Bug#507587: CVE-2008-5282: multiple buffer overflows

2008-12-23 Thread Nico Golde
Hi,
CCed upstream.

I am not sure if it is enough to just fix this CVE id.
Browsing a bit in the code reveals quite a lot of additional 
buffer overflows.

From HTMLactions.c:
void CheckUniqueName (Element el, Document doc, Attribute attr,
                      AttributeType attrType)
{
#define MaxMsgLength 200
  ElementType    elType;
  int            lineNum, length;
  char          *name;
  char           msgBuffer[MaxMsgLength];

  elType = TtaGetElementType (el);
  if (attr)
    {
      name = (char*)GetXMLAttributeName (attrType, elType, doc);
      if (!strcmp (name, "id"))
        {
          if (!TtaIsValidID (attr, FALSE))
            {
              length = TtaGetTextAttributeLength (attr) + 1;
              name = (char *)TtaGetMemory (length);
              TtaGiveTextAttributeValue (attr, name, length);
              sprintf (msgBuffer, "Invalid ID value \"%s\"", name);

This can result in a stack-based buffer overflow if !TtaIsValidID (attr, FALSE)
is true.
This function is called if an attribute value is duplicated to generate an
error message.
TtaGetTextAttributeLength() returns the length of the attribute; the return
value here has no upper limit. TtaGiveTextAttributeValue() then copies the
attribute value into the allocated name buffer and msgBuffer will be
overflowed (this also sets the length again to the read bytes).
Note that MaxMsgLength is defined as 200 and that a check for !name would also
not hurt.

Same problem for the else case:
  else
    {
      // this function is optional because it increases the loading time
      if (Check_read_ids && MakeUniqueName (el, doc, FALSE, FALSE))
        {
          length = TtaGetTextAttributeLength (attr) + 1;
          name = (char *)TtaGetMemory (length);
          TtaGiveTextAttributeValue (attr, name, length);
          sprintf (msgBuffer, "Duplicate ID value \"%s\"", name);

Similar things are done at other places. Looking at the overall code quality I
suggest we remove amaya from lenny unless someone is willing to do a complete
audit.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.


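As an added illustration (example code written for this page, not Amaya code and not from anyone in the thread): the sprintf-into-msgBuffer pattern quoted above, modelled in plain C with a stand-in attribute type, a function that computes how many bytes the unbounded sprintf would write into the 200-byte stack buffer, and a bounded replacement that uses snprintf, checks the allocation for NULL and reports truncation. FakeAttr, fake_attr_len, fake_attr_val and the two sample ids are assumptions made for the example; the MaxMsgLength limit and the message format are the ones from the quoted code.

```c
/*
 * Added example, not Amaya code: the unbounded sprintf pattern from
 * CheckUniqueName() next to a bounded replacement. The attribute type and
 * accessors are stand-ins for Thot's Attribute / TtaGetTextAttributeLength /
 * TtaGiveTextAttributeValue; the sample ids are constructed inputs.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MaxMsgLength 200                  /* same limit as in HTMLactions.c */
#define INVALID_ID_FMT "Invalid ID value \"%s\""

/* Hypothetical stand-in for a Thot Attribute: only the text value matters. */
typedef struct { const char *text; } FakeAttr;

static int  fake_attr_len(const FakeAttr *a) { return (int)strlen(a->text); }
static void fake_attr_val(const FakeAttr *a, char *buf, int n)
{
    snprintf(buf, (size_t)n, "%s", a->text);
}

/* Bytes, NUL included, that the original sprintf would write to msgBuffer. */
size_t unsafe_message_size(const FakeAttr *attr)
{
    int n = snprintf(NULL, 0, INVALID_ID_FMT, attr->text);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* True when the original code would write past msgBuffer[MaxMsgLength]. */
bool would_overflow(const FakeAttr *attr)
{
    return unsafe_message_size(attr) > MaxMsgLength;
}

/* Hardened form: NULL-checked allocation, bounded formatting, truncation
 * reported to the caller. Returns 0 on success, -1 on failure. */
int build_invalid_id_message(const FakeAttr *attr, char *msg, size_t msglen,
                             bool *truncated)
{
    int length = fake_attr_len(attr) + 1;
    char *name = malloc((size_t)length);
    if (!name)
        return -1;
    fake_attr_val(attr, name, length);
    int n = snprintf(msg, msglen, INVALID_ID_FMT, name); /* bounded by msglen */
    free(name);
    if (n < 0)
        return -1;
    *truncated = (size_t)n >= msglen;  /* n is the length the full message needed */
    return 0;
}

/* Constructed sample inputs: a short id and a 300-byte id as in the CVE. */
const FakeAttr *sample_short_id(void)
{
    static const FakeAttr a = { "main" };
    return &a;
}
const FakeAttr *sample_long_id(void)
{
    static char buf[301];
    static FakeAttr a = { buf };
    memset(buf, 'A', 300);
    buf[300] = '\0';
    return &a;
}

/* Runs the hardened path into a MaxMsgLength stack buffer and returns the
 * resulting string length (MaxMsgLength - 1 when clamped), or -1 on error. */
int hardened_message_length(const FakeAttr *attr)
{
    char msgBuffer[MaxMsgLength];
    bool truncated;
    if (build_invalid_id_message(attr, msgBuffer, sizeof msgBuffer, &truncated) != 0)
        return -1;
    return (int)strlen(msgBuffer);
}

/* Same run, reporting only whether the message had to be clamped. */
bool hardened_message_truncated(const FakeAttr *attr)
{
    char msgBuffer[MaxMsgLength];
    bool truncated = false;
    if (build_invalid_id_message(attr, msgBuffer, sizeof msgBuffer, &truncated) != 0)
        return false;
    return truncated;
}

int main(void)
{
    printf("short id: unsafe needs %zu bytes, overflow=%d\n",
           unsafe_message_size(sample_short_id()), would_overflow(sample_short_id()));
    printf("long  id: unsafe needs %zu bytes, overflow=%d\n",
           unsafe_message_size(sample_long_id()), would_overflow(sample_long_id()));
    printf("hardened long id: length %d, truncated=%d\n",
           hardened_message_length(sample_long_id()),
           hardened_message_truncated(sample_long_id()));
    return 0;
}
```

The point of unsafe_message_size is that the format string alone contributes 19 bytes, so any id longer than 180 bytes already pushes the original sprintf past MaxMsgLength; the hardened version clamps at 199 characters plus NUL and tells the caller it did so, rather than silently truncating or overflowing.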


Bug#507587: CVE-2008-5282: multiple buffer overflows

2008-12-23 Thread Irene Vatton
On Tuesday 23 December 2008 at 16:29 +0100, Nico Golde wrote:
 Hi,
 CCed upstream.
 
 I am not sure if it is enough to just fix this CVE id.
 Browsing a bit in the code reveals quite a lot of additional 
 buffer overflows.

The new release 11.0.1 published today fixes several buffer overflows.
Your new reported overflow should be fixed in that release. Nevertheless
we plan to make a new corrective release end of January.

Regards
-- 
Irene Vatton irene.vat...@inria.fr
INRIA




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#507587: CVE-2008-5282: multiple buffer overflows

2008-12-23 Thread Nico Golde
Hi,
* Irene Vatton irene.vat...@inria.fr [2008-12-23 17:46]:
 On Tuesday 23 December 2008 at 16:29 +0100, Nico Golde wrote:
  CCed upstream.
  
  I am not sure if it is enough to just fix this CVE id.
  Browsing a bit in the code reveals quite a lot of additional 
  buffer overflows.
 
 The new release 11.0.1 published today fixes several buffer overflows.
 Your new reported overflow should be fixed in that release.

How did you fix this? The function of the issue I reported 
still has the same code. Did you fix this without using 
snprintf??

 Nevertheless we plan to make a new corrective release end of January.

Steve, can you assign a CVE id to the issue I reported so we 
can track this issue as well?

Reference should be: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507587#15

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#507587: CVE-2008-5282: multiple buffer overflows

2008-12-23 Thread Regis Boudin
Hi Nico,

Many thanks for the additional digging into the code. I'm currently on
holiday, but will try to find some time to work on bits. Will try to at
least make an upload of 11.0.1 tomorrow.

On Tue, 2008-12-23 at 16:29 +0100, Nico Golde wrote:
 Hi,
 CCed upstream.

 Similar things are done at other places. Looking at the overall code quality I
 suggest we remove amaya from lenny unless someone is willing to do a complete 
 audit.

Amaya isn't in Lenny, mainly because of a bug which was only fixed with
the switch to wx2.8, but the release came in too late.

Thanks again,

Regis







Bug#507587: CVE-2008-5282: multiple buffer overflows

2008-12-03 Thread Regis Boudin
Hi Steffen,

Thanks for the report. I had a quick look at the advisory, apparently both
attacks have the same origin, TtaWCToMBstring().

Will have a look at fixing it, CC'ing upstream, since I haven't seen
anything about the advisory over there.

Regis

On Tue, December 2, 2008 19:20, Steffen Joeris wrote:
 Package: amaya
 Severity: grave
 Tags: security
 Justification: user security hole

 Hi,
 the following CVE (Common Vulnerabilities & Exposures) id was
 published for amaya.

 CVE-2008-5282[0]:
 | Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
 | allow remote attackers to execute arbitrary code via (1) a link with a
 | long HREF attribute, and (2) a DIV tag with a long id attribute.

 If you fix the vulnerability please also make sure to include the
 CVE id in your changelog entry.

 Cheers
 Steffen

 For further information see:

 [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5282
 http://security-tracker.debian.net/tracker/CVE-2008-5282










Bug#507587: CVE-2008-5282: multiple buffer overflows

2008-12-02 Thread Steffen Joeris
Package: amaya
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for amaya.

CVE-2008-5282[0]:
| Multiple stack-based buffer overflows in W3C Amaya Web Browser 10.0.1
| allow remote attackers to execute arbitrary code via (1) a link with a
| long HREF attribute, and (2) a DIV tag with a long id attribute.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5282
http://security-tracker.debian.net/tracker/CVE-2008-5282


