Bug#663189: buffer overflow in python-pyfribidi
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed this bug. These problems were not serious enough for a Debian Security Advisory, so they are now on my radar for fixing in the following suites through point releases:

squeeze (6.0.5) - use target stable

Please prepare a minimal-changes upload targeting each of these suites, and submit a debdiff to the Release Team [0] for consideration. They will offer additional guidance or instruct you to upload your package. I will happily assist you at any stage if the patch is straightforward and you need help.

Please keep me in CC at all times so I can track the progress of this request.

For details of this process and the rationale, please see the original announcement [1] and my blog post [2].

0: debian-rele...@lists.debian.org
1: 201101232332.11736.th...@debian.org
2: http://deb.li/prsc

Thanks,
with his security hat on:

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3  5394 479D D352 4C51

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#663189: buffer overflow in python-pyfribidi
On Fri, Mar 09, 2012 at 12:49:11PM +0100, Ralf Schmitt wrote:
> upstream is pretty much dead in this case. I've published our version on PyPI. However, I didn't ask or inform the original authors about that.
---end quoted text---

Why do you include a convenience copy of fribidi source code in your pyfribidi distribution?

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
 GPG KeyID: 0xEDDDA1B7
 GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7
Bug#663189: buffer overflow in python-pyfribidi
On Fri, Mar 09, 2012 at 12:49:16PM +0100, Jakub Wilk wrote:
> Right, 0.11 on pypi looks much saner than the current one. Thanks.
---end quoted text---

The package is ready at:
http://mentors.debian.net/debian/pool/main/p/pyfribidi/pyfribidi_0.11.0-1.dsc

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
 GPG KeyID: 0xEDDDA1B7
 GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7
Bug#663189: buffer overflow in python-pyfribidi
أحمد المحمودي aelmahmo...@sabily.org writes:

> Why do you include a convenience copy of fribidi source code in your pyfribidi distribution?

Just so that I can tell people to pip install pyfribidi instead of telling them to install the fribidi headers first. This can easily be disabled by setting USE_SYSTEM_LIB, like in

    USE_SYSTEM_LIB=1 pip install pyfribidi

-- 
Cheers
Ralf
Processed: Bug#663189: buffer overflow in python-pyfribidi
Processing commands for cont...@bugs.debian.org:

> severity 663189 grave
Bug #663189 [src:pyfribidi] buffer overflow in python-pyfribidi
Severity set to 'grave' from 'normal'

> tags 663189 + confirmed security
Bug #663189 [src:pyfribidi] buffer overflow in python-pyfribidi
Added tag(s) confirmed and security.

> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
663189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#663189: buffer overflow in python-pyfribidi
Jakub Wilk jw...@debian.org writes:

>> The reason is the following (see https://github.com/pediapress/pyfribidi/issues/2): fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode character, i.e. it does not handle unicode character above 0x.
>
> As far as I can see this is not true. In Debian, we allocate 4 bytes per character. (An upstream version, which the Debian package is based on, is completely broken in this respect: it allocates a buffer of static size. See bug #570068.)

upstream is pretty much dead in this case. I've published our version on PyPI. However, I didn't ask or inform the original authors about that.

>> For a 4 byte utf-8 sequence it will generate 2 unicode characters, which overflows the logical buffer.
>
> I'm confused. What is "it" in your sentence? Why 2 Unicode characters?

"it" refers to the 4 byte utf-8 sequence. Here's the inner loop of fribidi_utf8_to_unicode from fribidi-char-sets-utf8.c:

    length = 0;
    while ((FriBidiStrIndex) (s - t) < len)
      {
        register unsigned char ch = *s;
        if (ch <= 0x7f)         /* one byte */
          {
            *us++ = *s++;
          }
        else if (ch <= 0xdf)    /* 2 byte */
          {
            *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
            s += 2;
          }
        else                    /* 3 byte */
          {
            *us++ =
              ((int) (*s & 0x0f) << 12) +
              ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
            s += 3;
          }
        length++;
      }

Assume you have a 4-byte utf-8 sequence. One loop step consumes a maximum of 3 bytes of that 4-byte sequence (there's no 4 byte case), leaving 1 byte of that sequence for further processing. This 1 byte will generate another unicode character. pyfribidi uses the length of the python unicode string as buffer size, which is less than what fribidi_utf8_to_unicode generates. And there you have your buffer overflow.

To confirm the issue, you can add an assert and check that fribidi_utf8_to_unicode's return value (the length of the string) equals unicode_length.

> Anyway I tried to double the buffer size (8 bytes per character of original string) but this didn't fix the crash. So likely the problem lies somewhere else.

I'm pretty sure my analysis is correct and I'm not quite sure what you did here.

-- 
Cheers
Ralf
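The overrun Ralf describes, as an added example that is not part of the thread and is not code from pyfribidi or fribidi: a model of the quoted inner loop (three byte cases, no four-byte case), a corrected decoder beside it that knows the four-byte form and is bounded by an output capacity, and a canary check that sizes the output buffer the way the thread says pyfribidi did (one slot per code point of the Python string) and watches the slot just past it. The function names, the CANARY value and the sample strings are the example's own; the corrected decoder does not reject overlong or surrogate encodings, which a production decoder would also do.

```c
/* Added example; not code from the thread, pyfribidi or fribidi. Names,
 * CANARY and sample inputs are the example's own. Build: cc -std=c99 -Wall */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CANARY 0xDEADBEEFu

/* Model of the quoted loop: one-, two- and three-byte cases only. A lead
 * byte 0xf0..0xf7 falls into the 3-byte branch, so a 4-byte sequence is
 * consumed as 3 bytes plus one stray continuation byte -> two output units.
 * It also reads s[1], s[2] without checking they lie in [t, t+len); the
 * demo passes NUL-terminated, well-formed input so those reads stay safe. */
static size_t broken_utf8_to_unicode(const char *t, size_t len, uint32_t *us)
{
    const unsigned char *s = (const unsigned char *)t;
    size_t length = 0;
    while ((size_t)(s - (const unsigned char *)t) < len) {
        unsigned char ch = *s;
        if (ch <= 0x7f) {                       /* one byte */
            *us++ = *s++;
        } else if (ch <= 0xdf) {                /* 2 byte */
            *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
            s += 2;
        } else {                                /* 3 byte (and, wrongly, 4 byte) */
            *us++ = ((uint32_t)(*s & 0x0f) << 12) +
                    ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
            s += 3;
        }
        length++;
    }
    return length;
}

/* Corrected decoder: handles the 4-byte form, refuses truncated sequences
 * and stray continuation bytes, never writes past cap units. us == NULL
 * only counts. Returns the code-point count or (size_t)-1 on bad input. */
static size_t fixed_utf8_to_unicode(const char *t, size_t len,
                                    uint32_t *us, size_t cap)
{
    const unsigned char *s = (const unsigned char *)t, *end = s + len;
    size_t n = 0;
    while (s < end) {
        unsigned char ch = *s;
        size_t need;
        uint32_t cp;
        if (ch < 0x80)      { need = 1; cp = ch; }
        else if (ch < 0xc0) { return (size_t)-1; }      /* stray continuation */
        else if (ch < 0xe0) { need = 2; cp = ch & 0x1f; }
        else if (ch < 0xf0) { need = 3; cp = ch & 0x0f; }
        else if (ch < 0xf8) { need = 4; cp = ch & 0x07; }
        else                { return (size_t)-1; }
        if ((size_t)(end - s) < need) return (size_t)-1;  /* truncated */
        for (size_t i = 1; i < need; i++) {
            if ((s[i] & 0xc0) != 0x80) return (size_t)-1;
            cp = (cp << 6) | (s[i] & 0x3f);
        }
        if (us) {
            if (n >= cap) return (size_t)-1;              /* would overflow */
            us[n] = cp;
        }
        n++;
        s += need;
    }
    return n;
}

/* Code points in a NUL-terminated UTF-8 string, i.e. len(unicode string). */
size_t code_point_count(const char *utf8)
{
    return fixed_utf8_to_unicode(utf8, strlen(utf8), NULL, 0);
}

/* Units the quoted loop emits for the same input. */
size_t broken_unit_count(const char *utf8)
{
    uint32_t scratch[64];
    size_t len = strlen(utf8);
    if (len >= sizeof scratch / sizeof scratch[0]) return (size_t)-1;
    return broken_utf8_to_unicode(utf8, len, scratch);
}

/* Size the output like the thread says pyfribidi did (one slot per code
 * point), put a canary right after it, run the quoted loop.
 * 1 = canary clobbered, 0 = intact, -1 = input unusable for the demo. */
int broken_decoder_overflows(const char *utf8)
{
    uint32_t buf[64];
    size_t len = strlen(utf8);
    size_t n = code_point_count(utf8);
    if (n == (size_t)-1 || len + 1 > sizeof buf / sizeof buf[0]) return -1;
    /* The loop emits at most one unit per input byte, so len+1 slots hold
     * everything it writes; buf[n] is where pyfribidi's buffer ended. */
    for (size_t i = 0; i <= len; i++) buf[i] = CANARY;
    (void)broken_utf8_to_unicode(utf8, len, buf);
    return buf[n] != CANARY;
}

/* First code point from the corrected decoder, or UINT32_MAX on bad input. */
uint32_t fixed_first_code_point(const char *utf8)
{
    uint32_t out[64];
    size_t n = fixed_utf8_to_unicode(utf8, strlen(utf8), out, 64);
    return (n == (size_t)-1 || n == 0) ? UINT32_MAX : out[0];
}
```

With the constructed sample "\xF0\x9F\x98\x80" (U+1F600, four bytes, one code point) the quoted loop returns 2 units and clobbers the canary at index 1, while a three-byte sample such as "\xE2\x82\xAC" (U+20AC) and plain ASCII leave it intact; that is the assert on the return value versus unicode_length that Ralf suggests, made concrete. The corrected routine returns 1 for the same input and fails cleanly on a truncated "\xF0\x9F\x98" or a stray "\x80" instead of reading ahead.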
Bug#663189: buffer overflow in python-pyfribidi
* Ralf Schmitt r...@systemexit.de, 2012-03-09, 10:11:
> It's fixed with https://github.com/pediapress/pyfribidi/commit/d2860c655357975e7b32d84e6b45e98f0dcecd7a (or with pyfribidi 0.11 from pypi)

Right, 0.11 on pypi looks much saner than the current one. Thanks.

-- 
Jakub Wilk
Bug#663189: buffer overflow in python-pyfribidi
* Ralf Schmitt r...@systemexit.de, 2012-03-09, 12:49:
>> fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode character, i.e. it does not handle unicode character above 0x.

Now that I woke up I finally understand what you meant here. :) Sorry for the noise.

> here's the inner loop of fribidi_utf8_to_unicode from fribidi-char-sets-utf8.c:
>
>     length = 0;
>     while ((FriBidiStrIndex) (s - t) < len)
>       {
>         register unsigned char ch = *s;
>         if (ch <= 0x7f)         /* one byte */
>           {
>             *us++ = *s++;
>           }
>         else if (ch <= 0xdf)    /* 2 byte */
>           {
>             *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
>             s += 2;
>           }
>         else                    /* 3 byte */
>           {
>             *us++ =
>               ((int) (*s & 0x0f) << 12) +
>               ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
>             s += 3;
>           }
>         length++;
>       }

Ugh. That's so broken...

-- 
Jakub Wilk