On Sun, Jan 07, 2007 at 08:06:58PM +0100, Laszlo Boszormenyi wrote: > Hi Joe, > > As maintainer of the Debian packages, I got a bugreport[1] that > uri_lookup(x) macro (src/ne_uri.c:ne_uri_parse():179) can't handle > non-ascii characters. It contains a test case which crashes OO.org . > Proposed fix is attached. Is it acceptable or do you have an other fix?
Hi Laszlo, thanks a lot for the report and patch (which looks exactly right). Since this bug could be triggered by a remote malicious server in e.g. the PROPFIND/207 response parsing, it should be treated as a security issue. The CVE name CVE-2007-0157 has been assigned to this issue for tracking purposes. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0157 "Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index." I'll get fixed tarballs out ASAP. Regards, joe _______________________________________________ neon mailing list [email protected] http://mailman.webdav.org/mailman/listinfo/neon
