[sword-devel] installmgr (and xiphos) crashes (svn 2831)

Jaak Ristioja jaak at ristioja.ee
Thu Jun 27 13:33:20 MST 2013



Patch for pointer dereference issue:

https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/1b8ab91ff994c8584d6c61cb7d334273732d8216

Patch for buffer overflow:

https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/4a261b27a7bec9d9300da6c357666a3851f3d34e

There you go! Took me half an hour.

Blessings,
Jaak

On 27.06.2013 22:41, Mark Trompell wrote:
> I see. I'll try to come up with a better patch on Monday. I won't
> have time earlier.
>
> Blessings
> Mark
>
> --- Original message ---
> From: Jaak Ristioja
> Sent: 27.06.2013, 16:15
> To: sword-devel at crosswire.org
> Subject: Re: [sword-devel] installmgr (and xiphos) crashes (svn 2831)
> 
> 
> I think you only fixed pBuf not being set to NULL prematurely. But
> this:
> 
> memset(possibleName, 0, 400);
> 
> doesn't help. The sprintf function always writes a terminating \0 
> character. The problem is not that a \0 character is not written, 
> because it is written (unless a memory error occurs first). The 
> problem is that if possibleNameLength > 399 then it writes the 
> characters (including the terminating \0 character) past the end
> of the possibleName buffer, corrupting memory, potentially outside
> of the virtual address space of the program (usually triggering the
> OS to kill the process with a segfault or something).
> 
> The memset call is not needed, but it should be checked that 
> possibleNameLength < 400 (strictly "less-than"). Otherwise
> 
> sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
> 
> is a security vulnerability. I wonder whether a CVE is required.
> 
> 
> Blessings, Jaak
> 
>  On 27.06.2013 14:45, Mark Trompell wrote:
>> Sending again with tabs instead of blanks in the first hunk
> 
>> On Thu, Jun 27, 2013 at 1:17 PM, Mark Trompell 
>> <mark at foresightlinux.org> wrote:
>>> I just fixed it :). Attached patch will initialize
>>> possibleNames with 0 bytes to make sure we always have the name
>>> 0-terminated properly. And it will move the pBuf=pBufRes into
>>> the check for ifBufRes != NULL, in case no filesize is found
>>> (because another apache displays it differently).
>>> Shouldn't break existing setups.
> 
> 
> 
> 
>> _______________________________________________ sword-devel 
>> mailing list: sword-devel at crosswire.org 
>> http://www.crosswire.org/mailman/listinfo/sword-devel
>> Instructions to unsubscribe/change your settings at above page
> 
> 
> 
> 
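A hardened form of the sprintf call discussed in the thread, written here as an added example (it is not one of the linked patches nor code from the SWORD project). The 400-byte buffer and the names possibleName, pBuf and possibleNameLength are taken from the thread; the listing input is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed-size possibleName buffer discussed in the thread. */
#define POSSIBLE_NAME_SIZE 400

/* Hardened replacement for
 *     sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
 * A memset of the buffer does not help: sprintf always writes the '\0',
 * and the overflow happens when possibleNameLength > size - 1. So the
 * length is checked before formatting (strictly less than size), and
 * snprintf enforces the bound regardless. Returns true when the name was
 * copied, false when it was rejected (possibleName is then empty). */
static bool copy_possible_name(char *possibleName, size_t size,
                               const char *pBuf, size_t possibleNameLength)
{
    if (size == 0) return false;
    if (possibleNameLength >= size) {   /* no room for the terminating '\0' */
        possibleName[0] = '\0';
        return false;
    }
    int n = snprintf(possibleName, size, "%.*s", (int)possibleNameLength, pBuf);
    return n >= 0 && (size_t)n < size;
}

/* Constructed input: a run of 'a' bytes with no terminator inside, like a
 * name sliced out of a larger directory-listing buffer. Returns the length
 * of possibleName after the copy, or -1 when the copy was rejected. */
int try_name_of_length(size_t possibleNameLength)
{
    static char listing[1024];
    memset(listing, 'a', sizeof listing);   /* deliberately not NUL-terminated */
    char possibleName[POSSIBLE_NAME_SIZE];
    if (possibleNameLength > sizeof listing) return -1;
    if (!copy_possible_name(possibleName, sizeof possibleName,
                            listing, possibleNameLength))
        return -1;
    return (int)strlen(possibleName);
}

int main(void)
{
    printf("399 -> %d\n", try_name_of_length(399));  /* fits: 399 */
    printf("400 -> %d\n", try_name_of_length(400));  /* rejected: -1 */
    return 0;
}
```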
