[sword-devel] installmgr (and xiphos) crashes (svn 2831)

Jaak Ristioja jaak at ristioja.ee
Wed Jun 26 06:12:04 MST 2013


This might not be directly related, but looking at curlhttpt.cpp, the
line:

  sprintf(possibleName, "%.*s", possibleNameLength, pBuf);

is a potential buffer overflow, because the possibleName buffer is 400
bytes, but possibleNameLength is not checked to be < 400. So the
server might cause a buffer overflow. Imho this is a security issue.

Looking at the quality of this code, I'm not surprised.

Blessings,
Jaak

On 26.06.2013 15:51, Mark Trompell wrote:
> I'm trying to access a http repository
> (http://marktrompell.de/sword/) installmgr -r works fine, -rl too
> but installmgr segfaults on -ri Same for Xiphos, I can refresh and
> see what modules are there, but it crashes when I try to install. 
> Probably the repository isn't properly setup, but nevertheless
> sword shouldn't crash. Attaching 2 backtraces, one from installmgr
> and the other one from xiphos.
> 
> Blessings Mark -- Mark Trompell
> 
> Foresight Linux Xfce Edition Cause your desktop should be freaking
> cool (and Xfce)

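The length check the message above says is missing, written out as an added example (not code from SWORD or from the original post). The helper name `copy_name_checked` and the sample inputs are constructed; only the 400-byte buffer size and the `%.*s` format come from the post.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 400   /* size of possibleName as stated in the post */

/* Hypothetical helper: copy a server-supplied field of len bytes (not
 * necessarily NUL-terminated) into dst.
 * Returns 0 on success, -1 if the field is rejected. */
static int copy_name_checked(char *dst, size_t dst_size,
                             const char *src, int len)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';                  /* leave a defined value on failure */
    /* A negative precision given to "%.*s" is treated as if no precision
     * were given, so the copy would run until the next NUL byte. */
    if (src == NULL || len < 0)
        return -1;
    /* Reject instead of truncating: a cut-off name is a different name. */
    if ((size_t)len >= dst_size)
        return -1;
    /* snprintf writes at most dst_size bytes, terminator included. */
    int n = snprintf(dst, dst_size, "%.*s", len, src);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

int main(void)
{
    char possibleName[NAME_BUF_SIZE];
    char body[1000];                /* constructed oversized server field */
    memset(body, 'A', sizeof body);

    printf("len 399 -> %d\n",
           copy_name_checked(possibleName, sizeof possibleName, body, 399));
    printf("len 400 -> %d\n",
           copy_name_checked(possibleName, sizeof possibleName, body, 400));
    printf("len -1  -> %d\n",
           copy_name_checked(possibleName, sizeof possibleName, body, -1));
    return 0;
}
```

With the original `sprintf` call, the 400-byte and negative-length inputs would both write past the end of `possibleName`.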
