
Date:  Thu, 21 Jun 2001 23:22:16 +0200
From:  Peter Poeml <poeml@suse.de>
Subject:  [w3m-dev-en 00538] Re: mime header decode vulnerability
To:  w3m-dev-en@mi.med.tohoku.ac.jp
Message-Id:  <20010621232215.F29398@suse.de>
In-Reply-To:  <87g0ctmzac.wl@mistral.ukai.org>; from ukai@debian.or.jp on Fri, Jun 22, 2001 at 04:02:51AM +0900
References:  <20010621152925.W29398@suse.de> <87g0ctmzac.wl@mistral.ukai.org>
X-Mail-Count: 00538

On Fri, Jun 22, 2001 at 04:02:51AM +0900, Fumitoshi UKAI wrote:
> Hi,

Hi, 

> At Thu, 21 Jun 2001 15:29:26 +0200,
> Peter Poeml wrote:
> 
> > on the Japanese list there was the mail [w3m-dev 02066] from Akinori Ito
> > which described a buffer overrun vulnerability that allows arbitrary
> > code to be executed in the browser by a malformed URL, or could lead to a
> > segfault. 
> > 
> > In another mail [02067], as far as I can tell (a friend translated it
> > for me), Kiyokazu SUTO suggested a 'cleanup' or something of the patch,
> > regarding the *p variable. 
> 
> With this patch, *p = '\0' before strcasecmp/Strcasecmp_charp line
> would cause error/segfault or so, because p is not initialized at 
> this point, so it will write '\0' in random memory address.
> In [02067], Kiyokazu SUTO said this "*p = '\0'" line should be removed
> from here.
> 
> So, the patch will be:
 
[...]
 
> This patch is included in w3m 0.2.1-4.deb's source package.
> 
> Regards,
> Fumitoshi UKAI

Thanks very much for your help. 

Peter

-- 
Peter Poeml
poeml@suse.de
-------------------------------------------------------------------------------
VFS: Busy inodes after unmount. Self-destruct in 5 seconds.  Have a nice day...
    
