Re: Buffer overflow in the StringQuotedWord() function

[William Bader]

The attached patch should fix both of the CVEs.

The one in StringQuotedWord was more complicated because it was due to a string longer than MAX_BUFF, and when I fixed the access there, other places had errors.

The one in srcnext needed only an extra test in a loop.

I tested the manual in doc/user before and after, and the only differences seemed to be places that embedded the current time.

Regards, William

---

From: Reinoud Zandijk <reinoud@13thmonkey.org>
Sent: Thursday, October 22, 2020 4:54 AM
To: William Bader <williambader@hotmail.com>
Cc: Jeffrey Kingston <jeffrey.kingston@sydney.edu.au>; Matěj Cepl <mcepl@cepl.eu>; lout-users@nongnu.org <lout-users@nongnu.org>
Subject: Re: Buffer overflow in the StringQuotedWord() function

 

On Wed, Oct 21, 2020 at 03:37:15AM +0000, William Bader wrote:
> I have active projects that use lout, and my diff file of small fixes and
> enhancement to lout-3.40 is now over 1300 lines.  Would it be possible to
> find a home for the 3.40 source on github or
> https://www.freedesktop.org/wiki/ so that patches can at least be posted as
> issues even if there is never another release?  Someone posted 3.39 as
> https://github.com/thektulu/lout Someone posted some data fixes as
> https://github.com/EPadronU/lout github has some other projects called lout,
> but I think that they are for Logging OUTput of web apps.  Has anyone looked
> at the memory issues?  StringQuotedWord lout-3.40/z39.c:254:66 looks easy to
> fix by checking that q < &buf[MAX_BUF-2] in the loop.  srcnext
> lout-3.40/z02.c:381:26 is more complicated. Does it have to check that limit
> > mem_block?  Regards, William

A shared repository would be handy indeed. If don't know if github is a good
idea since it can frament a lot but it needs a maintainer/shared git account
so it doesn't get lost.

Its sad to see linux distro's already dumping it.

With regards,
Reinoud

lout-3.40-cve.pat
Description: lout-3.40-cve.pat