Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Buffer Overflow still exists in Netscape <= 4.76

From: fish stiqz <fish () ANALOG ORG>
Date: Tue, 16 Jan 2001 14:40:03 -0500
Frank v Waveren <fvw () var cx> wrote:

No dice, apart from a slight rendering bug if you go to the end of the
password field, it doesn't appear to have any problems here.

[/home/fvw] netscape -v
Netscape Lite 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
[/home/fvw] rpm -qi netscape-navigator
Name        : netscape-navigator           Relocations: /usr
Version     : 4.76                              Vendor: Red Hat, Inc.
Release     : 0.6.2                         Build Date: Mon Nov 13 18:47:54 2000
Size        : 7690589                          License: Commercial
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The Netscape Navigator Web browser.



The dice is rolling over here.
This is the exact rpm from the redhat update ftp site.  The md5sum matches
the one listed on their website (see below), and it crashes with the pages
I listed on the original post:
 -> http://fish.analog.org/~fish/crash_netscape2.html

$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
$ md5sum netscape-navigator-4.76-0.6.2.i386.rpm
670b08cbad1097f4ca923071c202b5dd  netscape-navigator-4.76-0.6.2.i386.rpm

 - Same rpm listed at http://www.redhat.com/support/errata/RHSA-2000-109.html:
670b08cbad1097f4ca923071c202b5dd  6.2/i386/netscape-navigator-4.76-0.6.2.i386.rpm

$ rpm -qi netscape-navigator
Name        : netscape-navigator           Relocations: /usr
Version     : 4.76                              Vendor: Red Hat, Inc.
Release     : 0.6.2                         Build Date: Mon 13 Nov 2000
12:47:54 PM EST
Install date: Tue 16 Jan 2001 01:45:38 PM EST      Build Host:
porky.devel.redhat.com
Group       : Applications/Internet         Source RPM:
netscape-4.76-0.6.2.src.rpm
Size        : 7690589                          License: Commercial
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The Netscape Navigator Web browser.
Description :
Netscape Navigator is the industry-leading Web browser. It supports
the latest HTML standards, Java, JavaScript and some style sheets.

Information on the Netscape Navigator license may be found in the file
/usr/doc/netscape-common-%{version}/LICENSE.

This will install the basic Netscape Navigator Web browser.
If you want additional features, such as the Usenet news reader and
HTML editor, you should install the netscape-communicator package.


- This is the same version you are using!  It definitely crashes for me,
(see below).


$ rpm -qf /usr/lib/netscape/netscape-navigator
netscape-navigator-4.76-0.6.2

$ gdb /usr/lib/netscape/netscape-navigator
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args http://fish.analog.org/~fish/crash_netscape2.html
(gdb) run
Starting program: /usr/lib/netscape/netscape-navigator
http://fish.analog.org/~fish/crash_netscape2.html

Program received signal SIGSEGV, Segmentation fault.
0x4002c4d3 in XtCallCallbackList () from /usr/X11R6/lib/libXt.so.6
(gdb) info all-registers
eax            0x40063bc4       1074150340
ecx            0x41414141       1094795585
edx            0x186a0  100000
ebx            0x40065a2c       1074158124
esp            0xbfffdab4       -1073751372
ebp            0xbfffdac8       -1073751352
esi            0xbfffdb90       -1073751152
edi            0x41414145       1094795589
eip            0x4002c4d3       1073923283
eflags         0x10202  66050
<snip>


I have also gotten this to crash on the latest debian-unstable.
$ dpkg --print-avail netscape
Package: netscape
Priority: optional
Section: contrib/web
Installed-Size: 22
Maintainer: Ryan Murray <rmurray () debian org>
Architecture: i386
Source: netscape4.base
Version: 1:4.76-1
Depends: communicator | navigator

Exactly what did you do that it didn't segfault on you?  In all my tests
Netscape has died either as soon as the page loads or as soon as you try
to go somewhere else (or reload).


--
+---------------------------------------------------------------------------+
|  fish stiqz <fish () analog org>    <*)))-<     ** yum, yum, delicious **    |
+---------------------------------------------------------------------------+
Previous By Date Next
Previous By Thread Next

Current thread: