Your message dated Sun, 04 Mar 2007 10:32:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#404723: fixed in neon26 0.26.3-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libneon26
Version: 0.26.2-3mdx1
Severity: grave
Tags: patch

Hi,

libneon26 ne_uri_parse() has severe problems parsing URIs with non-ASCII
characters. Real world case is trying to save a document (example attached)
with openoffice.org-writer containing a hyperlink with non-ASCII characters
in the web link. The above action leads to OOo segfault. Consider the gdb
session below (reproducible with the attached document, type a character
and attempt to resave the document):

(gdb) bt
#0  0x00002aaab35229e5 in ne_uri_parse (uri=0x1fd1328 "http://Ä\205.com/", 
parsed=0x7fffc5e09660) at /tmp/buildd/neon26-0.26.2/src/ne_uri.c:179
#1  0x00002aaab33ddb4e in NeonUri () from 
/usr/lib/openoffice/program/libucpdav1.so
#2  0x00002aaab33b9a2a in Content () from 
/usr/lib/openoffice/program/libucpdav1.so
#3  0x00002aaab33b5a12 in webdav_ucp::ContentProvider::queryContent () from 
/usr/lib/openoffice/program/libucpdav1.so
#4  0x00002aaaab2602c3 in UniversalContentBroker::queryContent () from 
/usr/lib/openoffice/program/libucb1.so
#5  0x00002b95e55e8412 in (anonymous namespace)::normalizePrefix () from 
/usr/lib/openoffice/program/libsvt680lx.so
#6  0x00002b95e55e8972 in (anonymous namespace)::normalize () from 
/usr/lib/openoffice/program/libsvt680lx.so
#7  0x00002b95e55e9540 in URIHelper::normalizedMakeRelative () from 
/usr/lib/openoffice/program/libsvt680lx.so
#8  0x00002b95e55e9de3 in URIHelper::simpleNormalizedMakeRelative () from 
/usr/lib/openoffice/program/libsvt680lx.so
#9  0x00002aaaadeda6e2 in SvXMLExport::GetRelativeReference () from 
/usr/lib/openoffice/program/libxo680lx.so
#10 0x00002aaaadfc50fb in XMLTextParagraphExport::addHyperlinkAttributes () 
from /usr/lib/openoffice/program/libxo680lx.so
#11 0x00002aaaadfcea40 in XMLTextParagraphExport::exportTextRange () from 
/usr/lib/openoffice/program/libxo680lx.so
#12 0x00002aaaadfd35f5 in XMLTextParagraphExport::exportTextRangeEnumeration () 
from /usr/lib/openoffice/program/libxo680lx.so
#13 0x00002aaaadfd401b in XMLTextParagraphExport::exportParagraph () from 
/usr/lib/openoffice/program/libxo680lx.so
#14 0x00002aaaadfd2e2b in XMLTextParagraphExport::exportTextContentEnumeration 
() from /usr/lib/openoffice/program/libxo680lx.so
#15 0x00002aaaadfd54b2 in XMLTextParagraphExport::exportText () from 
/usr/lib/openoffice/program/libxo680lx.so
#16 0x00002aaab05af7a4 in SwXMLExport::_ExportContent () from 
/usr/lib/openoffice/program/libsw680lx.so
#17 0x00002aaaadedca6f in SvXMLExport::ImplExportContent () from 
/usr/lib/openoffice/program/libxo680lx.so
#18 0x00002aaaadee9ede in SvXMLExport::exportDoc () from 
/usr/lib/openoffice/program/libxo680lx.so
#19 0x00002aaab05ad8f8 in SwXMLExport::exportDoc () from 
/usr/lib/openoffice/program/libsw680lx.so
#20 0x00002aaaadedb220 in SvXMLExport::filter () from 
/usr/lib/openoffice/program/libxo680lx.so
#21 0x00002aaab05a96a3 in SwXMLWriter::WriteThroughComponent () from 
/usr/lib/openoffice/program/libsw680lx.so
#22 0x00002aaab05a9d4a in SwXMLWriter::WriteThroughComponent () from 
/usr/lib/openoffice/program/libsw680lx.so
#23 0x00002aaab05ab4af in SwXMLWriter::_Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#24 0x00002aaab05ac389 in SwXMLWriter::WriteMedium () from 
/usr/lib/openoffice/program/libsw680lx.so
#25 0x00002aaab04e3f58 in StgWriter::Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#26 0x00002aaab05a903b in SwXMLWriter::Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#27 0x00002aaab04248f3 in SwWriter::Write () from 
/usr/lib/openoffice/program/libsw680lx.so
#28 0x00002aaab05f19b9 in SwDocShell::SaveAs () from 
/usr/lib/openoffice/program/libsw680lx.so
#29 0x00002aaaab8e8f67 in SfxObjectShell::SaveAsOwnFormat () from 
/usr/lib/openoffice/program/libsfx680lx.so
#30 0x00002aaaab8f77ad in SfxObjectShell::SaveTo_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#31 0x00002aaaab8f92b0 in SfxObjectShell::DoSave_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#32 0x00002aaaab8f9668 in SfxObjectShell::Save_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#33 0x00002aaaab9509b7 in SfxBaseModel::storeSelf () from 
/usr/lib/openoffice/program/libsfx680lx.so
#34 0x00002aaaab9688cf in SfxStoringHelper::GUIStoreModel () from 
/usr/lib/openoffice/program/libsfx680lx.so
#35 0x00002aaaab900ccc in SfxObjectShell::ExecFile_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#36 0x00002aaaab9baeff in SfxDispatcher::Call_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#37 0x00002aaaab9bb651 in SfxDispatcher::PostMsgHandler () from 
/usr/lib/openoffice/program/libsfx680lx.so
#38 0x00002aaaab9e702a in SfxHintPoster::LinkStubDoEvent_Impl () from 
/usr/lib/openoffice/program/libsfx680lx.so
#39 0x00002b95e5042958 in ImplWindowFrameProc () from 
/usr/lib/openoffice/program/libvcl680lx.so
#40 0x00002b95eb34ad45 in SalDisplay::DispatchInternalEvent () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#41 0x00002b95eb34ad6e in SalX11Display::Yield () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#42 0x00002b95eb34ab57 in DisplayYield () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#43 0x00002b95eb342c3f in SalXLib::Yield () from 
/usr/lib/openoffice/program/libvclplug_gen680lx.so
#44 0x00002b95e4e7a330 in Application::Yield () from 
/usr/lib/openoffice/program/libvcl680lx.so
#45 0x00002b95e4e7a3c7 in Application::Execute () from 
/usr/lib/openoffice/program/libvcl680lx.so
#46 0x0000000000429020 in desktop::Desktop::Main ()
#47 0x00002b95e4e7fcc4 in ImplSVMain () from 
/usr/lib/openoffice/program/libvcl680lx.so
#48 0x00002b95e4e7fdb5 in SVMain () from 
/usr/lib/openoffice/program/libvcl680lx.so
#49 0x000000000041c02a in sal_main ()
#50 0x00002b95e7a564ca in __libc_start_main () from /lib/libc.so.6
#51 0x000000000041bf5a in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb) info locals
pa = 0x1fd1335 "/"
p = 0x1fd132f "Ä\205.com/"
s = 0x1fd132f "Ä\205.com/"
(gdb) list
174             while (*pa != '/' && *pa != '\0')
175                 pa++;
176             /* => pa = path-abempty */
177
178             p = s;
179             while (p < pa && uri_lookup(*p) & URI_USERINFO)
180                 p++;
181
182             if (*p == '@') {
183                 parsed->userinfo = ne_strndup(s, p - s);
(gdb) p uri_chars[(unsigned)*p]
Cannot access memory at address 0x2aaeb3532fb0
(gdb) p (unsigned)*p
$1 = 4294967236
(gdb) ptype unsigned
type = unsigned int

uri_lookup macro should cast the value to unsigned char instead of
unsigned because unsigned implies unsigned int. The patch fixing this
bug is attached.

In addition, my patch adds DEB_BUILD_OPTIONS noopt support which was
useful while debugging this bug.

P.S. For some reason, OOo does not crash in my i386 chroot. I don't know
why since the bug is clearly arch independent.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=lt_LT, LC_CTYPE=lt_LT (charmap=ISO-8859-13)

Versions of packages libneon26 depends on:
ii  libc6    2.3.6.ds1-9                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii  libkrb53 1.4.4-5                         MIT Kerberos runtime libraries
ii  libssl0. 0.9.8c-4                        SSL shared libraries
ii  libxml2  2.6.27.dfsg-1                   GNOME XML library
ii  zlib1g   1:1.2.3-13                      compression library - runtime

libneon26 recommends no packages.

-- no debconf information

Attachment: ne_uri_parser_segfault_testcase.odt
Description: Zip archive

diff -uNr neon26-0.26.2/debian/changelog neon26-0.26.2.new/debian/changelog
--- neon26-0.26.2/debian/changelog      2006-12-27 22:43:11.000000000 +0200
+++ neon26-0.26.2.new/debian/changelog  2006-12-27 22:18:19.000000000 +0200
@@ -1,3 +1,12 @@
+neon26 (0.26.2-3mdx1) unstable; urgency=high
+
+  * Support "noopt" in DEB_BUILD_OPTIONS
+  * src/ne_uri.c uri_lookup(ch) macro: (unsigned) == (unsigned int), thus if
+    the macro is given a negative argument, the array is referenced beyond
+    bounds resulting in a SIGSERV.
+
+ -- Modestas Vainius <[EMAIL PROTECTED]>  Wed, 27 Dec 2006 21:32:55 +0200
+
 neon26 (0.26.2-3) unstable; urgency=medium
 
   * Fix FTBFS caused by my previous upload, patch didn't apply on 64 bit
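Review bot: the second changelog bullet names the signal as "SIGSERV"; it should read SIGSEGV. "A negative argument" could also say when that happens, namely a byte of 0x80 or above held in a signed char, which is what the non-ASCII URI in the report supplies. Since the entry is uploaded at urgency=high, consider listing the uri_lookup fix before the noopt item so the reason for the urgency is read first.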
diff -uNr neon26-0.26.2/debian/rules neon26-0.26.2.new/debian/rules
--- neon26-0.26.2/debian/rules  2006-12-27 22:43:11.000000000 +0200
+++ neon26-0.26.2.new/debian/rules      2006-12-27 21:32:45.000000000 +0200
@@ -16,7 +16,11 @@
                --enable-threadsafe-ssl=posix   \
                --with-gssapi                   \
                --with-libxml2
-CFLAGS="-O2 -g"
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+    CFLAGS="-O0 -g -Wall"
+else
+    CFLAGS="-O2 -g"
+endif
 
 ${BUILDDIR}/neon-openssl/config.status: configure
        cp  /usr/share/misc/config.guess \
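Review bot: the noopt branch sets CFLAGS="-O0 -g -Wall" while the else branch keeps "-O2 -g", so a noopt build differs from the normal one in warnings as well as in optimisation. Either add -Wall to both branches or drop it from the noopt one, so that DEB_BUILD_OPTIONS=noopt changes only the optimisation level. This change is also independent of the ne_uri.c fix and would be easier to review as a separate patch.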
diff -uNr neon26-0.26.2/src/ne_uri.c neon26-0.26.2.new/src/ne_uri.c
--- neon26-0.26.2/src/ne_uri.c  2006-10-05 15:40:46.000000000 +0300
+++ neon26-0.26.2.new/src/ne_uri.c      2006-12-27 22:18:38.000000000 +0200
@@ -110,7 +110,7 @@
 /*   Fx */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT
 };
 
-#define uri_lookup(ch) (uri_chars[(unsigned)ch])
+#define uri_lookup(ch) (uri_chars[(unsigned char)ch])
 
 char *ne_path_parent(const char *uri) 
 {
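Review bot: the macro argument in the new line is not parenthesised, so in "(unsigned char)ch" the cast binds only to the first operand if a caller passes an expression; write it as "#define uri_lookup(ch) (uri_chars[(unsigned char)(ch)])". The cast itself is the right fix provided uri_chars has an entry for every byte value, which the Fx row in the context suggests; a comment above the macro stating that the table has 256 entries and that the cast keeps the index in 0..255 would help stop the bug being reintroduced.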

--- End Message ---
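Added example (not part of the bug report or of neon's source): the index arithmetic behind the crash, computed but never used to read memory. TABLE_SIZE, idx_before, idx_after and count_oob are names assumed here; the 256-entry table size is inferred from the Fx row in the patch context, and signed char is used explicitly because the signedness of plain char varies by platform.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: one table entry per byte value (rows 0x..Fx of 16 entries). */
#define TABLE_SIZE 256u

/* Index produced by the pre-patch cast: a negative char converted to
 * unsigned int wraps modulo UINT_MAX + 1 and becomes a huge index. */
static unsigned idx_before(signed char ch) { return (unsigned)ch; }

/* Index produced by the patched cast: only the byte value survives. */
static unsigned idx_after(signed char ch) { return (unsigned char)ch; }

/* Count the bytes of s whose index, as computed by idx, lies outside the table. */
static size_t count_oob(const char *s, unsigned (*idx)(signed char))
{
    size_t n = 0;
    for (; *s != '\0'; s++)
        if (idx((signed char)*s) >= TABLE_SIZE)
            n++;
    return n;
}

int main(void)
{
    /* Constructed input: the authority from the gdb session, bytes C4 85 ".com/". */
    const char *host = "\xC4\x85.com/";

    printf("first byte: before=%u after=%u\n",
           idx_before((signed char)host[0]), idx_after((signed char)host[0]));
    printf("out-of-range lookups: before=%zu after=%zu\n",
           count_oob(host, idx_before), count_oob(host, idx_after));
    return 0;
}
```

With a 32-bit unsigned int the first byte's pre-patch index is 4294967236, the value gdb prints for (unsigned)*p in the session above.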
--- Begin Message ---
Source: neon26
Source-Version: 0.26.3-1

We believe that the bug you reported is fixed in the latest version of
neon26, which is due to be installed in the Debian FTP archive:

libneon26-dbg_0.26.3-1_i386.deb
  to pool/main/n/neon26/libneon26-dbg_0.26.3-1_i386.deb
libneon26-dev_0.26.3-1_i386.deb
  to pool/main/n/neon26/libneon26-dev_0.26.3-1_i386.deb
libneon26-gnutls-dbg_0.26.3-1_i386.deb
  to pool/main/n/neon26/libneon26-gnutls-dbg_0.26.3-1_i386.deb
libneon26-gnutls-dev_0.26.3-1_i386.deb
  to pool/main/n/neon26/libneon26-gnutls-dev_0.26.3-1_i386.deb
libneon26-gnutls_0.26.3-1_i386.deb
  to pool/main/n/neon26/libneon26-gnutls_0.26.3-1_i386.deb
libneon26_0.26.3-1_i386.deb
  to pool/main/n/neon26/libneon26_0.26.3-1_i386.deb
neon26_0.26.3-1.diff.gz
  to pool/main/n/neon26/neon26_0.26.3-1.diff.gz
neon26_0.26.3-1.dsc
  to pool/main/n/neon26/neon26_0.26.3-1.dsc
neon26_0.26.3.orig.tar.gz
  to pool/main/n/neon26/neon26_0.26.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[EMAIL PROTECTED]> (supplier of updated neon26 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  3 Mar 2007 09:33:23 +0000
Source: neon26
Binary: libneon26 libneon26-gnutls-dbg libneon26-gnutls-dev libneon26-gnutls 
libneon26-dbg libneon26-dev
Architecture: source i386
Version: 0.26.3-1
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <[EMAIL PROTECTED]>
Changed-By: Laszlo Boszormenyi (GCS) <[EMAIL PROTECTED]>
Description: 
 libneon26  - An HTTP and WebDAV client library
 libneon26-dbg - Detached symbols for libneon26
 libneon26-dev - Header and static library files for libneon26
 libneon26-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
 libneon26-gnutls-dbg - Detached symbols for libneon26 (GnuTLS enabled)
 libneon26-gnutls-dev - Header and static library files for libneon26 (GnuTLS 
enabled)
Closes: 404723 413194
Changes: 
 neon26 (0.26.3-1) unstable; urgency=low
 .
   * New upstream release to officially fix CVE-2007-0157 (closes: 404723).
   * Fix Kerberos authentication (closes: #413194).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF6pxjMDatjqUaT90RApjpAJ9wiHYwmyHu/RE9C4WWjCfU/RLm1QCgmvEl
BpNr25I7ilc1pao/u2CJXh8=
=KGTQ
-----END PGP SIGNATURE-----


--- End Message ---
