Attached.  Have replied saying that many of the recently found holes
have either been fixed in recent versions, or are not our bug.  (malloc
etc not returning error when insufficient memory is available.)

B.
--- Begin Message ---
Hello,

During an audit of the NetSurf web browser using bf2 (Browser Fuzzer 2),
there were many potential security problems and denial of service
vulnerabilities uncovered. Attached you will find a text document along with
details and an archive of the HTML files that triggered the vulnerabilities
(Proof of Concepts). We urge you to investigate and issue fixes and/or
updated versions to remedy these vulnerabilities as quickly as possible. We
will be making these issues public if fixes and/or updated versions are
released within a reasonable time period, usually 2 weeks. Please try to
work with us on this window.

You can find out more information about bf2 @ http://www.krakowlabs.com

If you have any questions, feel free to ask.

-KL
html126.html (possibly memory corruption)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 4212)]
0x08060e45 in urldb_match_path (parent=0x9cee2c8,
    path=0x41b2e307 
"/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A"...,
    scheme=0x4192d008 "http", port=0) at content/urldb.c:1829
1829            slash = strchr(path + 1, '/');
(gdb) i r
eax            0x41b2e308       1102242568
ecx            0x9cee335        164553525
edx            0x1      1
ebx            0x9cee2c8        164553416
esp            0xbfe00ff0       0xbfe00ff0
ebp            0xbfe01018       0xbfe01018
esi            0x1      1
edi            0x41b2e307       1102242567
eip            0x8060e45        0x8060e45
eflags         0x10202  66050
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb)



html2803.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 2591893 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.


html5877.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 3028743 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html12952.html (possibly memory corruption)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 21614)]
0x08060e50 in urldb_match_path (parent=0x10365ad0,
    path=0x41ab330d 
"/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A"...,
    scheme=0x419a8008 "http", port=0) at content/urldb.c:1829
1829            slash = strchr(path + 1, '/');
(gdb) i r
eax            0x41ab330e       1101738766
ecx            0x10365b3d       271997757
edx            0x1      1
ebx            0x10365ad0       271997648
esp            0xbfe01000       0xbfe01000
ebp            0xbfe01028       0xbfe01028
esi            0x1      1
edi            0x41ab330d       1101738765
eip            0x8060e50        0x8060e50
eflags         0x210202 2163202
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb)


html16477.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 12177 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html17749.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 1234158 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html31059.html (possibly memory corruption)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 13119734 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html31184.html (possibly memory corruption)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 11029)]
0x40922ddd in strncmp () from /lib/libc.so.6
(gdb) i r
eax            0x0      0
ecx            0x2f2f   12079
edx            0x2f2f2f2f       791621423
ebx            0x8c468c0        147089600
esp            0xbfe00ffc       0xbfe00ffc
ebp            0xbfe01008       0xbfe01008
esi            0x1      1
edi            0x41b8f2f9       1102639865
eip            0x40922ddd       0x40922ddd
eflags         0x10296  66198
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb)



html31634.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 409939 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html39585.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 7103489 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html43295.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 3299625 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html59513.html (integer problems, use larger values for possible crash)

The program 'nsgtk' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 14526060 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

Program exited with code 01.



html61182.html (possibly memory corruption)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 9341)]
0x08060e45 in urldb_match_path (parent=0xb1e1ca0,
    path=0x41cb22f9 
"/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A"...,
    scheme=0x419bd008 "http", port=0) at content/urldb.c:1829
1829            slash = strchr(path + 1, '/');
(gdb) i r
eax            0x41cb22fa       1103831802
ecx            0xb1e1d0d        186522893
edx            0x1      1
ebx            0xb1e1ca0        186522784
esp            0xbfe00ff0       0xbfe00ff0
ebp            0xbfe01018       0xbfe01018
esi            0x1      1
edi            0x41cb22f9       1103831801
eip            0x8060e45        0x8060e45
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb)



html61500.html (possibly memory corruption)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 10654)]
0x08060e45 in urldb_match_path (parent=0x9727388,
    path=0x41f192f9 
"/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A/A"...,
    scheme=0x41e0e008 "http", port=0) at content/urldb.c:1829
1829            slash = strchr(path + 1, '/');
(gdb) i r
eax            0x41f192fa       1106350842
ecx            0x97273f5        158495733
edx            0x1      1
ebx            0x9727388        158495624
esp            0xbfe00ff0       0xbfe00ff0
ebp            0xbfe01018       0xbfe01018
esi            0x1      1
edi            0x41f192f9       1106350841
eip            0x8060e45        0x8060e45
eflags         0x10206  66054
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
(gdb)

Attachment: ns.tar.gz
Description: GNU Zip compressed data


--- End Message ---
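A note on reading the SIGSEGV dumps above (html126, html12952, html61182, html61500, and the strncmp one in html31184): every one of them stops in or just below urldb_match_path() on a path made of repeated "/A" segments, and in every one the saved esp sits within a few bytes of 0xbfe01000 while the heap and argument addresses all differ. That pattern is consistent with a recursive per-segment walk running out of stack on attacker-chosen depth, not with a corrupted pointer, which is why the same faulting instruction shows up for four unrelated inputs. The code below is an added example, not NetSurf's code: a hypothetical path-tree matcher that does the same strchr(path + 1, '/') step as urldb.c:1829 but iterates instead of recursing and refuses paths with more than a fixed number of segments. struct path_node, MAX_PATH_SEGMENTS and the helper functions are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical path tree standing in for urldb's parent/child nodes.
 * Not NetSurf's struct; layout assumed for this example. */
struct path_node {
    const char *segment;          /* one path component, no slashes */
    struct path_node *children;   /* first child */
    struct path_node *next;       /* next sibling */
};

/* Policy cap on segments walked; assumed value, not from NetSurf. */
#define MAX_PATH_SEGMENTS 1024

static struct path_node *find_child(const struct path_node *parent,
                                    const char *seg, size_t len)
{
    for (struct path_node *c = parent->children; c != NULL; c = c->next)
        if (strlen(c->segment) == len && memcmp(c->segment, seg, len) == 0)
            return c;
    return NULL;
}

/* Iterative matcher: one loop iteration per "/segment", so stack use is
 * the same for "/A" and for "/A/A/.../A" ten thousand segments deep.
 * Returns the deepest node matched, or NULL if the path is malformed or
 * has more than MAX_PATH_SEGMENTS segments. *depth_out gets the count. */
struct path_node *match_path(struct path_node *root, const char *path,
                             int *depth_out)
{
    if (root == NULL || path == NULL || path[0] != '/')
        return NULL;

    struct path_node *cur = root;
    const char *p = path;
    int depth = 0;

    while (*p == '/') {
        const char *seg = p + 1;
        /* Same search as urldb.c:1829, iterated rather than recursed. */
        const char *slash = strchr(seg, '/');
        size_t len = slash ? (size_t)(slash - seg) : strlen(seg);

        if (len == 0) {                 /* "//" or a trailing "/" */
            if (slash == NULL) break;
            p = slash;
            continue;
        }
        if (depth >= MAX_PATH_SEGMENTS) /* refuse attacker-chosen depth */
            return NULL;

        struct path_node *child = find_child(cur, seg, len);
        if (child == NULL) break;       /* cur is the deepest match */
        cur = child;
        depth++;
        if (slash == NULL) break;
        p = slash;
    }
    if (depth_out) *depth_out = depth;
    return cur;
}

/* Test scaffolding: root -> A -> A -> ... (chain_len nodes). */
struct path_node *build_chain(int chain_len)
{
    struct path_node *root = calloc(1, sizeof *root), *cur = root;
    if (root == NULL) return NULL;
    root->segment = "";
    for (int i = 0; i < chain_len; i++) {
        struct path_node *c = calloc(1, sizeof *c);
        if (c == NULL) return root;
        c->segment = "A";
        cur->children = c;
        cur = c;
    }
    return root;
}

static void free_chain(struct path_node *n)
{
    while (n) { struct path_node *next = n->children; free(n); n = next; }
}

/* Constructed input "/A/A/.../A" with n segments, like the fuzzer's. */
char *make_path(int n)
{
    char *s = malloc((size_t)n * 2 + 1);
    if (s == NULL) return NULL;
    for (int i = 0; i < n; i++) { s[2 * i] = '/'; s[2 * i + 1] = 'A'; }
    s[2 * n] = '\0';
    return s;
}

/* Segments matched for a chain_len-deep tree against an n-segment path,
 * or -1 if the matcher refused the input. */
int match_depth(int chain_len, int n)
{
    struct path_node *root = build_chain(chain_len);
    char *path = make_path(n);
    int depth = -1;
    if (root && path && match_path(root, path, &depth) == NULL)
        depth = -1;
    free(path);
    free_chain(root);
    return depth;
}

int main(void)
{
    printf("10 segments: %d\n", match_depth(10, 10));
    printf("100000 segments: %d\n", match_depth(100000, 100000));
    return 0;
}
```

With the cap in place a hostile URL costs one bounded loop, and the caller gets NULL to treat as "no match" rather than a SIGSEGV in strchr.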

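The entries marked "integer problems, use larger values for possible crash" end in an X BadAlloc on request_code 53 (CreatePixmap) rather than a SIGSEGV, and the reply at the top attributes that class to allocators not failing cleanly. Independent of whose bug it is, the usual defence is to compute the pixel-buffer size with overflow checks and a policy cap before anything is requested from malloc or the X server. The following is an added example, not NetSurf's code; the attribute values the PoC files actually use are not on this page, so the dimensions, the bpp values and the 256 MiB cap are assumptions chosen to show the failure modes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>
#include <limits.h>

/* Policy cap on a single bitmap; assumed value, not NetSurf's. */
#define MAX_BITMAP_BYTES ((size_t)256 * 1024 * 1024)

/* Compute width * height * bytes_per_pixel without overflow.
 * Returns true and stores the byte count in *out, or false if a
 * dimension is non-positive, the product would wrap size_t, or it
 * exceeds the policy cap. Nothing is allocated here, so an absurd
 * width/height pair is refused before malloc or the X server sees it. */
bool bitmap_bytes(long width, long height, unsigned bpp, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp == 0)
        return false;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / bpp)           /* row length would wrap */
        return false;
    size_t row = w * bpp;
    if (h > SIZE_MAX / row)           /* total would wrap */
        return false;
    size_t total = row * h;
    if (total > MAX_BITMAP_BYTES)     /* fits in size_t but still absurd */
        return false;
    *out = total;
    return true;
}

/* Allocate a zeroed pixel buffer, or NULL. Callers must check NULL. */
void *bitmap_alloc(long width, long height, unsigned bpp)
{
    size_t n;
    if (!bitmap_bytes(width, height, bpp, &n))
        return NULL;
    return calloc(1, n);
}

/* Byte count for accepted dimensions, 0 if they were refused. */
size_t checked_bitmap_bytes(long width, long height, unsigned bpp)
{
    size_t n;
    return bitmap_bytes(width, height, bpp, &n) ? n : 0;
}

/* The unchecked arithmetic a naive implementation performs in 32-bit
 * unsigned: the product wraps, so the buffer is either far too small
 * (a later heap overflow) or enormous and fails, as in BadAlloc. */
uint32_t naive_bitmap_bytes(long width, long height, unsigned bpp)
{
    return (uint32_t)width * (uint32_t)height * (uint32_t)bpp;
}
```

For a constructed 65537 x 65536 single-byte-per-pixel image the naive product wraps to 65536 bytes, a 64 KiB buffer for a 4 GiB image, while the checked version refuses it outright; the same check rejects the 8192 x 8193 x 4 case that fits in size_t but exceeds the cap.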