tags 372891 confirmed
thanks

On Mon, 12 Jun 2006 07:02:12 -0500
Alec Berryman <[EMAIL PROTECTED]> wrote:

> Package: sylpheed-claws
> Severity: important
> Tags: security patch
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> CVE-2006-2920: "Sylpheed-Claws before 2.2.2 allows remote attackers to
> bypass the URI check functionality and makes it easier to conduct
> phishing attacks via a URI that begins with a space character."
> 
> The FrSIRT notice incorrectly lists fixed files; you'll need at least
> 1.36.2.64 of src/common/utils.c [1] and 1.96.2.115 of src/textview.c
> [2].

  These are patches for the GTK2 version, which doesn't apply to
sylpheed-claws. Attached my proposed patch to solve this, please review.
 
> Please mention the CVE in your changelog.  Versions in sarge and woody
> appear vulnerable.
 
  The patch also applies successfully to the sarge version, so a sarge security
upload can be made. I don't think the woody version sports this feature; anyway
I'll check it, because woody security support doesn't end until the end of
this month... :)
 
 
> [1]
> http://cvs.sunsite.dk/viewcvs.cgi/sylpheedclaws/sylpheed-claws/src/common/utils.c.diff?r1=1.36.2.63&r2=1.36.2.64&only_with_tag=gtk2
> [2]
> http://cvs.sunsite.dk/viewcvs.cgi/sylpheedclaws/sylpheed-claws/src/textview.c.diff?r1=1.96.2.114&r2=1.96.2.115&only_with_tag=gtk2

  regards,
-- 
  Ricardo Mones 
  ~
  RTFM - "Read The Manual" (The 'F' is silent). Usually a very good 
  idea.                                             Bjarne Stroustrup
diff -urN sylpheed-claws-1.0.5.orig/src/common/utils.c sylpheed-claws-1.0.5/src/common/utils.c
--- sylpheed-claws-1.0.5.orig/src/common/utils.c	2005-06-27 13:50:13.000000000 +0200
+++ sylpheed-claws-1.0.5/src/common/utils.c	2006-06-13 00:24:58.000000000 +0200
@@ -1510,6 +1510,8 @@
 
 gboolean is_uri_string(const gchar *str)
 {
+	while (str && *str && g_ascii_isspace(*str))
+		str++;
 	return (g_strncasecmp(str, "http://";, 7) == 0 ||
 		g_strncasecmp(str, "https://";, 8) == 0 ||
 		g_strncasecmp(str, "ftp://";, 6) == 0 ||
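Review bot: The `str &&` test in the loop added at the top of is_uri_string() suggests a NULL argument is tolerated, but the next statement passes `str` to g_strncasecmp() unguarded; as far as I know GLib's precondition check there returns 0 for a NULL string, which would make the first comparison succeed and the function report TRUE. Either reject NULL up front with `g_return_val_if_fail(str != NULL, FALSE);` and reduce the loop to `while (g_ascii_isspace(*str)) str++;`, or drop the NULL test so the code does not imply a guarantee it lacks. The same pattern is in get_uri_path(), where `uri + 7` would then be computed from NULL, and in decode_uri(), whose `while (*enc)` dereferences `enc` right after the `enc &&` test. The `;` following each scheme literal on the context lines looks like a mail-archive artefact rather than patch content. is_uri_string() continues past the end of this hunk.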
@@ -1518,6 +1520,8 @@
 
 gchar *get_uri_path(const gchar *uri)
 {
+	while (uri && *uri && g_ascii_isspace(*uri))
+		uri++;
 	if (g_strncasecmp(uri, "http://";, 7) == 0)
 		return (gchar *)(uri + 7);
 	else if (g_strncasecmp(uri, "https://";, 8) == 0)
@@ -1536,6 +1540,8 @@
 	gchar *dec = decoded_uri;
 	const gchar *enc = encoded_uri;
 
+	while (enc && g_ascii_isspace(*enc))
+		enc++;
 	while (*enc) {
 		if (*enc == '%') {
 			enc++;
diff -urN sylpheed-claws-1.0.5.orig/src/textview.c sylpheed-claws-1.0.5/src/textview.c
--- sylpheed-claws-1.0.5.orig/src/textview.c	2005-06-27 13:50:13.000000000 +0200
+++ sylpheed-claws-1.0.5/src/textview.c	2006-06-13 01:08:31.000000000 +0200
@@ -625,6 +625,8 @@
 				 * if still inside an <a>, but already parsed past HREF */
 				str = strtok(str, " ");
 				if (str) { 
+					while (str && *str && g_ascii_isspace(*str))
+						str++;
 					parser->href = g_strdup(str);
 					/* the URL may (or not) be followed by the
 					 * referenced text */
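Review bot: The loop added before `g_strdup(str)` has no comment explaining why it is needed directly after `strtok(str, " ")`, which already discards leading spaces. A one-line comment such as `/* strtok() only strips ' '; skip tabs/newlines too so the URI check sees the real scheme (CVE-2006-2920) */` would keep a later cleanup from removing it as dead code. The `str &&` test is redundant inside `if (str)`. The enclosing function starts and ends outside this hunk.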
@@ -669,9 +671,13 @@
 	g_return_val_if_fail(ep != NULL, FALSE);
 
 	*bp = scanpos;
+	ep_ = scanpos;
+
+	while (ep_ && g_ascii_isspace(*ep_))
+		ep_++;
 
 	/* find end point of URI */
-	for (ep_ = scanpos; *ep_ != '\0'; ep_++) {
+	for (; *ep_ != '\0'; ep_++) {
 		if (!isgraph(*(const guchar *)ep_) ||
 		    !IS_ASCII(*(const guchar *)ep_) ||
 		    strchr("()<>\"", *ep_))
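Review bot: `*bp = scanpos;` is still assigned before the new whitespace skip, so the start reported to the caller can point at leading whitespace while the end is measured from the first non-space character. Setting the start after the loop, `*bp = ep_;`, would hand callers an already-trimmed range and make the separate trimming in make_uri_string() and its sibling helpers unnecessary. Whether any caller relies on `*bp == scanpos` is not visible here and needs checking. The `ep_ &&` test adds no protection, since the `for` condition dereferences `ep_` regardless. The function starts and ends outside this hunk.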
@@ -700,6 +706,8 @@
 
 static gchar *make_uri_string(const gchar *bp, const gchar *ep)
 {
+	while (bp && *bp && g_ascii_isspace(*bp))
+		bp++;
 	return g_strndup(bp, ep - bp);
 }
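Review bot: The skip loop in make_uri_string() stops only at a NUL byte, not at `ep`, so for a range that is all whitespace and is followed by more whitespace `bp` can move past `ep`. `ep - bp` then becomes negative, and g_strndup() receives it as a huge unsigned length. Bound the loop with the end pointer: `while (bp < ep && g_ascii_isspace(*bp)) bp++;`. The identical loops in the two later hunks (the helpers that prepend `mailto:` and `http://`) need the same bound. Whether their callers can actually produce such a range is not visible in this diff.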
 
@@ -954,6 +962,8 @@
 	gchar *tmp;
 	gchar *result;
 
+	while (bp && *bp && g_ascii_isspace(*bp))
+		bp++;
 	tmp = g_strndup(bp, ep - bp);
 	result = g_strconcat("mailto:", tmp, NULL);
 	g_free(tmp);
@@ -967,6 +977,8 @@
 	gchar *tmp;
 	gchar *result;
 
+	while (bp && *bp && g_ascii_isspace(*bp))
+		bp++;
 	tmp = g_strndup(bp, ep - bp);
 	result = g_strconcat("http://";, tmp, NULL);
 	g_free(tmp);
