fedora-cvs-commits@redhat.com
[Top] [All Lists]

rpms/lynx/devel lynx-CAN-2005-3120.patch, NONE, 1.1 lynx.spec, 1.26, 1.2

Subject: rpms/lynx/devel lynx-CAN-2005-3120.patch, NONE, 1.1 lynx.spec, 1.26, 1.27
From:
Date: Mon, 17 Oct 2005 05:55:05 -0400
Author: twaugh

Update of /cvs/dist/rpms/lynx/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv28865

Modified Files:
        lynx.spec 
Added Files:
        lynx-CAN-2005-3120.patch 
Log Message:
* Mon Oct 17 2005 Tim Waugh <twaugh@xxxxxxxxxx> 2.8.5-24
- Apply patch to fix CAN-2005-3120 (bug #170253).


lynx-CAN-2005-3120.patch:
 CHANGES                             |    2 
 WWW/Library/Implementation/HTMIME.c |   85 +++++++++++++++++++++---------------
 WWW/Library/Implementation/HTMIME.h |   16 +-----
 WWW/Library/Implementation/HTNews.c |   79 +++++++++------------------------
 4 files changed, 78 insertions(+), 104 deletions(-)

--- NEW FILE lynx-CAN-2005-3120.patch ---
--- lynx2-8-5/WWW/Library/Implementation/HTMIME.c.CAN-2005-3120 2004-01-08 
02:03:09.000000000 +0000
+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.c       2005-10-11 
12:14:22.000000000 +0100
@@ -2062,27 +2062,24 @@
 **
 **     Written by S. Ichikawa,
 **     partially inspired by encdec.c of <jh@xxxxxxxxxx>.
-**     Assume caller's buffer is LINE_LENGTH bytes, these decode to
-**     no longer than the input strings.
+**     Caller's buffers decode to no longer than the input strings.
 */
-#define LINE_LENGTH 512                /* Maximum length of line of ARTICLE 
etc */
-#ifdef ESC
-#undef ESC
-#endif /* ESC */
 #include <LYCharVals.h>  /* S/390 -- gil -- 0163 */
-#define ESC    CH_ESC
 
 PRIVATE char HTmm64[] =
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ;
 PRIVATE char HTmmquote[] = "0123456789ABCDEF";
 PRIVATE int HTmmcont = 0;
 
-PUBLIC void HTmmdec_base64 ARGS2(
-       char *,         t,
+static void HTmmdec_base64 ARGS2(
+       char **,        t,
        char *,         s)
 {
     int   d, count, j, val;
-    char  buf[LINE_LENGTH], *bp, nw[4], *p;
+    char  *buf, *bp, nw[4], *p;
+
+    if ((buf = malloc(strlen(s) * 3 + 1)) == 0)
+       outofmem(__FILE__, "HTmmdec_base64");
 
     for (bp = buf; *s; s += 4) {
        val = 0;
@@ -2113,14 +2110,18 @@
            *bp++ = nw[2];
     }
     *bp = '\0';
-    strcpy(t, buf);
+    StrAllocCopy(*t, buf);
+    FREE(buf);
 }
 
-PUBLIC void HTmmdec_quote ARGS2(
-       char *,         t,
+static void HTmmdec_quote ARGS2(
+       char **,        t,
        char *,         s)
 {
-    char  buf[LINE_LENGTH], cval, *bp, *p;
+    char  *buf, cval, *bp, *p;
+
+    if ((buf = malloc(strlen(s) + 1)) == 0)
+       outofmem(__FILE__, "HTmmdec_quote");
 
     for (bp = buf; *s; ) {
        if (*s == '=') {
@@ -2147,23 +2148,27 @@
        }
     }
     *bp = '\0';
-    strcpy(t, buf);
+    StrAllocCopy(*t, buf);
+    FREE(buf);
 }
 
 /*
 **     HTmmdecode for ISO-2022-JP - FM
 */
 PUBLIC void HTmmdecode ARGS2(
-       char *,         trg,
-       char *,         str)
+       char **,        target,
+       char *,         source)
 {
-    char buf[LINE_LENGTH], mmbuf[LINE_LENGTH];
+    char *buf;
+    char *mmbuf = NULL;
+    char *m2buf = NULL;
     char *s, *t, *u;
     int  base64, quote;
 
-    buf[0] = '\0';
+    if ((buf = malloc(strlen(source) + 1)) == 0)
+       outofmem(__FILE__, "HTmmdecode");
 
-    for (s = str, u = buf; *s; ) {
+    for (s = source, u = buf; *s; ) {
        if (!strncasecomp(s, "=?ISO-2022-JP?B?", 16)) {
            base64 = 1;
        } else {
@@ -2177,15 +2182,18 @@
        if (base64 || quote) {
            if (HTmmcont) {
                for (t = s - 1;
-                   t >= str && (*t == ' ' || *t == '\t'); t--) {
+                   t >= source && (*t == ' ' || *t == '\t'); t--) {
                        u--;
                }
            }
+           if (mmbuf == 0)     /* allocate buffer big enough for source */
+               StrAllocCopy(mmbuf, source);
            for (s += 16, t = mmbuf; *s; ) {
                if (s[0] == '?' && s[1] == '=') {
                    break;
                } else {
                    *t++ = *s++;
+                   *t = '\0';
                }
            }
            if (s[0] != '?' || s[1] != '=') {
@@ -2195,14 +2203,12 @@
                *t = '\0';
            }
            if (base64)
-               HTmmdec_base64(mmbuf, mmbuf);
+               HTmmdec_base64(&m2buf, mmbuf);
            if (quote)
-               HTmmdec_quote(mmbuf, mmbuf);
-           for (t = mmbuf; *t; )
+               HTmmdec_quote(&m2buf, mmbuf);
+           for (t = m2buf; *t; )
                *u++ = *t++;
            HTmmcont = 1;
-           /* if (*s == ' ' || *s == '\t') *u++ = *s; */
-           /* for ( ; *s == ' ' || *s == '\t'; s++) ; */
        } else {
            if (*s != ' ' && *s != '\t')
                HTmmcont = 0;
@@ -2211,7 +2217,10 @@
     }
     *u = '\0';
 end:
-    strcpy(trg, buf);
+    StrAllocCopy(*target, buf);
+    FREE(m2buf);
+    FREE(mmbuf);
+    FREE(buf);
 }
 
 /*
@@ -2219,22 +2228,27 @@
 **  (The author of this function "rjis" is S. Ichikawa.)
 */
 PUBLIC int HTrjis ARGS2(
-       char *,         t,
+       char **,        t,
        char *,         s)
 {
-    char *p, buf[LINE_LENGTH];
+    char *p;
+    char *buf = NULL;
     int kanji = 0;
 
-    if (strchr(s, ESC) || !strchr(s, '$')) {
-       if (s != t)
-           strcpy(t, s);
+    if (strchr(s, CH_ESC) || !strchr(s, '$')) {
+       if (s != *t)
+           StrAllocCopy(*t, s);
        return 1;
     }
+
+    if ((buf = malloc(strlen(s) * 2 + 1)) == 0)
+       outofmem(__FILE__, "HTrjis");
+
     for (p = buf; *s; ) {
        if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
            if (HTmaybekanji((int)s[2], (int)s[3])) {
                kanji = 1;
-               *p++ = ESC;
+               *p++ = CH_ESC;
                *p++ = *s++;
                *p++ = *s++;
                *p++ = *s++;
@@ -2246,7 +2260,7 @@
        }
        if (kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B')) {
            kanji = 0;
-           *p++ = ESC;
+           *p++ = CH_ESC;
            *p++ = *s++;
            *p++ = *s++;
            continue;
@@ -2255,7 +2269,8 @@
     }
     *p = *s;   /* terminate string */
 
-    strcpy(t, buf);
+    StrAllocCopy(*t, buf);
+    FREE(buf);
     return 0;
 }
 
--- lynx2-8-5/WWW/Library/Implementation/HTMIME.h.CAN-2005-3120 2003-01-22 
09:43:13.000000000 +0000
+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.h       2005-10-11 
12:14:22.000000000 +0100
@@ -67,21 +67,13 @@
   For handling Japanese headers.
 
 */
-extern void HTmmdec_base64 PARAMS((
-       char *  t,
-       char *  s));
-
-extern void HTmmdec_quote PARAMS((
-       char *  t,
-       char *  s));
-
 extern void HTmmdecode PARAMS((
-       char *  trg,
-       char *  str));
+       char **target,
+       char *source));
 
 extern int HTrjis PARAMS((
-       char *  t,
-       char *  s));
+       char **target,
+       char *source));
 
 extern int HTmaybekanji PARAMS((
        int     c1,
--- lynx2-8-5/WWW/Library/Implementation/HTNews.c.CAN-2005-3120 2004-01-08 
02:03:09.000000000 +0000
+++ lynx2-8-5/WWW/Library/Implementation/HTNews.c       2005-10-11 
12:14:22.000000000 +0100
@@ -940,7 +940,6 @@
     }
 }
 
-#ifdef SH_EX   /* for MIME */
 #ifdef NEWS_DEBUG
 /* for DEBUG 1997/11/07 (Fri) 17:20:16 */
 void debug_print(unsigned char *p)
@@ -962,44 +961,18 @@
 }
 #endif
 
-static char *decode_mime(char *str)
+static char *decode_mime(char **str)
 {
     char temp[LINE_LENGTH];    /* FIXME: what determines the actual size? */
     char *p, *q;
 
-    if (str == NULL)
-       return "";
-
+#ifdef SH_EX
     if (HTCJK != JAPANESE)
-       return str;
-
-    LYstrncpy(temp, str, sizeof(temp) - 1);
-    q = temp;
-    while ((p = strchr(q, '=')) != 0) {
-       if (p[1] == '?') {
-           HTmmdecode(p, p);
-           q = p + 2;
-       } else {
-           q = p + 1;
-       }
-    }
-#ifdef NEWS_DEBUG
-    printf("new=[");
-    debug_print(temp);
+       return *str;
 #endif
-    HTrjis(temp, temp);
-    strcpy(str, temp);
-
-    return str;
+    HTmmdecode(str, *str);
+    return HTrjis(str, *str) ? *str : "";
 }
-#else /* !SH_EX */
-static char *decode_mime ARGS1(char *, str)
-{
-    HTmmdecode(str, str);
-    HTrjis(str, str);
-    return str;
-}
-#endif
 
 
 /*     Read in an Article                                      read_article
@@ -1087,22 +1060,22 @@
 
                } else if (match(full_line, "SUBJECT:")) {
                    StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1));
-                   decode_mime(subject);
+                   decode_mime(&subject);
                } else if (match(full_line, "DATE:")) {
                    StrAllocCopy(date, HTStrip(strchr(full_line,':')+1));
 
                } else if (match(full_line, "ORGANIZATION:")) {
                    StrAllocCopy(organization,
                                 HTStrip(strchr(full_line,':')+1));
-                   decode_mime(organization);
+                   decode_mime(&organization);
 
                } else if (match(full_line, "FROM:")) {
                    StrAllocCopy(from, HTStrip(strchr(full_line,':')+1));
-                   decode_mime(from);
+                   decode_mime(&from);
 
                } else if (match(full_line, "REPLY-TO:")) {
                    StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1));
-                   decode_mime(replyto);
+                   decode_mime(&replyto);
 
                } else if (match(full_line, "NEWSGROUPS:")) {
                    StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1));
@@ -1711,8 +1684,8 @@
        int,            last_required)
 {
     char line[LINE_LENGTH+1];
-    char author[LINE_LENGTH+1];
-    char subject[LINE_LENGTH+1];
+    char *author = NULL;
+    char *subject = NULL;
     char *date = NULL;
     int i;
     char *p;
@@ -1725,7 +1698,6 @@
     int status, count, first, last;    /* Response fields */
                                        /* count is only an upper limit */
 
-    author[0] = '\0';
     START(HTML_HEAD);
     PUTC('\n');
     START(HTML_TITLE);
@@ -1946,8 +1918,8 @@
                        case 'S':
                        case 's':
                            if (match(line, "SUBJECT:")) {
-                               LYstrncpy(subject, line+9, 
sizeof(subject)-1);/* Save subject */
-                               decode_mime(subject);
+                               StrAllocCopy(subject, line + 9);
+                               decode_mime(&subject);
                            }
                            break;
 
@@ -1964,10 +1936,8 @@
                        case 'F':
                            if (match(line, "FROM:")) {
                                char * p2;
-                               LYstrncpy(author,
-                                       author_name(strchr(line,':')+1),
-                                       sizeof(author)-1);
-                               decode_mime(author);
+                               StrAllocCopy(author, strchr(line, ':') + 1);
+                               decode_mime(&author);
                                p2 = author + strlen(author) - 1;
                                if (*p2==LF)
                                    *p2 = '\0'; /* Chop off newline */
@@ -1988,11 +1958,8 @@
 
                PUTC('\n');
                START(HTML_LI);
-#ifdef SH_EX   /* for MIME */
-               HTSprintf0(&temp, "\"%s\"", decode_mime(subject));
-#else
-               HTSprintf0(&temp, "\"%s\"", subject);
-#endif
+               p = decode_mime(&subject);
+               HTSprintf0(&temp, "\"%s\"", NonNull(p));
                if (reference) {
                    write_anchor(temp, reference);
                    FREE(reference);
@@ -2001,18 +1968,14 @@
                }
                FREE(temp);
 
-               if (author[0] != '\0') {
+               if (author != NULL) {
                     PUTS(" - ");
                     if (LYListNewsDates)
                         START(HTML_I);
-#ifdef SH_EX   /* for MIME */
-                    PUTS(decode_mime(author));
-#else
-                    PUTS(author);
-#endif
+                    PUTS(decode_mime(&author));
                     if (LYListNewsDates)
                         END(HTML_I);
-                    author[0] = '\0';
+                    FREE(author);
                }
                if (date) {
                    if (!diagnostic) {
@@ -2055,6 +2018,8 @@
                MAYBE_END(HTML_LI);
            } /* Handle response to HEAD request */
        } /* Loop over article */
+       FREE(author);
+       FREE(subject);
     } /* If read headers */
     PUTC('\n');
     if (LYListNewsNumbers)
--- lynx2-8-5/CHANGES.CAN-2005-3120     2004-02-04 12:07:09.000000000 +0000
+++ lynx2-8-5/CHANGES   2005-10-11 12:14:22.000000000 +0100
@@ -1,5 +1,7 @@
 Changes since Lynx 2.8 release
 ===============================================================================
+* eliminate fixed-size buffers in HTrjis() and related functions to avoid
+  potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
 
 2004-02-04 (2.8.5rel.1)
 * build fixes for MINGW32 -DK


Index: lynx.spec
===================================================================
RCS file: /cvs/dist/rpms/lynx/devel/lynx.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- lynx.spec   29 Mar 2005 15:59:39 -0000      1.26
+++ lynx.spec   17 Oct 2005 09:55:00 -0000      1.27
@@ -1,13 +1,14 @@
 Summary: A text-based Web browser.
 Name: lynx
 Version: 2.8.5
-Release: 23
+Release: 24
 License: GPL
 Group: Applications/Internet
 Source: http://lynx.isc.org/current/lynx2.8.5rel.1.tar.bz2
 URL: http://lynx.isc.org/
 Patch0: lynx-2.8.4-redhat.patch
 Patch1: lynx-crash.patch
+Patch2: lynx-CAN-2005-3120.patch
 Requires: indexhtml
 Provides: webclient
 BuildRequires: openssl-devel, pkgconfig, ncurses-devel >= 5.3-5, slang-devel, 
zlib-devel
@@ -23,6 +24,7 @@
 %setup -q -n lynx2-8-5
 %patch0 -p1 -b .redhat
 %patch1 -p1 -b .crash
+%patch2 -p1 -b .CAN-2005-3120
 perl -pi -e 
"s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g"
 lynx.cfg
 perl -pi -e 
"s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://www.google.com/,g"; lynx.cfg
 perl -pi -e 's,^#LOCALE_CHARSET:.*,LOCALE_CHARSET:TRUE,' lynx.cfg
@@ -92,6 +94,9 @@
 %config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg
 
 %changelog
+* Mon Oct 17 2005 Tim Waugh <twaugh@xxxxxxxxxx> 2.8.5-24
+- Apply patch to fix CAN-2005-3120 (bug #170253).
+
 * Tue Mar 29 2005 Tim Waugh <twaugh@xxxxxxxxxx> 2.8.5-23
 - Fixed fix for bug #90302 (bug #152146).
 

-- 
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits

<Prev in Thread] Current Thread [Next in Thread>
  • rpms/lynx/devel lynx-CAN-2005-3120.patch, NONE, 1.1 lynx.spec, 1.26, 1.27, fedora-cvs-commits <=