Hi,
At Thu, 21 Jun 2001 15:29:26 +0200,
Peter Poeml wrote:
> On the Japanese list there was the mail [w3m-dev 02066] from Akinori Ito
> which described a buffer overrun vulnerability that allows arbitrary
> code to be executed in the browser by a malformed URL, or could lead to a
> segfault.
>
> In another mail [02067], as far as I can tell (a friend translated it
> for me), Kiyokazu SUTO suggested a 'cleanup' or something of the patch,
> regarding the *p variable.
>
> This is the patch:
>
> --- mimehead.c.org Thu Jun 14 19:40:37 2001
> +++ mimehead.c Thu Jun 14 19:46:26 2001
> @@ -166,21 +166,21 @@
> Str
> decodeWord(char **ow)
> {
> - char charset[32];
> char *p, *w = *ow;
> char method;
> Str a = Strnew();
> + Str charset = Strnew();
>
> if (*w != '=' || *(w + 1) != '?')
> goto convert_fail;
> w += 2;
> - for (p = charset; *w != '?'; w++) {
> + for (; *w != '?'; w++) {
> if (*w == '\0')
> goto convert_fail;
> - *(p++) = *w;
> + Strcat_char(charset,*w);
> }
> *p = '\0';
> - if (strcasecmp(charset, J_CHARSET) != 0) {
> + if (Strcasecmp_charp(charset, J_CHARSET) != 0) {
> /* NOT ISO-2022-JP encoding ... don't convert */
> goto convert_fail;
> }
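Review bot: the `*p = '\0';` kept after the loop now writes through an uninitialized pointer: the `for (p = charset; ...)` initialisation became `for (; ...)` and nothing else in the hunk assigns p before that line, and since charset is now a Str filled by Strcat_char the terminator has no job anyway, so delete that line (the hunk would then be `-166,21 +166,20`). The overrun itself is gone: the old loop copied into `char charset[32]` bounded only by the next '?' or NUL in attacker-controlled input, whereas Strcat_char grows the string as needed.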
>
>
> Can you tell me if this patch is appropriate as is, or if something
> needs to be done? I'd like to provide a security update for all
> distributions of SuSE Linux as soon as possible.
With this patch, the *p = '\0' before the strcasecmp/Strcasecmp_charp line
would cause an error/segfault or so, because p is not initialized at
this point, so it will write '\0' to a random memory address.
In [02067], Kiyokazu SUTO said this "*p = '\0'" line should be removed
from here.
So, the patch will be:
--- mimehead.c.orig Wed Jun 20 01:40:37 2001
+++ mimehead.c Wed Jun 20 01:41:41 2001
@@ -166,21 +166,20 @@
Str
decodeWord(char **ow)
{
- char charset[32];
char *p, *w = *ow;
char method;
Str a = Strnew();
+ Str charset = Strnew();
if (*w != '=' || *(w + 1) != '?')
goto convert_fail;
w += 2;
- for (p = charset; *w != '?'; w++) {
+ for (; *w != '?'; w++) {
if (*w == '\0')
goto convert_fail;
- *(p++) = *w;
+ Strcat_char(charset,*w);
}
- *p = '\0';
- if (strcasecmp(charset, J_CHARSET) != 0) {
+ if (Strcasecmp_charp(charset, J_CHARSET) != 0) {
/* NOT ISO-2022-JP encoding ... don't convert */
goto convert_fail;
}
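Review bot: p is still declared in `char *p, *w = *ow;` but, with both `for (p = charset; ...)` and `*p = '\0';` gone, nothing in this hunk uses it any more; if the rest of decodeWord() does not use it either, drop it from the declaration so the build stays warning-free. Also, as shown here the old side of the hunk has only 20 lines (the blank context line between `Str charset = Strnew();` and the `if` that the first version of the patch shows is missing), while the header says `-166,21`; check that the committed patch still applies cleanly.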
This patch is included in w3m 0.2.1-4.deb's source package.
Regards,
Fumitoshi UKAI
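The overrun discussed in this thread, as an added example that is not w3m's code and not part of the original mails: the "=?charset?" prefix scan of decodeWord() reimplemented with the original fixed 32-byte stack buffer (now bounds-checked) and with a growable buffer in the spirit of the patch's Strcat_char, plus a function that computes, without performing it, how many bytes the unchecked original loop would have written for a given input. The value of J_CHARSET ("ISO-2022-JP"), the replacement of w3m's Str API by malloc/realloc, and the input strings are all assumptions or constructions of this example.

```c
/* Added example, not w3m's code.  Assumed: J_CHARSET's value (the patch
 * only shows the macro name; its comment says ISO-2022-JP) and plain
 * malloc/realloc in place of w3m's Str API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define J_CHARSET "ISO-2022-JP"   /* assumed value */
#define ORIG_CHARSET_CAP 32       /* size of the original char charset[32] */

enum scan_result { SCAN_OK, SCAN_NOT_ENCODED_WORD, SCAN_TOO_LONG, SCAN_WRONG_CHARSET };

/* Bytes the original, unchecked loop would store into charset[32]: every
 * byte up to the closing '?' plus the '\0' from "*p = '\0'", or, when the
 * input ends first, the bytes copied before the goto convert_fail.
 * Computed, never performed, so it is safe on hostile input; a result
 * above ORIG_CHARSET_CAP means the original overran its stack buffer. */
size_t unchecked_write_len(const char *w)
{
    const char *q;
    if (w[0] != '=' || w[1] != '?')
        return 0;
    for (q = w + 2; *q != '?'; q++)
        if (*q == '\0')
            return (size_t)(q - (w + 2));
    return (size_t)(q - (w + 2)) + 1;
}

/* Minimal fix: keep a fixed buffer but refuse names that do not fit. */
enum scan_result scan_charset_bounded(const char *w, char *charset, size_t cap)
{
    size_t n = 0;
    if (w[0] != '=' || w[1] != '?')
        return SCAN_NOT_ENCODED_WORD;
    for (w += 2; *w != '?'; w++) {
        if (*w == '\0')
            return SCAN_NOT_ENCODED_WORD;
        if (n + 1 >= cap)             /* keep room for the terminator */
            return SCAN_TOO_LONG;
        charset[n++] = *w;
    }
    charset[n] = '\0';
    return strcasecmp(charset, J_CHARSET) == 0 ? SCAN_OK : SCAN_WRONG_CHARSET;
}

/* Same stack buffer size as the original decodeWord(), now bounds-checked. */
enum scan_result scan_into_orig_buffer(const char *w)
{
    char charset[ORIG_CHARSET_CAP];
    return scan_charset_bounded(w, charset, sizeof charset);
}

/* The patch's approach: a buffer that grows with the input (Strcat_char in
 * w3m, realloc here), so no charset length can overrun it.  If out is
 * non-NULL the caller owns and frees *out. */
enum scan_result scan_charset_dynamic(const char *w, char **out)
{
    size_t n = 0, cap = 16;
    char *buf, *grown;
    enum scan_result r;
    if (w[0] != '=' || w[1] != '?')
        return SCAN_NOT_ENCODED_WORD;
    if ((buf = malloc(cap)) == NULL)
        return SCAN_NOT_ENCODED_WORD;
    for (w += 2; *w != '?'; w++) {
        if (*w == '\0') { free(buf); return SCAN_NOT_ENCODED_WORD; }
        if (n + 1 >= cap) {           /* grow before the buffer fills up */
            if ((grown = realloc(buf, cap * 2)) == NULL) { free(buf); return SCAN_NOT_ENCODED_WORD; }
            buf = grown;
            cap *= 2;
        }
        buf[n++] = *w;
    }
    buf[n] = '\0';
    r = strcasecmp(buf, J_CHARSET) == 0 ? SCAN_OK : SCAN_WRONG_CHARSET;
    if (out) *out = buf; else free(buf);
    return r;
}

/* Constructed hostile input: "=?" + name_len 'A's + "?B?QQ==?=", an RFC 2047
 * encoded word with a charset name of any length we choose.  Caller frees. */
char *build_encoded_word(size_t name_len)
{
    const char tail[] = "?B?QQ==?=";
    char *w = malloc(2 + name_len + sizeof tail);
    if (!w) return NULL;
    memcpy(w, "=?", 2);
    memset(w + 2, 'A', name_len);
    memcpy(w + 2 + name_len, tail, sizeof tail);
    return w;
}

int main(void)
{
    const char *good = "=?iso-2022-jp?B?QQ==?=";   /* constructed, well-formed */
    char *bad = build_encoded_word(64);            /* constructed, 64-byte charset name */
    printf("good: unchecked would write %zu bytes; bounded=%d dynamic=%d\n",
           unchecked_write_len(good), scan_into_orig_buffer(good), scan_charset_dynamic(good, NULL));
    printf("bad:  unchecked would write %zu bytes into %d; bounded=%d dynamic=%d\n",
           unchecked_write_len(bad), ORIG_CHARSET_CAP, scan_into_orig_buffer(bad), scan_charset_dynamic(bad, NULL));
    free(bad);
    return 0;
}
```

A charset name of 31 bytes still fits the original buffer exactly (31 bytes plus the terminator); from 32 bytes upward the unchecked loop writes past charset[32], which is the condition the bounded version reports as SCAN_TOO_LONG and the growable version simply absorbs.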