package: bidiv
version: 1.4-4
tags: security patch pending
Hi,
Attached is a small patch regarding an allocation bug, which might produce
a security problem.
"... you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes."
Steps already done:
1. Contact upstream to see if they have any comments about the patch or
if they'd like to add changes.
2. Prepare the package for upload to unstable (
http://svn.debian.org/wsvn/debian-hebrew/pkg/bidiv/trunk/ )
3. CCing the security team to coordinate upload to stable.
Lior Kaplan,
Debian Hebrew project
-------- Original Message --------
Subject: Fwd: Small fix for bidiv, might have security implications
Date: Sat, 7 Jan 2006 11:50:14 +0200
From: Shachar Raindel <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>
I am forwarding this e-mail to you as well, since it seems that you might
also be involved in this package's maintenance.
---------- Forwarded message ----------
From: Shachar Raindel <[EMAIL PROTECTED]>
Date: Jan 7, 2006 11:45 AM
Subject: Small fix for bidiv, might have security implications
To: Nadav Har'El <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Hi,
After having bidiv crash on me when using it to filter a
directory listing, I took the time to run it through valgrind. I found
out that when allocating the Unicode storage strings (unicode_in and
unicode_out), you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes. I haven't tried to exploit this, but it might (though very
unlikely) be possible to exploit this bug. I attach a patch against
the 1.4 version of bidiv which fixes this problem (and also frees the
memory it allocates when it is done using it).
Thanks for the great tool anyway.
Regards,
Shachar
--
Lior Kaplan
[EMAIL PROTECTED]
http://www.Guides.co.il
Debian GNU/Linux unstable (SID)
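As an added illustration of the sizing rule described in the message above (this is example code written for this page, not bidiv's or fribidi's source): a buffer that must hold a line of `width` code points plus its terminator needs `width + 1` elements, and the pre-patch size of `width` elements puts the terminator one element past the end of the allocation. `codepoint_t`, `line_buf_elems`, `alloc_line_buf` and `widen_line` are hypothetical names, and the byte-to-code-point copy stands in for the real UTF-8 conversion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for FriBidiChar (assumption: a 32-bit code point, as in fribidi). */
typedef uint32_t codepoint_t;

/* Number of elements a buffer needs to hold `width` code points plus the
 * terminator. Returns 0 if width + 1 would overflow size_t. */
size_t line_buf_elems(size_t width)
{
    if (width == SIZE_MAX)
        return 0;
    return width + 1;
}

/* Allocate a zeroed code-point buffer of line_buf_elems(width) elements.
 * Returns NULL on overflow or allocation failure, which the caller must
 * check (the bidiv code in the patch does not check its malloc() results). */
codepoint_t *alloc_line_buf(size_t width)
{
    size_t n = line_buf_elems(width);
    if (n == 0 || n > SIZE_MAX / sizeof(codepoint_t))
        return NULL;
    return (codepoint_t *)calloc(n, sizeof(codepoint_t));
}

/* Widen up to `width` bytes of `line` into `out` (the byte value is used
 * as the code point; a stand-in for the real UTF-8 decode) and terminate.
 * Returns the number of code points stored, or -1 if `out_elems` cannot
 * hold them plus the terminator. A buffer of exactly `width` elements,
 * the pre-patch size, is refused for a full-width line instead of
 * writing the terminator one element past the end of the allocation. */
int widen_line(const char *line, size_t width, codepoint_t *out, size_t out_elems)
{
    size_t len = 0;
    while (len < width && line[len] != '\0')
        len++;
    if (out_elems < len + 1)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (codepoint_t)(unsigned char)line[i];
    out[len] = 0;
    return (int)len;
}

/* Constructed check: a line of exactly `width` characters against the
 * pre-patch size (width elements) and the patched size (width + 1).
 * Returns 1 when the short buffer is rejected and the patched one works. */
int demo(void)
{
    const char *line = "abcdefgh";             /* constructed sample, 8 chars */
    const size_t width = 8;
    codepoint_t pre_patch[8];                  /* sizeof(FriBidiChar)*width */
    codepoint_t *patched = alloc_line_buf(width);
    int rc_pre = widen_line(line, width, pre_patch, width);
    int rc_patched = patched ? widen_line(line, width, patched, line_buf_elems(width)) : -2;
    int ok = (rc_pre == -1 && rc_patched == 8 && patched[8] == 0);
    free(patched);
    return ok;
}

int main(void)
{
    printf("width-element buffer rejected, width+1 buffer ok: %s\n",
           demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The length check in widen_line is the part the original code lacked: the allocation size and the write size were computed independently, so nothing caught the terminator falling outside the buffer. Tying both to line_buf_elems keeps them in step.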
--- bidiv-1.4/bidiv-orig.c 2006-01-07 11:15:38.000000000 +0200
+++ bidiv-1.4/bidiv.c 2006-01-07 11:30:56.000000000 +0200
@@ -67,8 +67,8 @@
in=(char *)malloc(width+1);
out=(char *)malloc(width*7+1); /* 7 is the maximum number of
bytes in one UTF8 char? */
- unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
- unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
+ unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
+ unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
c=0;
while(c!=EOF){
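Review bot: none of the four malloc() calls, including the two resized in this hunk, checks for a NULL return, so a failed allocation is dereferenced in the while(c!=EOF) loop that follows; add a check such as `if(!in||!out||!unicode_in||!unicode_out){ perror("malloc"); exit(1); }` before `c=0;`. The trailing "?" in the comment on the `out` allocation ("7 is the maximum number of bytes in one UTF8 char?") also leaves the reason for that multiplier undocumented; the comment should state why 7 is a safe bound rather than ask.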
@@ -212,6 +212,11 @@
putchar(' ');
puts(out);
}
+ // Free the memory we have allocated
+ free(in);
+ free(out);
+ free(unicode_in);
+ free(unicode_out);
}
int
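Review bot: the `// Free the memory we have allocated` line comment added in this hunk breaks from the `/* ... */` comment style the file uses (see the `out` allocation in the first hunk) and is not valid C89; use `/* Free the memory we have allocated */`. The four free() calls also sit only on the fall-through path after the final `puts(out)`; any other exit from this function (none is visible in the hunk) would still leak, so a single cleanup point that every path reaches would be safer.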