Your message dated Wed, 05 Mar 2008 22:47:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#464173: fixed in libxml2 2.6.31.dfsg-2
has caused the Debian Bug report #464173,
regarding libxml2: xmlNanoHTTPMethod receive a SIGSEGV connecting to a port != 80
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
464173: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464173
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libxml2
Version: 2.6.31.dfsg-1
Severity: important

If you try to use xmlNanoHTTPMethod with a URL containing a port different from 80, a buffer overflow can cause a SIGSEGV. I found the bug using the nd utility to connect to a local zope server. Building both nd and libxml2 without optimization, with debug symbols and linking with efence, the gdb backtrace is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c006b0 (LWP 8415)]
0xb7cbab91 in vsnprintf () from /lib/libc.so.6
(gdb) bt
#0  0xb7cbab91 in vsnprintf () from /lib/libc.so.6
#1  0xb7c9f2d5 in snprintf () from /lib/libc.so.6
#2  0xb7e4f065 in xmlNanoHTTPMethodRedir__internal_alias (URL=0xbf84e886 "http://localhost:1980/a/test-1", method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8, redir=0x0, headers=0x0, ilen=0) at nanohttp.c:1388
#3  0xb7e4f75c in xmlNanoHTTPMethod__internal_alias (URL=0xbf84e886 "http://localhost:1980/a/test-1", method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8, headers=0x0, ilen=0) at nanohttp.c:1519
#4  0x08049dad in ndHTTPMethod (URL=0xbf84e886 "http://localhost:1980/a/test-1", auth=0xb7b01ff0, method=0x804e564 "GET", input=0x0, contentType=0xbf84c1a8, headers=0x0, ilen=0) at nd.c:383
#5  0x0804bd93 in ndGetPrint (url=0xbf84e886 "http://localhost:1980/a/test-1", auth=0xb7b01ff0, ct_return=0xbf84c604, outfp=0xb7da14e0) at nd.c:1469
#6  0x0804d709 in main (argc=2, argv=0xbf84c754) at main.c:385

The bug is in nanohttp.c, lines 1367-1374:

1367     if (ctxt->port == 80) {
1368         p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s\r\n",
1369                        ctxt->hostname);
1370     } else {
1371         p += snprintf( p, blen - (p - bp), " HTTP/1.0\r\nHost: %s:%d\r\n",
1372                        ctxt->hostname, ctxt->port);
1373     }

The bp buffer is not large enough to also store the ":%d" fmt for the port specification (in the "else" block).

You should probably change line 1338

1338     blen += strlen(method) + strlen(ctxt->path) + 24;

with something like:

         blen += strlen(method) + strlen(ctxt->path) + 30;

or check the number of digits needed to store also the port number, or whatever...

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'stable'), (300, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22.9-mactel (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libxml2 depends on:
ii  libc6   2.7-6              GNU C Library: Shared libraries
ii  zlib1g  1:1.2.3.3.dfsg-11  compression library - runtime

Versions of packages libxml2 recommends:
ii  xml-core  0.11  XML infrastructure and XML catalog

-- no debconf information
--- End Message ---
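The report above points at two things a reviewer of this kind of code wants to see together: a size budget that forgets the ":%d" port suffix, and the `p += snprintf(p, blen - (p - bp), ...)` idiom that turns a one-byte shortfall into an unbounded write, because snprintf returns the length the text would have had, not what it stored, so the cursor runs past the buffer and the next `blen - (p - bp)` wraps to a huge size_t. The following is an added example written for this page, modelling that request-building pattern; it is not libxml2's nanohttp.c and the `reqbuf` helper, `request_size_needed`, `build_request` and `unsafe_next_bound` are names chosen here. It sizes the Host header by counting the port digits, appends with a cursor that never advances past what was stored, and computes (without performing) the wrapped bound the unsafe pattern would hand to the next snprintf.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the request builder quoted in the bug report
 * (example code, not libxml2's).  A bounded appender whose cursor only
 * moves by what vsnprintf actually stored, so the "remaining space"
 * arithmetic can never go negative. */
struct reqbuf {
    char  *bp;        /* start of the buffer */
    size_t blen;      /* capacity in bytes, including the NUL */
    size_t used;      /* bytes stored so far, always < blen */
    int    overflow;  /* set once any append did not fit */
};

static void reqbuf_init(struct reqbuf *rb, char *storage, size_t cap)
{
    rb->bp = storage;
    rb->blen = cap;
    rb->used = 0;
    rb->overflow = 0;
    if (cap)
        storage[0] = '\0';
}

/* Returns 1 if the formatted text fit, 0 if it was truncated.  On
 * truncation the cursor is parked at the terminating NUL, not advanced
 * by the would-be length as `p += snprintf(...)` does. */
static int reqbuf_appendf(struct reqbuf *rb, const char *fmt, ...)
{
    va_list ap;
    size_t remaining = rb->blen - rb->used;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(rb->bp + rb->used, remaining, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= remaining) {
        rb->overflow = 1;
        rb->used = rb->blen ? rb->blen - 1 : 0;
        return 0;
    }
    rb->used += (size_t)n;
    return 1;
}

/* Exact bytes for "<method> <path> HTTP/1.0\r\nHost: <host>[:<port>]\r\n"
 * plus the NUL; the port digits are counted, not guessed as fixed slack. */
static size_t request_size_needed(const char *method, const char *path,
                                  const char *host, int port)
{
    size_t n = strlen(method) + 1 + strlen(path)
             + strlen(" HTTP/1.0\r\nHost: ") + strlen(host)
             + strlen("\r\n") + 1;
    if (port != 80)
        n += 1 + (size_t)snprintf(NULL, 0, "%d", port);  /* ":<port>" */
    return n;
}

/* Builds the request head into out[cap].  Returns bytes written (without
 * the NUL) or -1 if cap was too small; never writes beyond cap. */
static int build_request(char *out, size_t cap, const char *method,
                         const char *path, const char *host, int port)
{
    struct reqbuf rb;
    reqbuf_init(&rb, out, cap);
    reqbuf_appendf(&rb, "%s %s", method, path);
    if (port == 80)
        reqbuf_appendf(&rb, " HTTP/1.0\r\nHost: %s\r\n", host);
    else
        reqbuf_appendf(&rb, " HTTP/1.0\r\nHost: %s:%d\r\n", host, port);
    return rb.overflow ? -1 : (int)rb.used;
}

/* The unsafe pattern's arithmetic, without the out-of-bounds write: the
 * size the NEXT snprintf would receive after a Host line that did not fit
 * in blen bytes.  A result larger than blen means the bound wrapped. */
static size_t unsafe_next_bound(size_t blen, const char *host, int port)
{
    int n = snprintf(NULL, 0, " HTTP/1.0\r\nHost: %s:%d\r\n", host, port);
    size_t cursor = (size_t)n;   /* p += n, although only blen-1 bytes fit */
    return blen - cursor;        /* blen - (p - bp), now wrapped */
}

int main(void)
{
    char buf[64];
    int len = build_request(buf, sizeof buf, "GET", "/a/test-1", "localhost", 1980);
    printf("need %zu bytes, wrote %d:\n%s",
           request_size_needed("GET", "/a/test-1", "localhost", 1980), len, buf);
    printf("unsafe pattern, 16-byte buffer, bound passed to next snprintf: %zu\n",
           unsafe_next_bound(16, "localhost", 1980));
    return 0;
}
```

The Debian changelog below records the actual fix as allocating enough memory for the Host header when it carries a port; checking the snprintf return value against the remaining space is the companion defence, since a correct size budget stops the truncation and a checked append stops a truncation from becoming an overflow.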
--- Begin Message ---
Source: libxml2
Source-Version: 2.6.31.dfsg-2

We believe that the bug you reported is fixed in the latest version of libxml2, which is due to be installed in the Debian FTP archive:

libxml2-dbg_2.6.31.dfsg-2_amd64.deb
  to pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2_amd64.deb
libxml2-dev_2.6.31.dfsg-2_amd64.deb
  to pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2_amd64.deb
libxml2-doc_2.6.31.dfsg-2_all.deb
  to pool/main/libx/libxml2/libxml2-doc_2.6.31.dfsg-2_all.deb
libxml2-utils_2.6.31.dfsg-2_amd64.deb
  to pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2_amd64.deb
libxml2_2.6.31.dfsg-2.diff.gz
  to pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2.diff.gz
libxml2_2.6.31.dfsg-2.dsc
  to pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2.dsc
libxml2_2.6.31.dfsg-2_amd64.deb
  to pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2_amd64.deb
python-libxml2_2.6.31.dfsg-2_amd64.deb
  to pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <[EMAIL PROTECTED]> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 05 Mar 2008 23:42:37 +0100
Source: libxml2
Binary: libxml2 libxml2-utils libxml2-dev libxml2-dbg libxml2-doc python-libxml2
Architecture: source all amd64
Version: 2.6.31.dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian XML/SGML Group <[EMAIL PROTECTED]>
Changed-By: Mike Hommey <[EMAIL PROTECTED]>
Description:
 libxml2        - GNOME XML library
 libxml2-dbg    - Debugging symbols for the GNOME XML library
 libxml2-dev    - Development files for the GNOME XML library
 libxml2-doc    - Documentation for the GNOME XML library
 libxml2-utils  - XML utilities
 python-libxml2 - Python bindings for the GNOME XML library
Closes: 442656 456653 464173
Changes:
 libxml2 (2.6.31.dfsg-2) unstable; urgency=low
 .
   * debian/rules: Brown paper bag: uncomment $(MAKE) distclean. Closes: #442656.
   * xstc/Makefile.am, xstc/Makefile.in: Properly clean generated files.
   * nanohttp.c: Apply fix from svn revision 3685 to allocate enough memory
     for the Host HTTP header when containing a port number. Closes: #464173.
   * error.c: Don't grow error buffer indefinitely when vsnprintf returns -1,
     which, if it happens, on glibc-based systems, will happen indefinitely.
     Closes: #456653.
Files:
 092234e0b58e98876a34ac0a08dc0094 912 libs optional libxml2_2.6.31.dfsg-2.dsc
 a64744552780da21d65ef442c4a0e17a 63024 libs optional libxml2_2.6.31.dfsg-2.diff.gz
 7a5584410049ddaeefed52edc6ebd37c 1336674 doc optional libxml2-doc_2.6.31.dfsg-2_all.deb
 8622ef16ea5a7f773cc099318bf2c1e1 827504 libs optional libxml2_2.6.31.dfsg-2_amd64.deb
 b3773e98dc85d5f4c13c7b6b79b96148 36718 text optional libxml2-utils_2.6.31.dfsg-2_amd64.deb
 b1b19834f4889a50f77eeb34e4cbe966 748286 libdevel optional libxml2-dev_2.6.31.dfsg-2_amd64.deb
 05ab7b8dde3e55c46a797c3065bc67f1 936554 libdevel extra libxml2-dbg_2.6.31.dfsg-2_amd64.deb
 30eee6c0cb948b62e4ad45ad6481b906 293768 python optional python-libxml2_2.6.31.dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHzyLn3kvaLFT9KlgRAjwoAJ45e85aINz9hnEp25HGNE9vl/gJxwCfdMa2
E9RLhS6QW8ZaNOQ2E6J+DlU=
=jRT0
-----END PGP SIGNATURE-----
--- End Message ---

