Acknowledgement sent to Modestas Vainius <geromanas@mailas.com>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
Package: libneon26
Version: 0.26.2-3mdx1
Severity: grave
Tags: patch
Hi,
libneon26 ne_uri_parse() has severe problems parsing URIs with non-ASCII
characters. Real world case is trying to save a document (example attached)
with openoffice.org-writer containing a hyperlink with non-ASCII characters
in the web link. The above action leads to OOo segfault. Consider the gdb
session below (reproducible with the attached document, type a character
and attempt to resave the document):
(gdb) bt
#0 0x00002aaab35229e5 in ne_uri_parse (uri=0x1fd1328 "http://Ä\205.com/", parsed=0x7fffc5e09660) at /tmp/buildd/neon26-0.26.2/src/ne_uri.c:179
#1 0x00002aaab33ddb4e in NeonUri () from /usr/lib/openoffice/program/libucpdav1.so
#2 0x00002aaab33b9a2a in Content () from /usr/lib/openoffice/program/libucpdav1.so
#3 0x00002aaab33b5a12 in webdav_ucp::ContentProvider::queryContent () from /usr/lib/openoffice/program/libucpdav1.so
#4 0x00002aaaab2602c3 in UniversalContentBroker::queryContent () from /usr/lib/openoffice/program/libucb1.so
#5 0x00002b95e55e8412 in (anonymous namespace)::normalizePrefix () from /usr/lib/openoffice/program/libsvt680lx.so
#6 0x00002b95e55e8972 in (anonymous namespace)::normalize () from /usr/lib/openoffice/program/libsvt680lx.so
#7 0x00002b95e55e9540 in URIHelper::normalizedMakeRelative () from /usr/lib/openoffice/program/libsvt680lx.so
#8 0x00002b95e55e9de3 in URIHelper::simpleNormalizedMakeRelative () from /usr/lib/openoffice/program/libsvt680lx.so
#9 0x00002aaaadeda6e2 in SvXMLExport::GetRelativeReference () from /usr/lib/openoffice/program/libxo680lx.so
#10 0x00002aaaadfc50fb in XMLTextParagraphExport::addHyperlinkAttributes () from /usr/lib/openoffice/program/libxo680lx.so
#11 0x00002aaaadfcea40 in XMLTextParagraphExport::exportTextRange () from /usr/lib/openoffice/program/libxo680lx.so
#12 0x00002aaaadfd35f5 in XMLTextParagraphExport::exportTextRangeEnumeration () from /usr/lib/openoffice/program/libxo680lx.so
#13 0x00002aaaadfd401b in XMLTextParagraphExport::exportParagraph () from /usr/lib/openoffice/program/libxo680lx.so
#14 0x00002aaaadfd2e2b in XMLTextParagraphExport::exportTextContentEnumeration () from /usr/lib/openoffice/program/libxo680lx.so
#15 0x00002aaaadfd54b2 in XMLTextParagraphExport::exportText () from /usr/lib/openoffice/program/libxo680lx.so
#16 0x00002aaab05af7a4 in SwXMLExport::_ExportContent () from /usr/lib/openoffice/program/libsw680lx.so
#17 0x00002aaaadedca6f in SvXMLExport::ImplExportContent () from /usr/lib/openoffice/program/libxo680lx.so
#18 0x00002aaaadee9ede in SvXMLExport::exportDoc () from /usr/lib/openoffice/program/libxo680lx.so
#19 0x00002aaab05ad8f8 in SwXMLExport::exportDoc () from /usr/lib/openoffice/program/libsw680lx.so
#20 0x00002aaaadedb220 in SvXMLExport::filter () from /usr/lib/openoffice/program/libxo680lx.so
#21 0x00002aaab05a96a3 in SwXMLWriter::WriteThroughComponent () from /usr/lib/openoffice/program/libsw680lx.so
#22 0x00002aaab05a9d4a in SwXMLWriter::WriteThroughComponent () from /usr/lib/openoffice/program/libsw680lx.so
#23 0x00002aaab05ab4af in SwXMLWriter::_Write () from /usr/lib/openoffice/program/libsw680lx.so
#24 0x00002aaab05ac389 in SwXMLWriter::WriteMedium () from /usr/lib/openoffice/program/libsw680lx.so
#25 0x00002aaab04e3f58 in StgWriter::Write () from /usr/lib/openoffice/program/libsw680lx.so
#26 0x00002aaab05a903b in SwXMLWriter::Write () from /usr/lib/openoffice/program/libsw680lx.so
#27 0x00002aaab04248f3 in SwWriter::Write () from /usr/lib/openoffice/program/libsw680lx.so
#28 0x00002aaab05f19b9 in SwDocShell::SaveAs () from /usr/lib/openoffice/program/libsw680lx.so
#29 0x00002aaaab8e8f67 in SfxObjectShell::SaveAsOwnFormat () from /usr/lib/openoffice/program/libsfx680lx.so
#30 0x00002aaaab8f77ad in SfxObjectShell::SaveTo_Impl () from /usr/lib/openoffice/program/libsfx680lx.so
#31 0x00002aaaab8f92b0 in SfxObjectShell::DoSave_Impl () from /usr/lib/openoffice/program/libsfx680lx.so
#32 0x00002aaaab8f9668 in SfxObjectShell::Save_Impl () from /usr/lib/openoffice/program/libsfx680lx.so
#33 0x00002aaaab9509b7 in SfxBaseModel::storeSelf () from /usr/lib/openoffice/program/libsfx680lx.so
#34 0x00002aaaab9688cf in SfxStoringHelper::GUIStoreModel () from /usr/lib/openoffice/program/libsfx680lx.so
#35 0x00002aaaab900ccc in SfxObjectShell::ExecFile_Impl () from /usr/lib/openoffice/program/libsfx680lx.so
#36 0x00002aaaab9baeff in SfxDispatcher::Call_Impl () from /usr/lib/openoffice/program/libsfx680lx.so
#37 0x00002aaaab9bb651 in SfxDispatcher::PostMsgHandler () from /usr/lib/openoffice/program/libsfx680lx.so
#38 0x00002aaaab9e702a in SfxHintPoster::LinkStubDoEvent_Impl () from /usr/lib/openoffice/program/libsfx680lx.so
#39 0x00002b95e5042958 in ImplWindowFrameProc () from /usr/lib/openoffice/program/libvcl680lx.so
#40 0x00002b95eb34ad45 in SalDisplay::DispatchInternalEvent () from /usr/lib/openoffice/program/libvclplug_gen680lx.so
#41 0x00002b95eb34ad6e in SalX11Display::Yield () from /usr/lib/openoffice/program/libvclplug_gen680lx.so
#42 0x00002b95eb34ab57 in DisplayYield () from /usr/lib/openoffice/program/libvclplug_gen680lx.so
#43 0x00002b95eb342c3f in SalXLib::Yield () from /usr/lib/openoffice/program/libvclplug_gen680lx.so
#44 0x00002b95e4e7a330 in Application::Yield () from /usr/lib/openoffice/program/libvcl680lx.so
#45 0x00002b95e4e7a3c7 in Application::Execute () from /usr/lib/openoffice/program/libvcl680lx.so
#46 0x0000000000429020 in desktop::Desktop::Main ()
#47 0x00002b95e4e7fcc4 in ImplSVMain () from /usr/lib/openoffice/program/libvcl680lx.so
#48 0x00002b95e4e7fdb5 in SVMain () from /usr/lib/openoffice/program/libvcl680lx.so
#49 0x000000000041c02a in sal_main ()
#50 0x00002b95e7a564ca in __libc_start_main () from /lib/libc.so.6
#51 0x000000000041bf5a in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb) info locals
pa = 0x1fd1335 "/"
p = 0x1fd132f "Ä\205.com/"
s = 0x1fd132f "Ä\205.com/"
(gdb) list
174 while (*pa != '/' && *pa != '\0')
175 pa++;
176 /* => pa = path-abempty */
177
178 p = s;
179 while (p < pa && uri_lookup(*p) & URI_USERINFO)
180 p++;
181
182 if (*p == '@') {
183 parsed->userinfo = ne_strndup(s, p - s);
(gdb) p uri_chars[(unsigned)*p]
Cannot access memory at address 0x2aaeb3532fb0
(gdb) p (unsigned)*p
$1 = 4294967236
(gdb) ptype unsigned
type = unsigned int
uri_lookup macro should cast the value to unsigned char instead of
unsigned because unsigned implies unsigned int. The patch fixing this
bug is attached.
In addition, my patch adds DEB_BUILD_OPTIONS noopt support which was
useful while debugging this bug.
P.S. For some reason, OOo does not crash in my i386 chroot. I don't know
why since the bug is clearly arch independent.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=lt_LT, LC_CTYPE=lt_LT (charmap=ISO-8859-13)
Versions of packages libneon26 depends on:
ii libc6 2.3.6.ds1-9 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-1 common error description library
ii libkrb53 1.4.4-5 MIT Kerberos runtime libraries
ii libssl0. 0.9.8c-4 SSL shared libraries
ii libxml2 2.6.27.dfsg-1 GNOME XML library
ii zlib1g 1:1.2.3-13 compression library - runtime
libneon26 recommends no packages.
-- no debconf information
Bug marked as not found in version 0.26.2-3mdx1.
Request was from Modestas Vainius <geromanas@mailas.com>
to control@bugs.debian.org.
Bug marked as found in version 0.26.2-3.
Request was from Modestas Vainius <geromanas@mailas.com>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#404723; Package libneon26.
Acknowledgement sent to "Steinar H. Gunderson" <sesse@samfundet.no>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#404723; Package libneon26.
Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Modestas Vainius <geromanas@mailas.com>
Cc: 404723@bugs.debian.org
Subject: Re: src/ne_uri.c:ne_uri_parse():179 (uri_lookup(x) macro) - SIGSERV when parsing a non-ASCII character (>128)
Date: Fri, 5 Jan 2007 21:58:14 +0100
On Wed, Dec 27, 2006 at 10:55:16PM +0200, Modestas Vainius wrote:
> P.S. For some reason, OOo does not crash in my i386 chroot. I don't know
> why since the bug is clearly arch independent.
Possibly since on i386, unsigned and char* have the same size, and thus
p[(unsigned)-128] will really be equivalent to p[-128], which is small enough
to not overflow.
Anyhow, I've NMUed with your patch, sans the noopt part. Thanks for the
analysis :-)
/* Steinar */
--
Homepage: http://www.sesse.net/
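The macro defect from the report and the i386/amd64 difference from Steinar's follow-up, as an added example that is not neon's own code: a constructed 256-entry stand-in for uri_chars[] (only ASCII letters, digits and a few marks flagged), the index each cast produces for the 0xC4 byte of "Ä", the 32-bit wraparound that hides the bug on i386, and the userinfo scan of ne_uri.c:179 rewritten with the corrected lookup. Function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for neon's uri_chars[] / URI_USERINFO: a 256-entry
 * class table in which only ASCII letters, digits and a few marks are
 * flagged as userinfo characters. Every byte >= 0x80 has class 0. */
#define URI_USERINFO 0x01
static unsigned char uri_chars[256];

static void init_uri_chars(void)
{
    memset(uri_chars, 0, sizeof uri_chars);
    for (int c = 'a'; c <= 'z'; c++) uri_chars[c] = URI_USERINFO;
    for (int c = 'A'; c <= 'Z'; c++) uri_chars[c] = URI_USERINFO;
    for (int c = '0'; c <= '9'; c++) uri_chars[c] = URI_USERINFO;
    uri_chars['.'] = uri_chars['-'] = uri_chars['_'] = URI_USERINFO;
}

/* Index the buggy macro computes: (unsigned) of a signed char. Spelled
 * signed char so the result does not depend on the platform's char
 * signedness; on x86 plain char is signed, which is what neon hit.
 * The index is only returned here, never used to touch memory. */
static unsigned long long buggy_index(signed char ch)
{
    return (unsigned)ch;            /* 0xC4 -> -60 -> 4294967236 */
}

/* Index after the fix: (unsigned char) keeps every byte in 0..255. */
static unsigned long long fixed_index(signed char ch)
{
    return (unsigned char)ch;       /* 0xC4 -> 196 */
}

/* Steinar's i386 observation: pointer + index wraps modulo 2^32 there, so
 * 4294967236 behaves like -60 and lands just below the table; on amd64
 * the same index addresses ~4 GiB past it (the SIGSEGV in the report). */
static int32_t wrapped_offset_i386(signed char ch)
{
    return (int32_t)(uint32_t)(unsigned)ch;   /* two's complement: -60 */
}

/* Hardened lookup, the shape the Debian changelog describes. */
#define uri_lookup(ch) (uri_chars[(unsigned char)(ch)])

/* Length of the run of userinfo-class bytes from s up to the first '/'
 * or NUL, mirroring the loop at ne_uri.c:179 with the fixed lookup. */
static size_t userinfo_run(const char *s)
{
    init_uri_chars();               /* idempotent, keeps the example self-contained */
    const char *pa = s, *p;
    while (*pa != '/' && *pa != '\0') pa++;
    for (p = s; p < pa && (uri_lookup(*p) & URI_USERINFO); p++) ;
    return (size_t)(p - s);
}
```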
Tags added: patch
Request was from "Steinar H. Gunderson" <sesse@samfundet.no>
to control@bugs.debian.org.
Reply sent to sesse@debian.org (Steinar H. Gunderson):
You have taken responsibility.
Notification sent to Modestas Vainius <geromanas@mailas.com>:
Bug acknowledged by developer.
Source: neon26
Source-Version: 0.26.2-3.1
We believe that the bug you reported is fixed in the latest version of
neon26, which is due to be installed in the Debian FTP archive:
libneon26-dbg_0.26.2-3.1_i386.deb
to pool/main/n/neon26/libneon26-dbg_0.26.2-3.1_i386.deb
libneon26-dev_0.26.2-3.1_i386.deb
to pool/main/n/neon26/libneon26-dev_0.26.2-3.1_i386.deb
libneon26-gnutls-dbg_0.26.2-3.1_i386.deb
to pool/main/n/neon26/libneon26-gnutls-dbg_0.26.2-3.1_i386.deb
libneon26-gnutls-dev_0.26.2-3.1_i386.deb
to pool/main/n/neon26/libneon26-gnutls-dev_0.26.2-3.1_i386.deb
libneon26-gnutls_0.26.2-3.1_i386.deb
to pool/main/n/neon26/libneon26-gnutls_0.26.2-3.1_i386.deb
libneon26_0.26.2-3.1_i386.deb
to pool/main/n/neon26/libneon26_0.26.2-3.1_i386.deb
neon26_0.26.2-3.1.diff.gz
to pool/main/n/neon26/neon26_0.26.2-3.1.diff.gz
neon26_0.26.2-3.1.dsc
to pool/main/n/neon26/neon26_0.26.2-3.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 404723@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steinar H. Gunderson <sesse@debian.org> (supplier of updated neon26 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 5 Jan 2007 21:40:29 +0100
Source: neon26
Binary: libneon26 libneon26-gnutls-dbg libneon26-gnutls-dev libneon26-gnutls libneon26-dbg libneon26-dev
Architecture: source i386
Version: 0.26.2-3.1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Steinar H. Gunderson <sesse@debian.org>
Description:
libneon26 - An HTTP and WebDAV client library
libneon26-dbg - Detached symbols for libneon26
libneon26-dev - Header and static library files for libneon26
libneon26-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
libneon26-gnutls-dbg - Detached symbols for libneon26 (GnuTLS enabled)
libneon26-gnutls-dev - Header and static library files for libneon26 (GnuTLS enabled)
Closes: 404723
Changes:
neon26 (0.26.2-3.1) unstable; urgency=high
.
* Non-maintainer upload.
* In the uri_lookup() macro, cast to unsigned char instead of unsigned
(which equals unsigned int), to avoid buffer overruns and SIGSEGV when
parsing URIs with non-ASCII characters; patch from Modestas Vainius.
(Closes: #404723)
Files:
Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
You have taken responsibility.
Notification sent to Modestas Vainius <geromanas@mailas.com>:
Bug acknowledged by developer.
Source: neon26
Source-Version: 0.26.3-1
We believe that the bug you reported is fixed in the latest version of
neon26, which is due to be installed in the Debian FTP archive:
libneon26-dbg_0.26.3-1_i386.deb
to pool/main/n/neon26/libneon26-dbg_0.26.3-1_i386.deb
libneon26-dev_0.26.3-1_i386.deb
to pool/main/n/neon26/libneon26-dev_0.26.3-1_i386.deb
libneon26-gnutls-dbg_0.26.3-1_i386.deb
to pool/main/n/neon26/libneon26-gnutls-dbg_0.26.3-1_i386.deb
libneon26-gnutls-dev_0.26.3-1_i386.deb
to pool/main/n/neon26/libneon26-gnutls-dev_0.26.3-1_i386.deb
libneon26-gnutls_0.26.3-1_i386.deb
to pool/main/n/neon26/libneon26-gnutls_0.26.3-1_i386.deb
libneon26_0.26.3-1_i386.deb
to pool/main/n/neon26/libneon26_0.26.3-1_i386.deb
neon26_0.26.3-1.diff.gz
to pool/main/n/neon26/neon26_0.26.3-1.diff.gz
neon26_0.26.3-1.dsc
to pool/main/n/neon26/neon26_0.26.3-1.dsc
neon26_0.26.3.orig.tar.gz
to pool/main/n/neon26/neon26_0.26.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 404723@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.hu> (supplier of updated neon26 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 3 Mar 2007 09:33:23 +0000
Source: neon26
Binary: libneon26 libneon26-gnutls-dbg libneon26-gnutls-dev libneon26-gnutls libneon26-dbg libneon26-dev
Architecture: source i386
Version: 0.26.3-1
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Description:
libneon26 - An HTTP and WebDAV client library
libneon26-dbg - Detached symbols for libneon26
libneon26-dev - Header and static library files for libneon26
libneon26-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
libneon26-gnutls-dbg - Detached symbols for libneon26 (GnuTLS enabled)
libneon26-gnutls-dev - Header and static library files for libneon26 (GnuTLS enabled)
Closes: 404723 413194
Changes:
neon26 (0.26.3-1) unstable; urgency=low
.
* New upstream release to officially fix CVE-2007-0157 (closes: 404723).
* Fix Kerberos authentication (closes: #413194).
Files:
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>: Bug#404723; Package libneon26.
Acknowledgement sent to Mikael Nilsson <mikael@nilsson.name>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
I still have issues with openoffice crashing when saving the attached
document. The non-ASCII chars are now in the path, not the host name.
Try opening the file, adding a space and saving.
--
<mikael@nilsson.name>
Plus ça change, plus c'est la même chose