Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120410024322.GJ16793@ngolde.de>
Date: Tue, 10 Apr 2012 04:43:22 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: CVE id request for links2

Hi, 
we received the below bug report about memory handling problems in links2.
Can someone assign CVE ids to this?
Imho at list the first issue is debatable to not get an id. The infinite loop 
is also a non-issue from my point of view.

Cheers
Nico

----- Forwarded message from Mikulas Patocka <mikulas@...ax.karlin.mff.cuni.cz> -----

Subject: Bug#668227: links2: security bugs in links
Resent-To: debian-bugs-dist@...ts.debian.org
Resent-Date: Mon, 09 Apr 2012 22:09:02 +0000
From: Mikulas Patocka <mikulas@...ax.karlin.mff.cuni.cz>
To: Debian Bug Tracking System <submit@...s.debian.org>
Message-ID: <20120409220450.13982.86610.reportbug@...ra>
X-Mailer: reportbug 4.12.6
Date: Tue, 10 Apr 2012 00:04:50 +0200

Package: links2
Version: 2.3~pre1-1
Severity: grave
Tags: security
Justification: user security hole

I discovered some out of memory accesses in links2 graphics mode that could be
potentially used to run exploits. I fixed them in links-2.6. For Debian
Squeeze, I am sending this patch that backports the fixes to links-2.3pre1.
Apply the patch and distribute patched packages links and links2 through
security.debian.org.


[...] 
This patch fixes:

Buffer overflow when pasting too long text from clipboard to dialog boxes
	(not remotely exploitable)
A write out of allocated memory in the graphics rendeder (potentionally
	exploitable)
An infinite loop when parsing invalid usemap specification in text and
	graphics mode (can cause browser lockup, but not otherwise exploitable)
Accesses out of memory in the xbm decoder (potentionally exploitable)

---
 bfu.c  |    3 ++-
 dip.c  |    3 ++-
 html.c |    6 +++++-
 xbm.c  |   20 ++++++++++----------
 4 files changed, 19 insertions(+), 13 deletions(-)

Index: links-2.3pre1/bfu.c
===================================================================
--- links-2.3pre1.orig/bfu.c	2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/bfu.c	2012-04-09 23:39:56.000000000 +0200
@@ -1382,7 +1382,8 @@ void dialog_func(struct window *win, str
 clipbd_paste:
 					clipboard = get_clipboard_text(term);
 					if (clipboard) {
-						if (strlen(di->cdata) < di->item->dlen - strlen(clipboard)) {
+						if (strlen(di->cdata) + strlen(clipboard) < (size_t)di->item->dlen ||
+						    strlen(di->cdata) + strlen(clipboard) < strlen(di->cdata)) {
 							memmove(di->cdata + di->cpos + strlen(clipboard), di->cdata + di->cpos, strlen(di->cdata) - di->cpos + 1);
 							memcpy(&di->cdata[di->cpos], clipboard, strlen(clipboard));
 							di->cpos += strlen(clipboard);
Index: links-2.3pre1/dip.c
===================================================================
--- links-2.3pre1.orig/dip.c	2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/dip.c	2012-04-09 23:39:56.000000000 +0200
@@ -1901,6 +1901,7 @@ int g_wrap_text(struct wrap_struct *w)
 	while (*w->text) {
 		int u;
 		int s;
+		unsigned char *l_text = w->text;
 		if (*w->text == ' ') w->last_wrap = w->text,
 				     w->last_wrap_obj = w->obj;
 		GET_UTF_8(w->text, u);
@@ -1913,7 +1914,7 @@ int g_wrap_text(struct wrap_struct *w)
 			if (u != 0xad || *w->text == ' ') continue;
 			s = g_char_width(w->style, '-');
 			if (w->pos + s <= w->width || (!w->last_wrap && !w->last_wrap_obj)) {
-				w->last_wrap = w->text;
+				w->last_wrap = l_text;
 				w->last_wrap_obj = w->obj;
 				continue;
 			}
Index: links-2.3pre1/html.c
===================================================================
--- links-2.3pre1.orig/html.c	2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/html.c	2012-04-09 23:39:56.000000000 +0200
@@ -2920,6 +2920,7 @@ int get_image_map(unsigned char *head, u
 		lblen = 0;
 		se3:
 		ss = s;
+		se4:
 		while (ss < eof && *ss != '<') ss++;
 		if (ss >= eof) {
 			mem_free(label);
@@ -2933,7 +2934,10 @@ int get_image_map(unsigned char *head, u
 			s = skip_comment(s, eof);
 			goto se3;
 		}
-		if (parse_element(s, eof, NULL, NULL, NULL, &ss)) goto se3;
+		if (parse_element(s, eof, NULL, NULL, NULL, &ss)) {
+			ss = s + 1;
+			goto se4;
+		}
 		if (!((namelen == 1 && !casecmp(name, "A", 1)) ||
 		      (namelen == 2 && !casecmp(name, "/A", 2)) ||
 		      (namelen == 3 && !casecmp(name, "MAP", 3)) ||
Index: links-2.3pre1/xbm.c
===================================================================
--- links-2.3pre1.orig/xbm.c	2012-04-09 23:39:47.000000000 +0200
+++ links-2.3pre1/xbm.c	2012-04-09 23:39:56.000000000 +0200
@@ -44,7 +44,7 @@ struct xbm_decoder{
 extern int get_foreground(int rgb);
 
 unsigned char *my_memmem(unsigned char *, int, unsigned char *, int);
-void xbm_decode(struct cached_image *, unsigned char *, int);
+int xbm_decode(struct cached_image *, unsigned char *, int);
 
 
 unsigned char *my_memmem(unsigned char *h, int hl, unsigned char *n, int nl)
@@ -138,7 +138,7 @@ static inline void put_eight(struct cach
 
 /* opravdovy dekoder xbm, data jsou bez komentaru */
 /* length is always !=NULL */
-void xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
+int xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
 {
 	struct xbm_decoder *deco=(struct xbm_decoder *)cimg->decoder;
 	/* okurky v decu ;-) */
@@ -146,13 +146,13 @@ void xbm_decode(struct cached_image *cim
 	int must_return=0;
 
 restart_again:
-	if (must_return&&!length)return;
+	if (must_return&&!length)return 0;
 	must_return=0;
 	a=min(length,XBM_BUFFER_LEN-deco->buffer_pos);
 	memcpy(deco->buffer+deco->buffer_pos,data,a);
 	length-=a;
 	deco->buffer_pos+=a;
-	if (!deco->buffer_pos)return; 	/* z toho nic plodnyho nevznikne */
+	if (!deco->buffer_pos)return 0; 	/* z toho nic plodnyho nevznikne */
 	data+=a;
 	if (!deco->in_data_block&&deco->partnum)
 	{
@@ -220,7 +220,7 @@ restart_again:
 			cimg->green_gamma=display_green_gamma;
 			cimg->blue_gamma=display_blue_gamma;
 			cimg->strip_optimized=0;
-			if (header_dimensions_known(cimg)) {img_end(cimg);return;}
+			if (header_dimensions_known(cimg)) {img_end(cimg);return 1;}
 			
 			deco->in_data_block=1;
 			p++;
@@ -239,7 +239,7 @@ restart_again:
 		deco->buffer_pos=a;
 		if (deco->partnum)must_return=1;
 		else put_eight(cimg,(b==16&&d>2)||(b==10&&deco->actual_eight>255)?16:8);
-		if (deco->image_pos>=deco->pixels) {img_end(cimg);return;}
+		if (deco->image_pos>=deco->pixels) {img_end(cimg);return 1;}
 		goto restart_again;
 		
 	}
@@ -261,9 +261,9 @@ cycle_again:
 			unsigned char *p;
 			p=memchr(data,'/',length);
 			if (!p){xbm_decode(cimg, data, length);return;}
-			xbm_decode(cimg, data, p-data);
-			data=p+1;	/* preskocim lomitko */
+			if (xbm_decode(cimg, data, p-data)) return;
 			length-=p-data+1;
+			data=p+1;	/* preskocim lomitko */
 			deco->state=1;
 			goto cycle_again;
 		}
@@ -271,7 +271,7 @@ cycle_again:
 		case 1: /* za 1. lomitkem */
 		{
 			if (*data=='*'){deco->state=2;data++;length--;goto cycle_again;}	/* zacal komentar */
-			xbm_decode(cimg, "/", 1);
+			if (xbm_decode(cimg, "/", 1)) return;
 			deco->state=0;	/* to nebyl komentar */
 			goto cycle_again;
 		}
@@ -281,8 +281,8 @@ cycle_again:
 			unsigned char *p;
 			p=memchr(data,'*',length);
 			if (!p)return;	/* furt komentar */
-			data=p+1;	/* preskocim hvezdicku */
 			length-=p-data+1;
+			data=p+1;	/* preskocim hvezdicku */
 			deco->state=3;
 			goto cycle_again;
 		}


----- End forwarded message -----

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.