rpms/lynx/FC-3 lynx-CAN-2005-3120.patch, NONE, 1.1 lynx.spec, 1.20, 1.21
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Oct 17 09:51:35 UTC 2005
Author: twaugh
Update of /cvs/dist/rpms/lynx/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv25685
Modified Files:
lynx.spec
Added Files:
lynx-CAN-2005-3120.patch
Log Message:
* Tue Oct 11 2005 Tim Waugh <twaugh at redhat.com> 2.8.5-18.0.1
- Apply patch to fix CAN-2005-3120 (bug #170253).
lynx-CAN-2005-3120.patch:
CHANGES | 2
WWW/Library/Implementation/HTMIME.c | 85 +++++++++++++++++++++---------------
WWW/Library/Implementation/HTMIME.h | 16 +-----
WWW/Library/Implementation/HTNews.c | 79 +++++++++------------------------
4 files changed, 78 insertions(+), 104 deletions(-)
--- NEW FILE lynx-CAN-2005-3120.patch ---
--- lynx2-8-5/WWW/Library/Implementation/HTMIME.c.CAN-2005-3120 2003-01-22 09:43:13.000000000 +0000
+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.c 2005-10-11 12:22:27.000000000 +0100
@@ -2065,27 +2065,24 @@
**
** Written by S. Ichikawa,
** partially inspired by encdec.c of <jh at efd.lth.se>.
-** Assume caller's buffer is LINE_LENGTH bytes, these decode to
-** no longer than the input strings.
+** Caller's buffers decode to no longer than the input strings.
*/
-#define LINE_LENGTH 512 /* Maximum length of line of ARTICLE etc */
-#ifdef ESC
-#undef ESC
-#endif /* ESC */
#include <LYCharVals.h> /* S/390 -- gil -- 0163 */
-#define ESC CH_ESC
PRIVATE char HTmm64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ;
PRIVATE char HTmmquote[] = "0123456789ABCDEF";
PRIVATE int HTmmcont = 0;
-PUBLIC void HTmmdec_base64 ARGS2(
- char *, t,
+static void HTmmdec_base64 ARGS2(
+ char **, t,
char *, s)
{
int d, count, j, val;
- char buf[LINE_LENGTH], *bp, nw[4], *p;
+ char *buf, *bp, nw[4], *p;
+
+ if ((buf = malloc(strlen(s) * 3 + 1)) == 0)
+ outofmem(__FILE__, "HTmmdec_base64");
for (bp = buf; *s; s += 4) {
val = 0;
@@ -2116,14 +2113,18 @@
*bp++ = nw[2];
}
*bp = '\0';
- strcpy(t, buf);
+ StrAllocCopy(*t, buf);
+ FREE(buf);
}
-PUBLIC void HTmmdec_quote ARGS2(
- char *, t,
+static void HTmmdec_quote ARGS2(
+ char **, t,
char *, s)
{
- char buf[LINE_LENGTH], cval, *bp, *p;
+ char *buf, cval, *bp, *p;
+
+ if ((buf = malloc(strlen(s) + 1)) == 0)
+ outofmem(__FILE__, "HTmmdec_quote");
for (bp = buf; *s; ) {
if (*s == '=') {
@@ -2150,23 +2151,27 @@
}
}
*bp = '\0';
- strcpy(t, buf);
+ StrAllocCopy(*t, buf);
+ FREE(buf);
}
/*
** HTmmdecode for ISO-2022-JP - FM
*/
PUBLIC void HTmmdecode ARGS2(
- char *, trg,
- char *, str)
+ char **, target,
+ char *, source)
{
- char buf[LINE_LENGTH], mmbuf[LINE_LENGTH];
+ char *buf;
+ char *mmbuf = NULL;
+ char *m2buf = NULL;
char *s, *t, *u;
int base64, quote;
- buf[0] = '\0';
+ if ((buf = malloc(strlen(source) + 1)) == 0)
+ outofmem(__FILE__, "HTmmdecode");
- for (s = str, u = buf; *s; ) {
+ for (s = source, u = buf; *s; ) {
if (!strncasecomp(s, "=?ISO-2022-JP?B?", 16)) {
base64 = 1;
} else {
@@ -2180,15 +2185,18 @@
if (base64 || quote) {
if (HTmmcont) {
for (t = s - 1;
- t >= str && (*t == ' ' || *t == '\t'); t--) {
+ t >= source && (*t == ' ' || *t == '\t'); t--) {
u--;
}
}
+ if (mmbuf == 0) /* allocate buffer big enough for source */
+ StrAllocCopy(mmbuf, source);
for (s += 16, t = mmbuf; *s; ) {
if (s[0] == '?' && s[1] == '=') {
break;
} else {
*t++ = *s++;
+ *t = '\0';
}
}
if (s[0] != '?' || s[1] != '=') {
@@ -2198,14 +2206,12 @@
*t = '\0';
}
if (base64)
- HTmmdec_base64(mmbuf, mmbuf);
+ HTmmdec_base64(&m2buf, mmbuf);
if (quote)
- HTmmdec_quote(mmbuf, mmbuf);
- for (t = mmbuf; *t; )
+ HTmmdec_quote(&m2buf, mmbuf);
+ for (t = m2buf; *t; )
*u++ = *t++;
HTmmcont = 1;
- /* if (*s == ' ' || *s == '\t') *u++ = *s; */
- /* for ( ; *s == ' ' || *s == '\t'; s++) ; */
} else {
if (*s != ' ' && *s != '\t')
HTmmcont = 0;
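Review bot: `m2buf` is dereferenced in `for (t = m2buf; *t; )` without any check that the decoder produced a result for this encoded word. It starts as NULL and is only assigned by the `StrAllocCopy(*t, buf)` at the very end of HTmmdec_base64/HTmmdec_quote; if either decoder can leave early (their loop bodies are outside the visible hunks), this loop either dereferences NULL or re-copies the previous word's output, which is not bounded by the current word's length and so may not fit in `buf`. I would put `FREE(m2buf);` before the two decoder calls and wrap the copy loop in `if (m2buf != NULL)`. Any early exit inside the decoders would also need its own `FREE(buf)` now that `buf` is heap-allocated.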
@@ -2214,7 +2220,10 @@
}
*u = '\0';
end:
- strcpy(trg, buf);
+ StrAllocCopy(*target, buf);
+ FREE(m2buf);
+ FREE(mmbuf);
+ FREE(buf);
}
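Review bot: The `end:` label sits below `*u = '\0';`, so a `goto end` (the jump itself is outside this hunk) reaches `StrAllocCopy(*target, buf)` with `buf` unterminated. The earlier hunk also removes `buf[0] = '\0'`, and `buf` now comes straight from `malloc`, so on that path the copy reads uninitialised heap and can run past the allocation. Moving the terminator under the label, `end: *u = '\0';`, covers both exits, assuming every jump happens after `u = buf` in the loop initialiser.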
/*
@@ -2222,22 +2231,27 @@
** (The author of this function "rjis" is S. Ichikawa.)
*/
PUBLIC int HTrjis ARGS2(
- char *, t,
+ char **, t,
char *, s)
{
- char *p, buf[LINE_LENGTH];
+ char *p;
+ char *buf = NULL;
int kanji = 0;
- if (strchr(s, ESC) || !strchr(s, '$')) {
- if (s != t)
- strcpy(t, s);
+ if (strchr(s, CH_ESC) || !strchr(s, '$')) {
+ if (s != *t)
+ StrAllocCopy(*t, s);
return 1;
}
+
+ if ((buf = malloc(strlen(s) * 2 + 1)) == 0)
+ outofmem(__FILE__, "HTrjis");
+
for (p = buf; *s; ) {
if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
if (HTmaybekanji((int)s[2], (int)s[3])) {
kanji = 1;
- *p++ = ESC;
+ *p++ = CH_ESC;
*p++ = *s++;
*p++ = *s++;
*p++ = *s++;
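Review bot: `HTmaybekanji((int)s[2], (int)s[3])` is evaluated after only `s[0]` and `s[1]` have been checked, so for a string that ends right after `$@` or `$B`, `s[2]` is the terminator and `s[3]` is one byte past it. Callers now pass exact-size heap strings instead of LINE_LENGTH stack buffers, so that read can fall outside the allocation. A guard such as `if (s[2] != '\0' && HTmaybekanji((int)s[2], (int)s[3]))` avoids it. The rest of this branch is outside the hunk, so check that the fall-through path still advances `s`.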
@@ -2249,7 +2263,7 @@
}
if (kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B')) {
kanji = 0;
- *p++ = ESC;
+ *p++ = CH_ESC;
*p++ = *s++;
*p++ = *s++;
continue;
@@ -2258,7 +2272,8 @@
}
*p = *s; /* terminate string */
- strcpy(t, buf);
+ StrAllocCopy(*t, buf);
+ FREE(buf);
return 0;
}
--- lynx2-8-5/WWW/Library/Implementation/HTMIME.h.CAN-2005-3120 2003-01-22 09:43:13.000000000 +0000
+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.h 2005-10-11 12:22:27.000000000 +0100
@@ -67,21 +67,13 @@
For handling Japanese headers.
*/
-extern void HTmmdec_base64 PARAMS((
- char * t,
- char * s));
-
-extern void HTmmdec_quote PARAMS((
- char * t,
- char * s));
-
extern void HTmmdecode PARAMS((
- char * trg,
- char * str));
+ char **target,
+ char *source));
extern int HTrjis PARAMS((
- char * t,
- char * s));
+ char **target,
+ char *source));
extern int HTmaybekanji PARAMS((
int c1,
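Review bot: The switch to `char **target` changes the ownership contract of HTmmdecode and HTrjis, and the header does not document it. Both definitions finish with `StrAllocCopy(*target, ...)`, so `*target` has to be NULL or heap memory the caller owns, and the caller must `FREE` the result; decode_mime in HTNews.c additionally relies on `source` being allowed to alias the old `*target`. I would add above the prototypes: `/* *target must be NULL or malloc'd; it is replaced by a newly allocated string. source may be the old *target. */`. The definition of HTrjis in HTMIME.c still names its parameters `t` and `s`, which could be aligned with the header.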
--- lynx2-8-5/WWW/Library/Implementation/HTNews.c.CAN-2005-3120 2003-06-02 02:16:28.000000000 +0100
+++ lynx2-8-5/WWW/Library/Implementation/HTNews.c 2005-10-11 12:22:27.000000000 +0100
@@ -937,7 +937,6 @@
}
}
-#ifdef SH_EX /* for MIME */
#ifdef NEWS_DEBUG
/* for DEBUG 1997/11/07 (Fri) 17:20:16 */
void debug_print(unsigned char *p)
@@ -959,44 +958,18 @@
}
#endif
-static char *decode_mime(char *str)
+static char *decode_mime(char **str)
{
char temp[LINE_LENGTH]; /* FIXME: what determines the actual size? */
char *p, *q;
- if (str == NULL)
- return "";
-
+#ifdef SH_EX
if (HTCJK != JAPANESE)
- return str;
-
- LYstrncpy(temp, str, sizeof(temp) - 1);
- q = temp;
- while ((p = strchr(q, '=')) != 0) {
- if (p[1] == '?') {
- HTmmdecode(p, p);
- q = p + 2;
- } else {
- q = p + 1;
- }
- }
-#ifdef NEWS_DEBUG
- printf("new=[");
- debug_print(temp);
+ return *str;
#endif
- HTrjis(temp, temp);
- strcpy(str, temp);
-
- return str;
+ HTmmdecode(str, *str);
+ return HTrjis(str, *str) ? *str : "";
}
-#else /* !SH_EX */
-static char *decode_mime ARGS1(char *, str)
-{
- HTmmdecode(str, str);
- HTrjis(str, str);
- return str;
-}
-#endif
/* Read in an Article read_article
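Review bot: decode_mime loses its `if (str == NULL) return "";` guard and nothing replaces it for `*str == NULL`, while `HTmmdecode(str, *str)` begins with `strlen(source)`. In the article-list code `subject` now starts as NULL and is passed as `decode_mime(&subject)` when each entry is printed, so an article with no SUBJECT header looks like it reaches `strlen(NULL)`; the `NonNull(p)` at that call site only protects the return value. I would make `if (str == NULL || *str == NULL) return "";` the first statement. Separately, `HTrjis(str, *str) ? *str : ""` returns the empty string exactly when HTrjis has converted the text (it returns 0 on that path), which looks inverted, and `temp`, `p` and `q` are now unused.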
@@ -1084,22 +1057,22 @@
} else if (match(full_line, "SUBJECT:")) {
StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1));
- decode_mime(subject);
+ decode_mime(&subject);
} else if (match(full_line, "DATE:")) {
StrAllocCopy(date, HTStrip(strchr(full_line,':')+1));
} else if (match(full_line, "ORGANIZATION:")) {
StrAllocCopy(organization,
HTStrip(strchr(full_line,':')+1));
- decode_mime(organization);
+ decode_mime(&organization);
} else if (match(full_line, "FROM:")) {
StrAllocCopy(from, HTStrip(strchr(full_line,':')+1));
- decode_mime(from);
+ decode_mime(&from);
} else if (match(full_line, "REPLY-TO:")) {
StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1));
- decode_mime(replyto);
+ decode_mime(&replyto);
} else if (match(full_line, "NEWSGROUPS:")) {
StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1));
@@ -1708,8 +1681,8 @@
int, last_required)
{
char line[LINE_LENGTH+1];
- char author[LINE_LENGTH+1];
- char subject[LINE_LENGTH+1];
+ char *author = NULL;
+ char *subject = NULL;
char *date = NULL;
int i;
char *p;
@@ -1722,7 +1695,6 @@
int status, count, first, last; /* Response fields */
/* count is only an upper limit */
- author[0] = '\0';
START(HTML_HEAD);
PUTC('\n');
START(HTML_TITLE);
@@ -1943,8 +1915,8 @@
case 'S':
case 's':
if (match(line, "SUBJECT:")) {
- LYstrncpy(subject, line+9, sizeof(subject)-1);/* Save subject */
- decode_mime(subject);
+ StrAllocCopy(subject, line + 9);
+ decode_mime(&subject);
}
break;
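Review bot: `StrAllocCopy(subject, line + 9)` assumes at least one character follows the colon. If the reader can deliver a line that is exactly `SUBJECT:`, the copy starts past the terminator and picks up whatever an earlier line left in `line`. The offset predates this patch, but a check such as `if (line[8] != '\0')` before the copy would keep the read inside the current header; the FROM branch avoids the fixed offset by using `strchr(line, ':') + 1`.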
@@ -1961,10 +1933,8 @@
case 'F':
if (match(line, "FROM:")) {
char * p2;
- LYstrncpy(author,
- author_name(strchr(line,':')+1),
- sizeof(author)-1);
- decode_mime(author);
+ StrAllocCopy(author, strchr(line, ':') + 1);
+ decode_mime(&author);
p2 = author + strlen(author) - 1;
if (*p2==LF)
*p2 = '\0'; /* Chop off newline */
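Review bot: `p2 = author + strlen(author) - 1` points one byte before the allocation when `author` is empty, and `*p2 == LF` then reads outside it. `author` is now an exact-size heap copy of whatever follows the colon, so a header with nothing after `FROM:` (no trailing LF) would hit this. I would guard it: `if (*author != '\0') { p2 = author + strlen(author) - 1; if (*p2 == LF) *p2 = '\0'; }`. The hunk also drops the `author_name()` call, so the full From value is displayed rather than the extracted name; if that is intended, a one-line comment saying so would help.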
@@ -1985,11 +1955,8 @@
PUTC('\n');
START(HTML_LI);
-#ifdef SH_EX /* for MIME */
- HTSprintf0(&temp, "\"%s\"", decode_mime(subject));
-#else
- HTSprintf0(&temp, "\"%s\"", subject);
-#endif
+ p = decode_mime(&subject);
+ HTSprintf0(&temp, "\"%s\"", NonNull(p));
if (reference) {
write_anchor(temp, reference);
FREE(reference);
@@ -1998,18 +1965,14 @@
}
FREE(temp);
- if (author[0] != '\0') {
+ if (author != NULL) {
PUTS(" - ");
if (LYListNewsDates)
START(HTML_I);
-#ifdef SH_EX /* for MIME */
- PUTS(decode_mime(author));
-#else
- PUTS(author);
-#endif
+ PUTS(decode_mime(&author));
if (LYListNewsDates)
END(HTML_I);
- author[0] = '\0';
+ FREE(author);
}
if (date) {
if (!diagnostic) {
@@ -2052,6 +2015,8 @@
MAYBE_END(HTML_LI);
} /* Handle response to HEAD request */
} /* Loop over article */
+ FREE(author);
+ FREE(subject);
} /* If read headers */
PUTC('\n');
if (LYListNewsNumbers)
--- lynx2-8-5/CHANGES.CAN-2005-3120 2003-06-02 02:16:28.000000000 +0100
+++ lynx2-8-5/CHANGES 2005-10-11 12:22:27.000000000 +0100
@@ -1,5 +1,7 @@
Changes since Lynx 2.8 release
===============================================================================
+* eliminate fixed-size buffers in HTrjis() and related functions to avoid
+ potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
2003-06-01 (2.8.5dev.16)
+ add zh_CN.po from
Index: lynx.spec
===================================================================
RCS file: /cvs/dist/rpms/lynx/FC-3/lynx.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- lynx.spec 9 Sep 2004 08:10:32 -0000 1.20
+++ lynx.spec 17 Oct 2005 09:51:32 -0000 1.21
@@ -1,7 +1,7 @@
Summary: A text-based Web browser.
Name: lynx
Version: 2.8.5
-Release: 18
+Release: 18.0.1
License: GPL
Group: Applications/Internet
Source: http://lynx.isc.org/current/lynx2.8.5dev.16.tar.bz2
@@ -11,6 +11,7 @@
URL: http://lynx.isc.org/
Patch0: lynx-2.8.4-redhat.patch
Patch2: lynx-284-i18ncfg.patch
+Patch3: lynx-CAN-2005-3120.patch
Requires: indexhtml
Provides: webclient
BuildRequires: openssl-devel, pkgconfig, ncurses-devel >= 5.3-5, slang-devel, zlib-devel
@@ -26,6 +27,7 @@
%setup -q -n lynx2-8-5
%patch0 -p1 -b .redhat
%patch2 -p1 -b .i18ncfg
+%patch3 -p1 -b .CAN-2005-3120
perl -pi -e "s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g" lynx.cfg
perl -pi -e "s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://www.google.com/,g" lynx.cfg
@@ -99,6 +101,9 @@
%lang(sk) %config %{_sysconfdir}/lynx.cfg.sk
%changelog
+* Tue Oct 11 2005 Tim Waugh <twaugh at redhat.com> 2.8.5-18.0.1
+- Apply patch to fix CAN-2005-3120 (bug #170253).
+
* Thu Jul 8 2004 Tim Waugh <twaugh at redhat.com> 2.8.5-18
- Removed perl dependencies (bug #127423).