Bug 159597
Summary: CAN-2005-3183 Multiple bugs in libwww - one exploitable - in Library/src/HTBound.c

| Field | Value |
|---|---|
| Product | [Fedora] Fedora |
| Component | w3c-libwww |
| Version | 4 |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | medium |
| Reporter | Sam Varshavchik <mrsam> |
| Assignee | Harald Hoyer <harald> |
| CC | atterer, gisle, security-response-team |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Whiteboard | impact=low,source=redhat,public=20051007,reported=20050605 |
| Doc Type | Bug Fix |
| Last Closed | 2005-11-15 09:54:26 UTC |

Description
Sam Varshavchik
2005-06-05 15:53:07 UTC
hmm... lines 64-69 are wrapped in "if (l>0)"

    else if (l>0) {
        me->dash = 0;
        me->bpos = me->boundary;
        me->state = EOL_BEGIN;
    }

I think you mean:

    if (*b == '-') {
        me->dash++;
    } else if (*b != CR && *b != LF) {
        me->dash = 0;
        me->state = EOL_BEGIN;
    }

???

Did you get s.th. upstream?

Since this bug was reported, I also identified multiple other defects in libwww's original HTBound.c. Its fundamental logic is inherently broken. I've dumped HTBound.c, rewritten it from scratch, and now I'm maintaining my own source tree, for my own purposes. I could not make contact with anyone who claims to be maintaining libwww @ W3C, to contribute my revised module. It does not appear to be actively maintained any more. libwww has been dropped from Fedora, which is probably for the best.

well, dropped from Fedora it is, but RHEL may need a security erratum. Care to attach your HTBound.c version? Thank you very much for reporting and analyzing this issue!

Created attachment 118820
My working version of HTBound.c

I'm flipping this to FC4, as this is going to affect FC4 and FC3.

This issue has been made public in our FC[34] update. I'm opening it up to the public.

> All libwww clients are vulnerable, including the LWP
> Perl module.

I'm the author of LWP and I don't believe the statement quoted above
to be true. LWP does not rely on the w3c-libwww code. Its only
parsing of multipart messages is in the _parts() function of
HTTP::Message and that method is pure perl code with no buffer
overflow issues.

CVE-2005-3183 Maybe Affects: FC3 [#159597:ASSIGNED] -> FEDORA-2005-953

CVE-2005-3183 Maybe Affects: FC4 [#159597:ASSIGNED] -> FEDORA-2005-952

We have applied Sam's patch in CVS. It will be included in the upcoming release 5.4.1 . . .