Bug#507587: CVE-2008-5282: multiple buffer overflows
Hi,
CCed upstream. I am not sure if it is enough to just fix this CVE id.
Browsing a bit in the code reveals quite a lot of additional buffer
overflows. From HTMLactions.c (starting at line 1264):

    void CheckUniqueName (Element el, Document doc, Attribute attr,
                          AttributeType attrType)
    {
    #define MaxMsgLength 200
      ElementType    elType;
      int            lineNum, length;
      char          *name;
      char           msgBuffer[MaxMsgLength];

      elType = TtaGetElementType (el);
      if (attr)
        {
          name = (char*)GetXMLAttributeName (attrType, elType, doc);
          if (!strcmp (name, "id"))
            {
              if (!TtaIsValidID (attr, FALSE))
                {
                  length = TtaGetTextAttributeLength (attr) + 1;
                  name = (char *)TtaGetMemory (length);
                  TtaGiveTextAttributeValue (attr, name, length);
                  sprintf (msgBuffer, "Invalid ID value \"%s\"", name);

This can result in a stack-based buffer overflow if
!TtaIsValidID (attr, FALSE) is true. This function is called if an
attribute value is duplicated to generate an error message.
TtaGetTextAttributeLength() returns the length of the attribute; the
return value here has no upper limit. TtaGiveTextAttributeValue() then
copies the attribute value into the allocated name buffer and msgBuffer
will be overflowed (this also sets the length again to the read bytes).
Note that MaxMsgLength is defined as 200 and that a check for !name
would also not hurt.

Same problem for the else case (starting at line 1292):

              else
                {
                  // this function is optional because it increases the loading time
                  if (Check_read_ids && MakeUniqueName (el, doc, FALSE, FALSE))
                    {
                      length = TtaGetTextAttributeLength (attr) + 1;
                      name = (char *)TtaGetMemory (length);
                      TtaGiveTextAttributeValue (attr, name, length);
                      sprintf (msgBuffer, "Duplicate ID value \"%s\"", name);

Similar things are done at other places. Looking at the overall code
quality I suggest we remove amaya from lenny unless someone is willing
to do a complete audit.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
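The bounded form of the message building that the report asks for (snprintf into the fixed msgBuffer plus the !name check), as an added example; this is not Amaya's code nor code from any poster, build_id_message and check_unique_name_demo are hypothetical stand-ins for the CheckUniqueName path, and the 1000-byte id value is constructed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MaxMsgLength 200  /* same fixed size as msgBuffer in CheckUniqueName */

/* Hypothetical bounded replacement for the sprintf call in the report.
   Writes "<label> \"<value>\"" into out, never beyond outlen bytes, and
   returns 0 if it fit, 1 if truncated, -1 if an argument is missing. */
int build_id_message(const char *label, const char *value,
                     char *out, size_t outlen)
{
    int n;
    if (out == NULL || outlen == 0)
        return -1;
    /* the "!name" check from the report: a failed TtaGetMemory or a
       missing value must never reach the format call */
    if (label == NULL || value == NULL) {
        out[0] = '\0';
        return -1;
    }
    n = snprintf(out, outlen, "%s \"%s\"", label, value);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outlen;  /* snprintf always NUL-terminates */
}

/* Replays the reported path with a constructed id value of value_len 'A's:
   allocate length = attribute length + 1 as the original does, copy the
   value in, then format it into a caller-supplied msgBuffer. */
int check_unique_name_demo(size_t value_len, char *msg_out, size_t msg_len)
{
    char *name = malloc(value_len + 1);
    int rc;
    if (name == NULL)
        return -1;
    memset(name, 'A', value_len);
    name[value_len] = '\0';
    rc = build_id_message("Invalid ID value", name, msg_out, msg_len);
    free(name);
    return rc;
}
int main(void)
{
    char msgBuffer[MaxMsgLength];
    int rc = check_unique_name_demo(1000, msgBuffer, sizeof msgBuffer);
    printf("truncated=%d length=%zu\n", rc, strlen(msgBuffer));  /* 1, 199 */
    return 0;
}
```

The unbounded sprintf in the original would write all 1000 bytes past the 200-byte stack buffer; here the call returns 1 to flag the truncation so the caller can log or reject the oversized id instead.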
Bug#507587: CVE-2008-5282: multiple buffer overflows
On Tuesday, 23 December 2008 at 16:29 +0100, Nico Golde wrote:
> Hi,
> CCed upstream. I am not sure if it is enough to just fix this CVE id.
> Browsing a bit in the code reveals quite a lot of additional buffer
> overflows.

The new release 11.0.1 published today fixes several buffer overflows.
Your new reported overflow should be fixed in that release.
Nevertheless we plan to make a new corrective release end of January.

Regards
-- 
Irene Vatton irene.vat...@inria.fr
INRIA

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#507587: CVE-2008-5282: multiple buffer overflows
Hi,
* Irene Vatton <irene.vat...@inria.fr> [2008-12-23 17:46]:
> On Tuesday, 23 December 2008 at 16:29 +0100, Nico Golde wrote:
> > CCed upstream. I am not sure if it is enough to just fix this CVE id.
> > Browsing a bit in the code reveals quite a lot of additional buffer
> > overflows.
> The new release 11.0.1 published today fixes several buffer overflows.
> Your new reported overflow should be fixed in that release.

How did you fix this? The function of the issue I reported still has
the same code. Did you fix this without using snprintf??

> Nevertheless we plan to make a new corrective release end of January.

Steve, can you assign a CVE id to the issue I reported so we can track
this issue as well? Reference should be:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507587#15

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#507587: CVE-2008-5282: multiple buffer overflows
Hi Nico,

Many thanks for the additional digging into the code. I'm currently on
holiday, but will try to find some time to work on bits. Will try to at
least make an upload of 11.0.1 tomorrow.

On Tue, 2008-12-23 at 16:29 +0100, Nico Golde wrote:
> Hi,
> CCed upstream.
[...]
> Similar things are done at other places. Looking at the overall code
> quality I suggest we remove amaya from lenny unless someone is willing
> to do a complete audit.

Amaya isn't in Lenny, mainly because of a bug which was only fixed with
the switch to wx2.8, but the release came in too late.

Thanks again,
Regis
Bug#507587: CVE-2008-5282: multiple buffer overflows
Hi Steffen,

Thanks for the report. I had a quick look at the advisory; apparently
both attacks have the same origin, TtaWCToMBstring(). Will have a look
at fixing it, CC'ing upstream, since I haven't seen anything about the
advisory over there.

Regis

On Tue, December 2, 2008 19:20, Steffen Joeris wrote:
> Package: amaya
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for amaya.
>
> CVE-2008-5282[0]:
> | Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
> | allow remote attackers to execute arbitrary code via (1) a link with a
> | long HREF attribute, and (2) a DIV tag with a long id attribute.
>
> If you fix the vulnerability please also make sure to include the CVE id
> in your changelog entry.
>
> Cheers
> Steffen
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5282
>     http://security-tracker.debian.net/tracker/CVE-2008-5282
Bug#507587: CVE-2008-5282: multiple buffer overflows
Package: amaya
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for amaya.

CVE-2008-5282[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
| allow remote attackers to execute arbitrary code via (1) a link with a
| long HREF attribute, and (2) a DIV tag with a long id attribute.

If you fix the vulnerability please also make sure to include the CVE id
in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5282
    http://security-tracker.debian.net/tracker/CVE-2008-5282