Bug 136629 - VUL-0: libwww: several buffer overflows in HTBoundary_put_block()
Summary: VUL-0: libwww: several buffer overflows in HTBoundary_put_block()
Status: RESOLVED INVALID
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Other
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Daniel Egger
QA Contact: E-mail List
URL:
Whiteboard: CVE-2005-3183: CVSS v2 Base Score: 4....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-02 07:46 UTC by Thomas Biege
Modified: 2009-10-13 20:41 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Biege 2005-12-02 07:46:58 UTC
[USN-220-1] w3c-libwww vulnerability
From: Martin Pitt <martin.pitt@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Yesterday 13:37:30

Spam status: SpamAssassin rates this as spam with 0% probability.

Detailed report:
No, hits=-3.3 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_06_12 autolearn=no version=2.64
The message was signed with the unknown key 0x0DE7276D5E0577F2.
The validity of the signature could not be verified.
Status: No public key available to verify the signature
===========================================================
Ubuntu Security Notice USN-220-1          December 01, 2005
w3c-libwww vulnerability
CVE-2005-3183
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libwww0

The problem can be corrected by upgrading the affected package to
version 5.4.0-9ubuntu0.4.10 (for Ubuntu 4.10), 5.4.0-9ubuntu0.5.04
(for Ubuntu 5.04), or 5.4.0-9ubuntu0.5.10 (for Ubuntu 5.10).  In
general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Sam Varshavchik discovered several buffer overflows in the
HTBoundary_put_block() function. By sending specially crafted HTTP
multipart/byteranges MIME messages, a malicious HTTP server could
trigger an out of bounds memory access in the libwww library, which
causes the program that uses the library to crash.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.4.10.diff.gz
      Size/MD5:   510355 15f9592db51864e0e060fe1f3a6f63f6
    http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0-9ubuntu0.4.10.dsc
      Size/MD5:      714 637bf331ecefe995ae2ef4b280e2bc2b
    http://security.ubuntu.com/ubuntu/pool/main/w/w3c-libwww/w3c-libwww_5.4.0.orig.tar.gz
      Size/MD5:  1127018 a6073cda765b7f9fa0970eb92757f6bb
Comment 1 Marcus Meissner 2005-12-02 10:54:12 UTC
Funny... Daniel Egger left the company years ago, how is it possible
to assign bugs to him ... ;)

w3c-libwww is in no maintained product anymore.
Comment 2 Thomas Biege 2009-10-13 20:41:23 UTC
CVE-2005-3183: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)