Bug#663189: buffer overflow in python-pyfribidi

2012-03-21 Thread Jonathan Wiltshire
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.5) - use target stable

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-rele...@lists.debian.org
1: 201101232332.11736.th...@debian.org
2: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#663189: buffer overflow in python-pyfribidi

2012-03-10 Thread أحمد المحمودي
On Fri, Mar 09, 2012 at 12:49:11PM +0100, Ralf Schmitt wrote:
> upstream is pretty much dead in this case. I've published our version on
> PyPI. However, I didn't ask or inform the original authors about that.
---end quoted text---

  Why do you include a convenience copy of fribidi source code in your 
  pyfribidi distribution ?


-- 
 ‎أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
 GPG KeyID: 0xEDDDA1B7
 GPG Fingerprint: 8206 A196 2084 7E6D 0DF8  B176 BC19 6A94 EDDD A1B7




Bug#663189: buffer overflow in python-pyfribidi

2012-03-10 Thread أحمد المحمودي
On Fri, Mar 09, 2012 at 12:49:16PM +0100, Jakub Wilk wrote:
> Right, 0.11 on pypi looks much saner than the current one. Thanks.
---end quoted text---

  The package is ready at:
  http://mentors.debian.net/debian/pool/main/p/pyfribidi/pyfribidi_0.11.0-1.dsc

-- 
 ‎أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
 GPG KeyID: 0xEDDDA1B7
 GPG Fingerprint: 8206 A196 2084 7E6D 0DF8  B176 BC19 6A94 EDDD A1B7




Bug#663189: buffer overflow in python-pyfribidi

2012-03-10 Thread Ralf Schmitt
أحمد المحمودي aelmahmo...@sabily.org writes:


> Why do you include a convenience copy of fribidi source code in your
> pyfribidi distribution ?

just so that I can tell people to pip install pyfribidi instead of
telling them to install the fribidi headers first. This can easily be
disabled by setting USE_SYSTEM_LIB, like in USE_SYSTEM_LIB=1 pip
install pyfribidi.

-- 
Cheers
Ralf






Processed: Bug#663189: buffer overflow in python-pyfribidi

2012-03-09 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 663189 grave
Bug #663189 [src:pyfribidi] buffer overflow in python-pyfribidi
Severity set to 'grave' from 'normal'

> tags 663189 + confirmed security
Bug #663189 [src:pyfribidi] buffer overflow in python-pyfribidi
Added tag(s) confirmed and security.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
663189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#663189: buffer overflow in python-pyfribidi

2012-03-09 Thread Ralf Schmitt
Jakub Wilk jw...@debian.org writes:

> The reason is the following (see
> https://github.com/pediapress/pyfribidi/issues/2):
>
> fribidi_utf8_to_unicode consumes at most 3 bytes for a single
> unicode character, i.e. it does not handle unicode character above
> 0x.
>
> As far as I can see this is not true. In Debian, we allocate 4 bytes
> per character. (An upstream version, which the Debian package is
> based on, is completely broken in this respect: it allocates a buffer
> of static size. See bug #570068)

upstream is pretty much dead in this case. I've published our version on
PyPI. However, I didn't ask or inform the original authors about that.


> For a 4 byte utf-8 sequence it will generate 2 unicode characters,
> which overflows the logical buffer.
>
> I'm confused. What is it in your sentence? Why 2 Unicode characters?

It refers to the 4 byte utf-8 sequence.

here's the inner loop of fribidi_utf8_to_unicode from
fribidi-char-sets-utf8.c:

,
|   length = 0;
|   while ((FriBidiStrIndex) (s - t) < len)
|     {
|       register unsigned char ch = *s;
|       if (ch <= 0x7f)       /* one byte */
|         {
|           *us++ = *s++;
|         }
|       else if (ch <= 0xdf)  /* 2 byte */
|         {
|           *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
|           s += 2;
|         }
|       else                  /* 3 byte */
|         {
|           *us++ =
|             ((int) (*s & 0x0f) << 12) +
|             ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
|           s += 3;
|         }
|       length++;
|     }
`

Assume you have a 4-byte utf-8 sequence. One loop step consumes a maximum of
3 bytes of that 4-byte sequence (there's no 4 byte case), leaving
1 byte of that sequence for further processing. This 1 byte will
generate another unicode character. pyfribidi uses the length of the
python unicode string as buffer size, which is less than what
fribidi_utf8_to_unicode generates. And there you have your buffer
overflow.

To confirm the issue, you can add an assert and check that
fribidi_utf8_to_unicode's return value (the length of the string) equals
unicode_length.


> Anyway I tried to double the buffer size (8 bytes per characters of
> original string) but this didn't fix the crash. So likely the problem
> lies somewhere else.

I'm pretty sure my analysis is correct and I'm not quite sure what
you did here.

-- 
Cheers
Ralf



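As an added illustration (not code from the bug report, fribidi or pyfribidi): a bounds-safe model of the quoted loop that only counts the output units it would write, beside a decoder that knows 4-byte sequences and checks its bounds. On the constructed input "a" followed by U+1F600 (F0 9F 98 80) the model reports 3 units where the string has 2 code points, which is exactly the mismatch the assert suggested above would catch; the hardened decoder refuses to write past its output capacity instead.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the fribidi_utf8_to_unicode loop quoted in the thread. It knows
 * only 1-, 2- and 3-byte forms, so a 4-byte lead (0xf0..) is treated as a
 * 3-byte one and its last continuation byte starts a bogus "2-byte" char.
 * It returns how many output units the loop would write instead of writing
 * them, so the overrun shows up as a count rather than as corruption. */
static size_t broken_output_units(const unsigned char *s, size_t len)
{
    size_t i = 0, units = 0;
    while (i < len) {
        unsigned char ch = s[i];
        if (ch <= 0x7f)      i += 1;   /* one byte */
        else if (ch <= 0xdf) i += 2;   /* 2 byte (may step past len) */
        else                 i += 3;   /* 3 byte (0xf0.. lands here too) */
        units++;
    }
    return units;
}

/* Decoder that handles 4-byte sequences and checks its bounds: every
 * continuation byte must exist and be 10xxxxxx, and nothing is written once
 * the output buffer (cap units) is full. Returns the number of code points
 * written, or (size_t)-1 on truncated/malformed input or a full buffer.
 * (Surrogates and overlong 3-/4-byte forms are not rejected here.) */
static size_t utf8_to_ucs4(const unsigned char *s, size_t len,
                           uint32_t *out, size_t cap)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char ch = s[i];
        size_t need;
        uint32_t cp;
        if (ch <= 0x7f)      { need = 1; cp = ch; }
        else if (ch < 0xc2)  return (size_t)-1;   /* stray continuation, 0xc0/0xc1 */
        else if (ch <= 0xdf) { need = 2; cp = ch & 0x1f; }
        else if (ch <= 0xef) { need = 3; cp = ch & 0x0f; }
        else if (ch <= 0xf4) { need = 4; cp = ch & 0x07; }
        else                 return (size_t)-1;   /* 0xf5.. is never valid */
        if (len - i < need || n == cap) return (size_t)-1;
        for (size_t k = 1; k < need; k++) {
            if ((s[i + k] & 0xc0) != 0x80) return (size_t)-1;
            cp = (cp << 6) | (s[i + k] & 0x3f);
        }
        out[n++] = cp;
        i += need;
    }
    return n;
}
```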



Bug#663189: buffer overflow in python-pyfribidi

2012-03-09 Thread Jakub Wilk

* Ralf Schmitt r...@systemexit.de, 2012-03-09, 10:11:

> It's fixed with
> https://github.com/pediapress/pyfribidi/commit/d2860c655357975e7b32d84e6b45e98f0dcecd7a
> (or with pyfribidi 0.11 from pypi)


Right, 0.11 on pypi looks much saner than the current one. Thanks.

--
Jakub Wilk






Bug#663189: buffer overflow in python-pyfribidi

2012-03-09 Thread Jakub Wilk

* Ralf Schmitt r...@systemexit.de, 2012-03-09, 12:49:
> fribidi_utf8_to_unicode consumes at most 3 bytes for a single unicode
> character, i.e. it does not handle unicode character above 0x.


Now I woke up I finally understand what you meant here. :) Sorry for the 
noise.



> here's the inner loop of fribidi_utf8_to_unicode from
> fribidi-char-sets-utf8.c:
>
> ,
> |   length = 0;
> |   while ((FriBidiStrIndex) (s - t) < len)
> |     {
> |       register unsigned char ch = *s;
> |       if (ch <= 0x7f)       /* one byte */
> |         {
> |           *us++ = *s++;
> |         }
> |       else if (ch <= 0xdf)  /* 2 byte */
> |         {
> |           *us++ = ((*s & 0x1f) << 6) + (*(s + 1) & 0x3f);
> |           s += 2;
> |         }
> |       else                  /* 3 byte */
> |         {
> |           *us++ =
> |             ((int) (*s & 0x0f) << 12) +
> |             ((*(s + 1) & 0x3f) << 6) + (*(s + 2) & 0x3f);
> |           s += 3;
> |         }
> |       length++;
> |     }
> `


Ugh. That's so broken...

--
Jakub Wilk


