Subject: konsole has unsafe and incorrect UTF-8 decoder
Package: konsole
Version: 4:3.3.2-1
Severity: normal

Catting Markus Kuhn's UTF-8-test reveals a number of problems with konsole's UTF-8 decoder; it does not correctly handle malformed input. For example, it fails to reject "long forms" of ordinary ASCII characters, start bytes are always combined with following bytes even if the following bytes are not continuation bytes, and so on. Some of these are arguably security holes (similar to the IDN issues with Mozilla but permitting computers to be fooled as well as humans).

The file is at
http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
(and many other places on the Web).

Andrew


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10.20050514
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages konsole depends on:
ii kdelibs4 4:3.3.2-5 KDE core libraries
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
ii libfam0c102 2.7.0-6 client library to control the FAM
ii libgcc1 1:3.4.3-12 GCC support library
ii libice6 4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii libidn11 0.5.13-1.0 GNU libidn library, implementation
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libqt3c102-mt 3:3.3.4-3 Qt GUI Library (Threaded runtime v
ii libsm6 4.3.0.dfsg.1-12.0.1 X Window System Session Management
ii libstdc++5 1:3.3.5-12 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous exte
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxtst6 4.3.0.dfsg.1-12.0.1 X Window System event recording an
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime


-- no debconf information
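The two decoder behaviours the report describes, shown side by side as an added example (this is not konsole's code and not part of the bug report): a naive decoder that trusts the start byte's declared length and blindly merges whatever bytes follow, next to a strict decoder that rejects overlong forms, non-continuation bytes, surrogates and out-of-range values, replacing each bad byte with U+FFFD. The sample byte strings are constructed here and belong to the classes Kuhn's UTF-8-test file exercises (overlong "/", a start byte followed by a space, a surrogate, a value past U+10FFFF); the helper names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive decoder (the buggy pattern): picks a length from the start byte and
   ORs in the low six bits of the following bytes without any validation. */
static size_t naive_decode_one(const unsigned char *in, size_t len, uint32_t *cp)
{
    unsigned char b0 = in[0];
    size_t n = b0 < 0x80 ? 1 : b0 < 0xE0 ? 2 : b0 < 0xF0 ? 3 : 4;
    if (len < n) return 0;
    uint32_t v = (n == 1) ? b0 : (uint32_t)(b0 & (0xFF >> (n + 1)));
    for (size_t i = 1; i < n; i++)           /* never checks for 10xxxxxx */
        v = (v << 6) | (in[i] & 0x3F);
    *cp = v;
    return n;
}

/* Strict decoder: returns bytes consumed (1..4) and sets *cp, or returns 0
   when in[0] does not begin a well-formed sequence. The caller then treats
   in[0] alone as an error and resumes at in + 1, so a start byte is never
   silently combined with a following non-continuation byte. */
static size_t utf8_decode_one(const unsigned char *in, size_t len, uint32_t *cp)
{
    if (len == 0) return 0;
    unsigned char b0 = in[0];
    size_t need;      /* continuation bytes required */
    uint32_t min, v;  /* smallest value this length may legitimately encode */

    if (b0 < 0x80)                  { *cp = b0; return 1; }
    else if (b0 >= 0xC2 && b0 <= 0xDF) { need = 1; min = 0x80;    v = b0 & 0x1F; }
    else if (b0 >= 0xE0 && b0 <= 0xEF) { need = 2; min = 0x800;   v = b0 & 0x0F; }
    else if (b0 >= 0xF0 && b0 <= 0xF4) { need = 3; min = 0x10000; v = b0 & 0x07; }
    else return 0;   /* C0, C1, F5..FF, or a stray continuation byte */

    if (len < need + 1) return 0;                 /* truncated sequence */
    for (size_t i = 1; i <= need; i++) {
        if ((in[i] & 0xC0) != 0x80) return 0;     /* not a continuation byte */
        v = (v << 6) | (in[i] & 0x3F);
    }
    if (v < min) return 0;                        /* overlong form */
    if (v >= 0xD800 && v <= 0xDFFF) return 0;     /* UTF-16 surrogate */
    if (v > 0x10FFFF) return 0;                   /* beyond Unicode */
    *cp = v;
    return need + 1;
}

/* Decode a buffer with the strict decoder; each malformed byte becomes
   U+FFFD and decoding resynchronises on the next byte. */
static size_t utf8_decode_buf(const unsigned char *in, size_t len,
                              uint32_t *out, size_t outcap, size_t *errors)
{
    size_t i = 0, n = 0;
    *errors = 0;
    while (i < len && n < outcap) {
        uint32_t cp;
        size_t used = utf8_decode_one(in + i, len - i, &cp);
        if (used == 0) { cp = 0xFFFD; used = 1; (*errors)++; }
        out[n++] = cp;
        i += used;
    }
    return n;
}

/* Small helpers over NUL-free C strings (hypothetical names, for the demo). */
#define DEMO_CAP 64
static uint32_t strict_first(const char *s)
{
    uint32_t out[DEMO_CAP]; size_t err;
    size_t n = utf8_decode_buf((const unsigned char *)s, strlen(s), out, DEMO_CAP, &err);
    return n ? out[0] : 0;
}
static size_t strict_count(const char *s)
{
    uint32_t out[DEMO_CAP]; size_t err;
    return utf8_decode_buf((const unsigned char *)s, strlen(s), out, DEMO_CAP, &err);
}
static size_t strict_errors(const char *s)
{
    uint32_t out[DEMO_CAP]; size_t err;
    utf8_decode_buf((const unsigned char *)s, strlen(s), out, DEMO_CAP, &err);
    return err;
}
static uint32_t naive_first(const char *s)
{
    uint32_t cp = 0;
    naive_decode_one((const unsigned char *)s, strlen(s), &cp);
    return cp;
}

int main(void)
{
    /* Constructed samples: overlong '/', start byte + space, valid e-acute. */
    const char *samples[] = { "\xC0\xAF", "\xC3 ", "\xC3\xA9" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu: naive -> U+%04X, strict -> U+%04X (%zu errors)\n",
               i, naive_first(samples[i]), strict_first(samples[i]),
               strict_errors(samples[i]));
    return 0;
}
```

The naive decoder turns the overlong C0 AF into U+002F "/", which is exactly the class of problem the report calls a security hole: any filter that looks for the byte 0x2F before the bytes reach the terminal never sees a slash, yet the user does. It also swallows the space after a lone C3 start byte. The strict decoder yields two U+FFFD for C0 AF and keeps the space as its own character, which is the behaviour Kuhn's test file expects of a safe decoder.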


