Hi,
CCed upstream.

I am not sure if it is enough to just fix this CVE id.
Browsing a bit in the code reveals quite a lot of additional 
buffer overflows.

From HTMLactions.c:
1264 void CheckUniqueName (Element el, Document doc, Attribute attr,
1265                       AttributeType attrType)
1266 {
1267 #define MaxMsgLength 200
1268   ElementType    elType;
1269   int            lineNum, length;
1270   char          *name;
1271   char           msgBuffer[MaxMsgLength];
1272 
1273   elType = TtaGetElementType (el);
1274   if (attr)
1275     {
1276       name = (char*)GetXMLAttributeName (attrType, elType, doc);
1277       if (!strcmp (name, "id"))
1278         {
1279           if (!TtaIsValidID (attr, FALSE))
1280             {
1281               length = TtaGetTextAttributeLength (attr) + 1;
1282               name = (char *)TtaGetMemory (length);
1283               TtaGiveTextAttributeValue (attr, name, &length);
1284               sprintf (msgBuffer, "Invalid ID value \"%s\"", name);

This can result in a stack-based buffer overflow if !TtaIsValidID (attr, FALSE)
is true. This function is called if an attribute value is duplicated to
generate an error message.
TtaGetTextAttributeLength() returns the length of the attribute; the return
value here has no upper limit. TtaGiveTextAttributeValue() then copies the
attribute value into the allocated name buffer and msgBuffer will be
overflowed (this also sets the length again to the read bytes).
Note that MaxMsgLength is defined as 200 and that a check for !name would also
not hurt.

Same problem for the else case:
1292           else
1293             {
1294               // this function is optional because it increases the loading time
1295               if (Check_read_ids && MakeUniqueName (el, doc, FALSE, FALSE))
1296                 {
1297                   length = TtaGetTextAttributeLength (attr) + 1;
1298                   name = (char *)TtaGetMemory (length);
1299                   TtaGiveTextAttributeValue (attr, name, &length);
1300                   sprintf (msgBuffer, "Duplicate ID value \"%s\"", name);

Similar things are done at other places. Looking at the overall code quality I
suggest we remove amaya from lenny unless someone is willing to do a complete
audit.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
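As an added example (not Amaya code and not part of the report above): a bounded replacement for the two sprintf() calls quoted from CheckUniqueName(), plus a guard-byte check showing that an oversized id value no longer runs past the 200-byte msgBuffer. struct msg_frame, format_id_message, format_oversized_id and id_message_equals are hypothetical names; MaxMsgLength is the constant from the quoted code.

```c
#include <stdio.h>
#include <string.h>
#define MaxMsgLength 200

/* Mimics CheckUniqueName's frame: the 200-byte message buffer followed by
 * guard bytes that reveal any write past the end of msgBuffer. */
struct msg_frame {
    char msgBuffer[MaxMsgLength];
    unsigned char guard[8];
};

/* Bounded replacement for
 *     sprintf (msgBuffer, "Invalid ID value \"%s\"", name);
 * kind is "Invalid" or "Duplicate". name may be NULL (TtaGetMemory can
 * fail) or arbitrarily long (TtaGetTextAttributeLength has no upper limit).
 * Returns 1 if the message was truncated to fit, 0 otherwise. */
int format_id_message(char msgBuffer[MaxMsgLength], const char *kind, const char *name)
{
    if (name == NULL)
        name = "";   /* the "check for !name" suggested in the report */
    /* snprintf never writes past MaxMsgLength and returns the untruncated length. */
    int needed = snprintf(msgBuffer, MaxMsgLength, "%s ID value \"%s\"", kind, name);
    return needed >= MaxMsgLength;
}

/* Formats a constructed id value of id_len 'A's into the frame. Returns -1
 * if the guard bytes were overwritten, else the truncation flag. */
int format_oversized_id(size_t id_len)
{
    char id[4096];
    if (id_len >= sizeof id)
        id_len = sizeof id - 1;
    memset(id, 'A', id_len);   /* constructed attribute value, not from Amaya */
    id[id_len] = '\0';
    struct msg_frame f;
    memset(f.guard, 0x5A, sizeof f.guard);
    int truncated = format_id_message(f.msgBuffer, "Duplicate", id);
    for (size_t i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 0x5A)
            return -1;
    return truncated;
}

/* Returns 1 if formatting (kind, name) yields exactly expected. */
int id_message_equals(const char *kind, const char *name, const char *expected)
{
    char msgBuffer[MaxMsgLength];
    format_id_message(msgBuffer, kind, name);
    return strcmp(msgBuffer, expected) == 0;
}
```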
