lynx-dev
[Lynx-dev] CAN-2005-3120


From: Atsuhito Kohda
Subject: [Lynx-dev] CAN-2005-3120
Date: Thu, 01 Jun 2006 21:53:53 +0900 (JST)

Hi all,

I got an email from the Debian security team today:

  it seems that CAN-2005-3120 is not fixed in the current version
  of lynx-cur in testing/unstable.  I'm attaching the patch from
  Ulf.

    Ulf Härnhammar discovered a buffer overflow that can be remotely
    exploited. During the handling of Asian characters when connecting
    to an NNTP server lynx can be tricked to write past the boundary
    of a buffer which can lead to the execution of arbitrary code.

with a patch

--- WWW/Library/Implementation/HTMIME.c.old     2004-01-08 03:03:09.000000000 
+0100
+++ WWW/Library/Implementation/HTMIME.c 2005-09-25 17:25:02.499592560 +0200
@@ -2230,7 +2230,7 @@ PUBLIC int HTrjis ARGS2(
            strcpy(t, s);
        return 1;
     }
-    for (p = buf; *s; ) {
+    for (p = buf; *s && p < buf + LINE_LENGTH - 8; ) {
        if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
            if (HTmaybekanji((int)s[2], (int)s[3])) {
                kanji = 1;
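Review bot: the loop-head bound `p < buf + LINE_LENGTH - 8` only protects `buf` if `buf` really is LINE_LENGTH bytes and no single iteration of the loop writes more than 8 bytes, and the message notes that LINE_LENGTH is not defined in HTMIME.c of 2.8.6dev.17, so the hunk cannot be applied there as-is. Derive the bound from the declared size of the array (`sizeof(buf)`) and from the longest sequence the kanji branch emits per iteration, and record in a comment why that slack is sufficient. Separately, the lookahead `HTmaybekanji((int)s[2], (int)s[3])` evaluates `s[3]` even when `s[2]` is the terminating NUL, a one-byte over-read of the input; guarding with `s[2] && s[3]` before the call avoids it.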
@@ -2253,7 +2253,7 @@ PUBLIC int HTrjis ARGS2(
        }
        *p++ = *s++;
     }
-    *p = *s;   /* terminate string */
+    *p = '\0'; /* terminate string */
 
     strcpy(t, buf);
     return 0;
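Review bot: `*p = '\0'` is the correct terminator now that the loop can stop before `*s` reaches NUL (the old `*p = *s` would copy a non-NUL byte and leave `buf` unterminated for the `strcpy(t, buf)` that follows), but truncation remains silent: the function returns 0 whether or not input was dropped, and `strcpy(t, buf)` still assumes `t` is at least as large as `buf`. Consider reporting truncation through the return value or a log message, and passing the size of `t` (or using a length-bounded copy) so the final copy cannot overflow either.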

This does not apply cleanly (one needs to modify it manually)
and is a bit insufficient because LINE_LENGTH is not defined
in HTMIME.c of 2.8.6dev.17.

I'd like to know the real fix for the problem.

Regards,                      2006-6-1(Thu)

-- 
 Debian Developer & Debian JP Developer - much more I18N of Debian
 Atsuhito Kohda <kohda AT debian.org>
 Department of Math., Univ. of Tokushima
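The two hunks above change a copy loop in two places: the loop head gets a bound, and the terminator becomes an explicit NUL. The following C program is an added example written for this page, not code from lynx or from the patch, and it reproduces the interaction between those two changes on a small 16-byte buffer (`DEMO_BUF` is an invented stand-in for LINE_LENGTH, and the `'$'` to ESC-`$`-`B` expansion in `copy_with_escapes` is an invented rule that only models the fact that one input byte can produce a multi-byte output sequence, as the kanji branch does). It shows why a bounded loop that still terminates with `*p = *s` leaves the buffer unterminated on truncation, why the bound must be derived from the array's own size rather than an external macro, and why the slack reserved at the loop head must cover the largest per-iteration write plus the terminator.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Invented stand-in for lynx's LINE_LENGTH: the size of the destination array. */
#define DEMO_BUF 16

/* Bounded copy combined with the pre-patch terminator "*p = *s".
 * The bound is derived from the caller-supplied array size, not a macro.
 * Returns 1 if dst[] contains a NUL afterwards, 0 if the early exit left
 * it unterminated (the state the second hunk of the patch fixes). */
int copy_old_terminator(char *dst, size_t dstsz, const char *s)
{
    char *p = dst;
    memset(dst, 'X', dstsz);               /* poison so a missing NUL is visible */
    while (*s && p < dst + dstsz - 1)      /* leave room for exactly one more byte */
        *p++ = *s++;
    *p = *s;                               /* copies NUL only if the loop consumed all of s */
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Same bound, explicit terminator as in the patched code.
 * Returns the number of input bytes that were dropped, so the caller
 * can detect truncation instead of it happening silently. */
size_t copy_new_terminator(char *dst, size_t dstsz, const char *s)
{
    char *p = dst;
    while (*s && p < dst + dstsz - 1)
        *p++ = *s++;
    *p = '\0';
    return strlen(s);                      /* unconsumed input == truncated bytes */
}

/* Copy where one input byte may expand to up to MAX_EMIT output bytes
 * (invented rule: '$' becomes ESC '$' 'B').  The loop-head check reserves
 * MAX_EMIT bytes plus one for the NUL, which is what a "- 8" style slack
 * has to guarantee for the real escape sequences.  Returns bytes written. */
#define MAX_EMIT 3
size_t copy_with_escapes(char *dst, size_t dstsz, const char *s)
{
    char *p = dst;
    while (*s && p + MAX_EMIT < dst + dstsz) {   /* room for MAX_EMIT bytes and NUL */
        if (*s == '$') {
            *p++ = 0x1b; *p++ = '$'; *p++ = 'B';
            s++;
        } else {
            *p++ = *s++;
        }
    }
    *p = '\0';
    return (size_t)(p - dst);
}

int main(void)
{
    char buf[DEMO_BUF];
    const char *longinput = "aaaaaaaaaaaaaaaaaaaa";   /* 20 bytes, constructed input */

    printf("old terminator, short input terminated: %d\n",
           copy_old_terminator(buf, sizeof buf, "abc"));
    printf("old terminator, long input terminated:  %d\n",
           copy_old_terminator(buf, sizeof buf, longinput));
    printf("new terminator, bytes truncated:        %zu\n",
           copy_new_terminator(buf, sizeof buf, longinput));
    printf("escape-aware copy, bytes written:       %zu\n",
           copy_with_escapes(buf, sizeof buf, "$$$$$$$"));
    return 0;
}
```

With the 20-byte input the old-style terminator leaves no NUL anywhere in the 16-byte array, so the `strcpy(t, buf)` that follows in the real function would read past it; the patched terminator yields a 15-character string and reports 5 dropped bytes. The escape-aware variant stops when 3 more bytes plus the terminator would not fit, writing at most 15 bytes and the NUL into the 16-byte array.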
