oss-sec mailing list archives
CVE id request for links2
From: Nico Golde <oss-security+ml () ngolde de>
Date: Tue, 10 Apr 2012 04:43:22 +0200
Hi,
we received the below bug report about memory handling problems in links2.
Can someone assign CVE ids to this?
Imho at list the first issue is debatable to not get an id. The infinite loop
is also a non-issue from my point of view.
Cheers
Nico
----- Forwarded message from Mikulas Patocka <mikulas () artax karlin mff cuni cz> -----
Subject: Bug#668227: links2: security bugs in links
Resent-To: debian-bugs-dist () lists debian org
Resent-Date: Mon, 09 Apr 2012 22:09:02 +0000
From: Mikulas Patocka <mikulas () artax karlin mff cuni cz>
To: Debian Bug Tracking System <submit () bugs debian org>
Message-ID: <20120409220450.13982.86610.reportbug@hydra>
X-Mailer: reportbug 4.12.6
Date: Tue, 10 Apr 2012 00:04:50 +0200
Package: links2
Version: 2.3~pre1-1
Severity: grave
Tags: security
Justification: user security hole
I discovered some out of memory accesses in links2 graphics mode that could be
potentially used to run exploits. I fixed them in links-2.6. For Debian
Squeeze, I am sending this patch that backports the fixes to links-2.3pre1.
Apply the patch and distribute patched packages links and links2 through
security.debian.org.
[...]
This patch fixes:
Buffer overflow when pasting too long text from clipboard to dialog boxes
(not remotely exploitable)
A write out of allocated memory in the graphics rendeder (potentionally
exploitable)
An infinite loop when parsing invalid usemap specification in text and
graphics mode (can cause browser lockup, but not otherwise exploitable)
Accesses out of memory in the xbm decoder (potentionally exploitable)
---
bfu.c | 3 ++-
dip.c | 3 ++-
html.c | 6 +++++-
xbm.c | 20 ++++++++++----------
4 files changed, 19 insertions(+), 13 deletions(-)
Index: links-2.3pre1/bfu.c
===================================================================
--- links-2.3pre1.orig/bfu.c 2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/bfu.c 2012-04-09 23:39:56.000000000 +0200
@@ -1382,7 +1382,8 @@ void dialog_func(struct window *win, str
clipbd_paste:
clipboard = get_clipboard_text(term);
if (clipboard) {
- if (strlen(di->cdata) < di->item->dlen - strlen(clipboard)) {
+ if (strlen(di->cdata) + strlen(clipboard) < (size_t)di->item->dlen ||
+ strlen(di->cdata) + strlen(clipboard) < strlen(di->cdata)) {
memmove(di->cdata + di->cpos + strlen(clipboard), di->cdata +
di->cpos, strlen(di->cdata) - di->cpos + 1);
memcpy(&di->cdata[di->cpos], clipboard, strlen(clipboard));
di->cpos += strlen(clipboard);
Index: links-2.3pre1/dip.c
===================================================================
--- links-2.3pre1.orig/dip.c 2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/dip.c 2012-04-09 23:39:56.000000000 +0200
@@ -1901,6 +1901,7 @@ int g_wrap_text(struct wrap_struct *w)
while (*w->text) {
int u;
int s;
+ unsigned char *l_text = w->text;
if (*w->text == ' ') w->last_wrap = w->text,
w->last_wrap_obj = w->obj;
GET_UTF_8(w->text, u);
@@ -1913,7 +1914,7 @@ int g_wrap_text(struct wrap_struct *w)
if (u != 0xad || *w->text == ' ') continue;
s = g_char_width(w->style, '-');
if (w->pos + s <= w->width || (!w->last_wrap && !w->last_wrap_obj)) {
- w->last_wrap = w->text;
+ w->last_wrap = l_text;
w->last_wrap_obj = w->obj;
continue;
}
Index: links-2.3pre1/html.c
===================================================================
--- links-2.3pre1.orig/html.c 2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/html.c 2012-04-09 23:39:56.000000000 +0200
@@ -2920,6 +2920,7 @@ int get_image_map(unsigned char *head, u
lblen = 0;
se3:
ss = s;
+ se4:
while (ss < eof && *ss != '<') ss++;
if (ss >= eof) {
mem_free(label);
@@ -2933,7 +2934,10 @@ int get_image_map(unsigned char *head, u
s = skip_comment(s, eof);
goto se3;
}
- if (parse_element(s, eof, NULL, NULL, NULL, &ss)) goto se3;
+ if (parse_element(s, eof, NULL, NULL, NULL, &ss)) {
+ ss = s + 1;
+ goto se4;
+ }
if (!((namelen == 1 && !casecmp(name, "A", 1)) ||
(namelen == 2 && !casecmp(name, "/A", 2)) ||
(namelen == 3 && !casecmp(name, "MAP", 3)) ||
Index: links-2.3pre1/xbm.c
===================================================================
--- links-2.3pre1.orig/xbm.c 2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/xbm.c 2012-04-09 23:39:56.000000000 +0200
@@ -44,7 +44,7 @@ struct xbm_decoder{
extern int get_foreground(int rgb);
unsigned char *my_memmem(unsigned char *, int, unsigned char *, int);
-void xbm_decode(struct cached_image *, unsigned char *, int);
+int xbm_decode(struct cached_image *, unsigned char *, int);
unsigned char *my_memmem(unsigned char *h, int hl, unsigned char *n, int nl)
@@ -138,7 +138,7 @@ static inline void put_eight(struct cach
/* opravdovy dekoder xbm, data jsou bez komentaru */
/* length is always !=NULL */
-void xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
+int xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
{
struct xbm_decoder *deco=(struct xbm_decoder *)cimg->decoder;
/* okurky v decu ;-) */
@@ -146,13 +146,13 @@ void xbm_decode(struct cached_image *cim
int must_return=0;
restart_again:
- if (must_return&&!length)return;
+ if (must_return&&!length)return 0;
must_return=0;
a=min(length,XBM_BUFFER_LEN-deco->buffer_pos);
memcpy(deco->buffer+deco->buffer_pos,data,a);
length-=a;
deco->buffer_pos+=a;
- if (!deco->buffer_pos)return; /* z toho nic plodnyho nevznikne */
+ if (!deco->buffer_pos)return 0; /* z toho nic plodnyho nevznikne */
data+=a;
if (!deco->in_data_block&&deco->partnum)
{
@@ -220,7 +220,7 @@ restart_again:
cimg->green_gamma=display_green_gamma;
cimg->blue_gamma=display_blue_gamma;
cimg->strip_optimized=0;
- if (header_dimensions_known(cimg)) {img_end(cimg);return;}
+ if (header_dimensions_known(cimg)) {img_end(cimg);return 1;}
deco->in_data_block=1;
p++;
@@ -239,7 +239,7 @@ restart_again:
deco->buffer_pos=a;
if (deco->partnum)must_return=1;
else put_eight(cimg,(b==16&&d>2)||(b==10&&deco->actual_eight>255)?16:8);
- if (deco->image_pos>=deco->pixels) {img_end(cimg);return;}
+ if (deco->image_pos>=deco->pixels) {img_end(cimg);return 1;}
goto restart_again;
}
@@ -261,9 +261,9 @@ cycle_again:
unsigned char *p;
p=memchr(data,'/',length);
if (!p){xbm_decode(cimg, data, length);return;}
- xbm_decode(cimg, data, p-data);
- data=p+1; /* preskocim lomitko */
+ if (xbm_decode(cimg, data, p-data)) return;
length-=p-data+1;
+ data=p+1; /* preskocim lomitko */
deco->state=1;
goto cycle_again;
}
@@ -271,7 +271,7 @@ cycle_again:
case 1: /* za 1. lomitkem */
{
if (*data=='*'){deco->state=2;data++;length--;goto cycle_again;} /* zacal komentar */
- xbm_decode(cimg, "/", 1);
+ if (xbm_decode(cimg, "/", 1)) return;
deco->state=0; /* to nebyl komentar */
goto cycle_again;
}
@@ -281,8 +281,8 @@ cycle_again:
unsigned char *p;
p=memchr(data,'*',length);
if (!p)return; /* furt komentar */
- data=p+1; /* preskocim hvezdicku */
length-=p-data+1;
+ data=p+1; /* preskocim hvezdicku */
deco->state=3;
goto cycle_again;
}
----- End forwarded message -----
--
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE id request for links2 Nico Golde (Apr 09)
- Re: CVE id request for links2 Huzaifa Sidhpurwala (Apr 09)
- Re: CVE id request for links2 Kurt Seifried (Apr 10)
- Re: CVE id request for links2 Nico Golde (Apr 11)
- Re: CVE id request for links2 Kurt Seifried (May 05)
- Re: CVE id request for links2 Nico Golde (Apr 11)