Bug#326767: Failure to use return value from realloc (!)

2005-09-26 Thread Noèl Köthe
On Monday, 05.09.2005, 16:41 +0100, Ian Jackson wrote:

> In http://bugzilla.ubuntu.com/show_bug.cgi?id=12604 a user reported a
> problem with Ubuntu's version of wget which examination of the Debian
> source shows is present there too.
> 
> Basically, three calls to xrealloc do not update the variable used to
> remember where the buffer is, which obviously breaks (and may be a
> security problem) if xrealloc moves the buffer.
> 
>  $ find wget-1.9.1 -name '*.[ch]' | xargs grep 'realloc (dest'
>  wget-1.9.1/src/log.c:   xrealloc (dest, (len *= 2 + MB_CUR_MAX));
>  wget-1.9.1/src/log.c:   xrealloc (dest, (len *= 2 + 4 * MB_CUR_MAX));
>  wget-1.9.1/src/log.c:   xrealloc (dest, (j + MB_CUR_MAX));
> 
> Note that this is in wget-1.9.1-12 after debian/rules build.  The bug
> was introduced in a security patch.  wget-1.10 does not have the same
> problem because it doesn't need the same security patch.
> 
> The patch I applied to the Ubuntu package is enclosed for your comfort
> and convenience.

thx for your report.
I talked to Debian security and the stable release manager and asked if
this is a security problem for Debian but the answer was:

"From a first glance I'd say no unless somebody proves otherwise."

-- 
Noèl Köthe 
Debian GNU/Linux, www.debian.org




Bug#326767: Failure to use return value from realloc (!)

2005-09-05 Thread Ian Jackson
Package: wget
Version: 1.9.1-12
Severity: grave

In http://bugzilla.ubuntu.com/show_bug.cgi?id=12604 a user reported a
problem with Ubuntu's version of wget which examination of the Debian
source shows is present there too.

Basically, three calls to xrealloc do not update the variable used to
remember where the buffer is, which obviously breaks (and may be a
security problem) if xrealloc moves the buffer.

 $ find wget-1.9.1 -name '*.[ch]' | xargs grep 'realloc (dest'
 wget-1.9.1/src/log.c:   xrealloc (dest, (len *= 2 + MB_CUR_MAX));
 wget-1.9.1/src/log.c:   xrealloc (dest, (len *= 2 + 4 * MB_CUR_MAX));
 wget-1.9.1/src/log.c:   xrealloc (dest, (j + MB_CUR_MAX));

Note that this is in wget-1.9.1-12 after debian/rules build.  The bug
was introduced in a security patch.  wget-1.10 does not have the same
problem because it doesn't need the same security patch.

The patch I applied to the Ubuntu package is enclosed for your comfort
and convenience.

Thanks,
Ian.

diff -u wget-1.9.1/debian/changelog wget-1.9.1/debian/changelog
--- wget-1.9.1/debian/changelog
+++ wget-1.9.1/debian/changelog
@@ -1,3 +1,11 @@
+wget (1.9.1-10ubuntu2.2) hoary-security; urgency=low
+
+  * Fix for broken use of realloc in security update in
+wget-filter-controls.patch.v3--multibyte-aware patch.
+Fixes ubuntu bug 12604.
+
+ -- Ian Jackson <[EMAIL PROTECTED]>  Mon,  5 Sep 2005 16:21:42 +0100
+
 wget (1.9.1-10ubuntu2.1) hoary-security; urgency=low
 
   * SECURITY UPDATE: Fix arbitrary file overwriting and code execution.
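Review bot: the changelog entry describes the problem only as "broken use of realloc"; since this amends a security update, say what was actually wrong, e.g. "three xrealloc calls in escape_buffer discarded the returned pointer, so dest pointed at freed memory whenever the buffer moved", so that anyone triaging the earlier update can judge its impact from the changelog alone.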
diff -u 
wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware 
wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware
--- wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware
+++ wget-1.9.1/debian/patches/wget-filter-controls.patch.v3--multibyte-aware
@@ -101,7 +101,7 @@
 -  dest[j++] = c;
 +  } else if (iswprint(c) || iswblank(c) || c == L'\n') {
 +  if (len - j < MB_CUR_MAX)
-+  xrealloc (dest, (len *= 2 + MB_CUR_MAX));
++  dest = xrealloc (dest, (len *= 2 + MB_CUR_MAX));
 +  j += wctomb (dest + j, c);
} else {
 -  dest[j++] = '\\';
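Review bot: storing the return value (`dest = xrealloc (dest, ...)`) is the right fix here, but the size expression it wraps still reads oddly: `len *= 2 + MB_CUR_MAX` parses as `len *= (2 + MB_CUR_MAX)`, multiplying len by 2 + MB_CUR_MAX rather than doubling it and adding MB_CUR_MAX. That over-allocates, so it is not unsafe, but `len = len * 2 + MB_CUR_MAX;` would state the intended growth and make the `len - j < MB_CUR_MAX` guard easier to reason about.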
@@ -110,7 +110,7 @@
 -  dest[j++] = '0' + (c & 7);
 +escape:
 +  if (len - j < (4 * MB_CUR_MAX))
-+  xrealloc (dest, (len *= 2 + 4 * MB_CUR_MAX));
++  dest = xrealloc (dest, (len *= 2 + 4 * 
MB_CUR_MAX));
 +  for (;ret > 0; i++, ret--) {
 +  c = (*src)[i];
 +
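Review bot: same class of expression as the previous hunk: `len *= 2 + 4 * MB_CUR_MAX` multiplies len by (2 + 4 * MB_CUR_MAX). Harmless because it only grows the buffer faster than intended, but since the guard above it is `len - j < (4 * MB_CUR_MAX)`, spelling it `len = len * 2 + 4 * MB_CUR_MAX;` keeps the guard and the growth visibly matched.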
@@ -128,7 +128,7 @@
}
 -  dest[j] = '\0';
 +  if (len - j < MB_CUR_MAX)
-+  xrealloc (dest, (j + MB_CUR_MAX));
++  dest = xrealloc (dest, (j + MB_CUR_MAX));
 +  (void) wctomb (dest + j, L'\0');
  
xfree (*src);
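Review bot: after `dest = xrealloc (dest, (j + MB_CUR_MAX));` the variable `len` is left describing the old allocation, and the test that precedes it is written in terms of `len` while the new size is written in terms of `j`. It happens to be fine here because the only write that follows is the terminating `wctomb (dest + j, L'\0')`, but assigning `len = j + MB_CUR_MAX;` before the realloc (and passing `len`) removes the inconsistency and avoids a stale bound if more code is ever added after this point.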


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#326767: Failure to use return value from realloc (!)

2005-09-06 Thread Hrvoje Niksic
Maybe I'm missing something, but AFAICT Debian's Wget 1.9.1 doesn't
need "escape_buffer" in log.c at all.

Wget 1.9.1-12 in stable includes my backport of 1.10's filtering of
control characters via the "escnonprint" function.  When I sent the
backport to the maintainer, I expected that he would remove the old
"fix".

