || s[1] =3D=3D 'B')) { > kanji =3D 0; >- *p++ =3D ESC; >+ *p++ =3D CH_ESC; > *p++ =3D *s++; > *p++ =3D *s++; > continue; >@@ -2255,7 +2268,8 @@ > } > *p =3D *s; /* terminate string */ >=20 >- strcpy(t, buf); >+ StrAllocCopy(*t, buf); >+ FREE(buf); > return 0; > } >=20 >--- lynx2-8-5/WWW/Library/Implementation/HTMIME.h.orig 2003-01-22 02:43:13.= >000000000 -0700 >+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.h 2005-10-10 13:23:32.00000= >0000 -0700 >@@ -67,20 +67,12 @@ > For handling Japanese headers. >=20 > */ >-extern void HTmmdec_base64 PARAMS(( >- char * t, >- char * s)); >- >-extern void HTmmdec_quote PARAMS(( >- char * t, >- char * s)); >- > extern void HTmmdecode PARAMS(( >- char * trg, >+ char ** trg, > char * str)); >=20 > extern int HTrjis PARAMS(( >- char * t, >+ char ** t, > char * s)); >=20 > extern int HTmaybekanji PARAMS(( >--- lynx2-8-5/WWW/Library/Implementation/HTNews.c.orig 2004-01-07 19:03:09.= >000000000 -0700 >+++ lynx2-8-5/WWW/Library/Implementation/HTNews.c 2005-10-10 13:24:48.00000= >0000 -0700 
>@@ -940,7 +940,6 @@ > } > } >=20 >-#ifdef SH_EX /* for MIME */ > #ifdef NEWS_DEBUG > /* for DEBUG 1997/11/07 (Fri) 17:20:16 */ > void debug_print(unsigned char *p) >@@ -962,45 +961,15 @@ > } > #endif >=20 >-static char *decode_mime(char *str) >+static char *decode_mime(char **str) > { >- char temp[LINE_LENGTH]; /* FIXME: what determines the actual size? */ >- char *p, *q; >- >- if (str =3D=3D NULL) >- return ""; >- >+#ifdef SH_EX > if (HTCJK !=3D JAPANESE) >- return str; >- >- LYstrncpy(temp, str, sizeof(temp) - 1); >- q =3D temp; >- while ((p =3D strchr(q, '=3D')) !=3D 0) { >- if (p[1] =3D=3D '?') { >- HTmmdecode(p, p); >- q =3D p + 2; >- } else { >- q =3D p + 1; >- } >- } >-#ifdef NEWS_DEBUG >- printf("new=3D["); >- debug_print(temp); >+ return *str; > #endif >- HTrjis(temp, temp); >- strcpy(str, temp); >- >- return str; >+ HTmmdecode(str, *str); >+ return HTrjis(str, *str) ? *str : ""; > } >-#else /* !SH_EX */ >-static char *decode_mime ARGS1(char *, str) >-{ >- HTmmdecode(str, str); >- HTrjis(str, str); >- return str; >-} >-#endif >- >=20 > /* Read in an Article read_article > ** ------------------ 
>@@ -1087,22 +1056,22 @@ >=20 > } else if (match(full_line, "SUBJECT:")) { > StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1)); >- decode_mime(subject); >+ decode_mime(&subject); > } else if (match(full_line, "DATE:")) { > StrAllocCopy(date, HTStrip(strchr(full_line,':')+1)); >=20 > } else if (match(full_line, "ORGANIZATION:")) { > StrAllocCopy(organization, > HTStrip(strchr(full_line,':')+1)); >- decode_mime(organization); >+ decode_mime(&organization); >=20 > } else if (match(full_line, "FROM:")) { > StrAllocCopy(from, HTStrip(strchr(full_line,':')+1)); >- decode_mime(from); >+ decode_mime(&from); >=20 > } else if (match(full_line, "REPLY-TO:")) { > StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1)); >- decode_mime(replyto); >+ decode_mime(&replyto); >=20 > } else if (match(full_line, "NEWSGROUPS:")) { > StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1)); >@@ -1711,8 +1680,8 @@ > int, last_required) > { > char line[LINE_LENGTH+1]; >- char author[LINE_LENGTH+1]; >- char subject[LINE_LENGTH+1]; >+ char *author =3D NULL; >+ char *subject =3D NULL; > char *date =3D NULL; > int i; > char *p; >@@ -1725,7 +1694,6 @@ > int status, count, first, last; /* Response fields */ > /* count is only an upper limit */ >=20 >- author[0] =3D '\0'; > START(HTML_HEAD); > PUTC('\n'); > START(HTML_TITLE); >@@ -1946,8 +1914,8 @@ > case 'S': > case 's': > if (match(line, "SUBJECT:")) { >- LYstrncpy(subject, line+9, sizeof(subject)-1);/* Save subject */ >- decode_mime(subject); >+ StrAllocCopy(subject, line + 9); >+ decode_mime(&subject); > } > break; >=20 >@@ -1964,10 +1932,8 @@ > case 'F': > if (match(line, "FROM:")) { > char * p2; >- LYstrncpy(author, >- author_name(strchr(line,':')+1), >- sizeof(author)-1); >- decode_mime(author); >+ StrAllocCopy(author, strchr(line, ':') + 1); >+ decode_mime(&author); > p2 =3D author + strlen(author) - 1; > if (*p2=3D=3DLF) > *p2 =3D '\0'; /* Chop off newline */ 
>@@ -1988,11 +1954,8 @@ >=20 > PUTC('\n'); > START(HTML_LI); >-#ifdef SH_EX /* for MIME */ >- HTSprintf0(&temp, "\"%s\"", decode_mime(subject)); >-#else >- HTSprintf0(&temp, "\"%s\"", subject); >-#endif >+ p =3D decode_mime(&subject); >+ HTSprintf0(&temp, "\"%s\"", NonNull(p)); > if (reference) { > write_anchor(temp, reference); > FREE(reference); >@@ -2001,18 +1964,14 @@ > } > FREE(temp); >=20 >- if (author[0] !=3D '\0') { >+ if (author !=3D NULL) { > PUTS(" - "); > if (LYListNewsDates) > START(HTML_I); >-#ifdef SH_EX /* for MIME */ >- PUTS(decode_mime(author)); >-#else >- PUTS(author); >-#endif >+ PUTS(decode_mime(&author)); > if (LYListNewsDates) > END(HTML_I); >- author[0] =3D '\0'; >+ FREE(author); > } > if (date) { > if (!diagnostic) { >@@ -2055,6 +2014,8 @@ > MAYBE_END(HTML_LI); > } /* Handle response to HEAD request */ > } /* Loop over article */ >+ FREE(author); >+ FREE(subject); > } /* If read headers */ > PUTC('\n'); > if (LYListNewsNumbers) > >--=20 >Tom > >--wac7ysb48OaltWcw >Content-Type: application/pgp-signature; name="signature.asc" >Content-Description: Digital signature >Content-Disposition: inline > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.1 (GNU/Linux) > >iD8DBQFDStEPdZngf2G4WwMRArAhAKCCP9CMLuVqKus50+dLY/r8pB2RgwCfYR86 >9bA1+7AjQlhLArfIevYNpO0= >=51ag >-----END PGP SIGNATURE----- > >--wac7ysb48OaltWcw-- >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
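Review bot: The new allocation in HTmmdec_base64 (HTMIME.c, @@ -2062,27 +2062,23 @@), malloc(strlen(s) * 3 + 1), has no comment explaining the factor of 3, while the same hunk deletes the only statement of the size assumption ("these decode to no longer than the input strings"). Please put a one-line comment on the bound next to each malloc in HTmmdec_base64 and HTmmdec_quote. Since buf is now heap memory, any early return inside the decode loops (their bodies are not shown in these hunks) also needs a FREE(buf) before it.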
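Review bot: At the end of HTmmdecode (HTMIME.c, @@ -2211,7 +2216,10 @@) the result is stored with StrAllocCopy(*t, buf), but t is the local scratch pointer from "char *s, *t, *u;" and the output parameter is declared "char **, trg". As written, *t is a char, and the decoded string never reaches the caller through trg. This should read StrAllocCopy(*trg, buf). The slip is easy to make because HTrjis does name its output parameter t.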
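Review bot: HTrjis (HTMIME.c, @@ -2219,22 +2227,27 @@) returns 1 on the pass-through path (the early "return 1;" after the strchr test) and 0 after it has rebuilt the string into *t, yet decode_mime in HTNews.c ends with return HTrjis(str, *str) ? *str : "". A header that actually went through the escape restoration would therefore be displayed as an empty string. Please state at the prototype in HTMIME.h what each return value means, and if 0 is the converted case, have decode_mime return *str for both outcomes.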
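Review bot: The rewritten decode_mime (HTNews.c, @@ -962,45 +961,15 @@) drops the old "if (str == NULL) return "";" guard and hands *str straight to HTmmdecode, which begins with malloc(strlen(str) + 1). In the listing code subject is now initialised to NULL, and "p = decode_mime(&subject);" is not guarded the way author is by "if (author != NULL)", so an article without a SUBJECT: line passes NULL to strlen. NonNull(p) in the following HTSprintf0 is applied too late to help. Add a check for *str == NULL at the top of decode_mime, outside the SH_EX block.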
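Review bot: In the FROM: branch (HTNews.c, @@ -1964,10 +1932,8 @@) the replacement StrAllocCopy(author, strchr(line, ':') + 1) no longer goes through author_name(), which the removed LYstrncpy call applied, so the listing will show the raw header value instead of the extracted name. If that change is not intended, keep the call inside the copy: StrAllocCopy(author, author_name(strchr(line, ':') + 1)). The unchanged line "p2 = author + strlen(author) - 1;" now points one byte before a heap block when the decoded value is empty, so a length check before the LF test is worth adding in the same change.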