Debian Bug report logs - #59891
Security problem in MIME-handling code

Package: mh; Maintainer for mh is (unknown);

Reported by: ruud <ruud@work.ruud.org>

Date: Wed, 8 Mar 2000 08:33:02 UTC

Severity: fixed

Done: Matej Vela <vela@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Edward Brocklesby <ejb@debian.org>:
Bug#59891; Package mh.


Acknowledgement sent to ruud <ruud@work.ruud.org>:
New Bug report received and forwarded. Copy sent to Edward Brocklesby <ejb@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: ruud <ruud@work.ruud.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Security problem in MIME-handling code
Date: Wed, 08 Mar 2000 09:20:38 +0100
Package: mh
Version: unknown
Severity: grave

The MH package has the same security problem with MIME handling as nmh had
prior to nmh 1.0.3.  The patch for nmh is available at
http://www.mhost.com/cgi-bin/cvsweb/nmh/uip/mhshowsbr.c?r1=1.3&r2=1.4

See also
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-01&msg=200003030037.QAA22150@dilvish.speed.net

-- System Information
Debian Release: 2.2
Architecture: i386
Kernel: Linux stef 2.2.14 #1 Fri Jan 21 09:24:58 CET 2000 i586



Information forwarded to debian-bugs-dist@lists.debian.org, Edward Brocklesby <ejb@debian.org>:
Bug#59891; Package mh.


Acknowledgement sent to Taketoshi Sano <kgh12351@nifty.ne.jp>:
Extra info received and forwarded to list. Copy sent to Edward Brocklesby <ejb@debian.org>.


Message #10 received at 59891@bugs.debian.org:

From: Taketoshi Sano <kgh12351@nifty.ne.jp>
To: ejb@debian.org
Cc: dark@xs4all.nl, 59227@bugs.debian.org, 59891@bugs.debian.org, 60881@bugs.debian.org, kgh12351@nifty.ne.jp, kubota@debian.or.jp, mh-plus@material.chem.eng.himeji-tech.ac.jp
Subject: Re: 5 days till Bug Horizon
Date: Thu, 23 Mar 2000 12:37:26 +0900
(I am sending a copy of this mail to the Release Manager for potato,
several related entries on the BTS, the previous maintainer of the JP package
of mh-ja, and the upstream of the MH-JP patch which is used in the current
Debian package of mh.)

Hi, Edward. Have you already uploaded a new version of your mh package?

In <20000322105003.A23299@xs4all.nl> (on debian-devel-announce list),
 at "Wed, 22 Mar 2000 10:50:03 +0100", with "5 days till Bug Horizon",
  Richard Braakman <dark@xs4all.nl> writes:

dark> Package: mh (debian/main).
dark> Maintainer: Edward Brocklesby <ejb@debian.org>
dark>   59227 htdig: Apparent infinite recursion
dark>   59891 Security problem in MIME-handling code

Bug 59227 is a fairly easily fixable typo in the packaging script.
53892, 54042, and 57415 are for the same problem.

If you will take some more days to close these bugs,
I will do a source NMU to fix this. What do you think?

I have checked 59891, and I think the current mh does not have
this bug.

ruud <ruud@work.ruud.org> wrote in his report
(http://bugs.debian.org/59891)

  | Package: mh
  | Version: unknown
  | Severity: grave
  | 
  | The MH package has the same security problem with MIME handling as nmh had
  | prior to nmh 1.0.3.  The patch for nmh is available at
  | http://www.mhost.com/cgi-bin/cvsweb/nmh/uip/mhshowsbr.c?r1=1.3&r2=1.4
  | 
  | See also
  | http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-03-01&msg=200003030037.QAA22150@dilvish.speed.net

I have checked these URLs. The problem seems to be some kind of buffer overrun.

"The patch for nmh" includes:

diff -u -r1.3 -r1.4
--- nmh/uip/mhshowsbr.c 1999/09/26 17:45:56     1.3
+++ nmh/uip/mhshowsbr.c 2000/02/28 17:09:02     1.4
(snip)
@@ -325,9 +325,9 @@
 int
 show_content_aux (CT ct, int serial, int alternate, char *cp, char *cracked)
 {
-    int fd, len, buflen;
+    int fd, len, buflen, quoted;
     int        xstdin, xlist, xpause, xtty;
-    char *bp, *file, buffer[BUFSIZ];
+    char *bp, *pp, *file, buffer[BUFSIZ];
     CI ci = &ct->c_ctinfo;
 
     if (!ct->c_ceopenfnx) {
(snip)
@@ -355,12 +355,15 @@
 
     /* get buffer ready to go */
     bp = buffer;
-    bp[0] = '\0';
-    buflen = sizeof(buffer);
+    buflen = sizeof(buffer) - 1;
+    bp[0] = bp[buflen] = '\0';
+    quoted = 0;
 
     /* Now parse display string */
-    for ( ; *cp; cp++) {
+    for ( ; *cp && buflen > 0; cp++) {
        if (*cp == '%') {
+           pp = bp;
+
            switch (*++cp) {
            case 'a':
                /* insert parameters from Content-Type field */
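
Review bot: the new loop guard in `for ( ; *cp && buflen > 0; cp++)` ends parsing silently once the buffer is full, and nothing in the visible lines marks the result as truncated. A display string cut off at an arbitrary byte should be rejected rather than used, so consider returning an error when the loop exits with `*cp` still non-zero. The guard also only holds if every branch below decrements `buflen` by exactly what it writes, which these lines do not show.
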
(snip)

But the source tree of mh in the current Debian package does
not include "uip/mhshowsbr.c". So this patch cannot be used.
And the function show_content_aux(), which is written in uip/mhn.c,
already has the code to check for the buffer overrun.

Here is the related diff from mh_6.8.4-JP-3.02-32.diff.gz
(this Debian diff uses the patch from the MH-JP project)

--- mh-6.8.4-JP-3.02.orig/uip/mhn.c
+++ mh-6.8.4-JP-3.02/uip/mhn.c
(snip)
@@ -1936,7 +2162,7 @@
            xtty;
     register char  *bp;
     char   *file,
-           buffer[BUFSIZ];
+           buffer[BUFSIZ], *bufend;
     register CI ci = &ct -> c_ctinfo;
 
     if (!ct -> c_ceopenfnx) {
(snip)
@@ -1958,6 +2184,7 @@
        goto got_command;
     }
     buffer[0] = '\0';
+    bufend = buffer + sizeof(buffer) - NAMESZ; /* NAMESZ for c_termproc */
     for (bp = buffer; *cp; cp++)
        if (*cp == '%') {
            switch (*++cp) {
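
Review bot: the reserve in `bufend = buffer + sizeof(buffer) - NAMESZ;` is justified only by the comment "NAMESZ for c_termproc", and nothing in the lines shown enforces that what is appended for c_termproc later stays within NAMESZ bytes. Either check that length where it is appended or compute the reserve from the actual string, so the margin cannot fall out of step with its use.
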
@@ -1970,6 +2197,8 @@
                        for (ap = ci -> ci_attrs, ep = ci -> ci_values;
                                 *ap;
                                 ap++, ep++) {
+                           if (bp + strlen(*ap) + strlen(*ep) + 4 >= bufend)
+                               break;
                            (void) sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep);
                            bp += strlen (bp);
                            s = " ";
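
Review bot: the constant in `bp + strlen(*ap) + strlen(*ep) + 4 >= bufend` is a hand count of the separator, the `=` and the two double quotes that the `sprintf` on the next line adds, so it is only right while `s` is at most one character and the format string stays as it is. Deriving it from `strlen(s)` plus a named constant, or using a length-limited formatter, would keep the check and the write in step. The `break` also leaves only the attribute loop, so the remaining attributes are dropped without any indication.
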
(snip)
@@ -2021,6 +2258,8 @@
        }
         else {
 raw: ;
+           if (bp + 1 >= bufend)
+               break;
            *bp++ = *cp;
            *bp = '\0';
        }
(snip)
@@ -2195,7 +2446,7 @@
     register char  *bp,
                   *cp;
     char   *file,
-           buffer[BUFSIZ];
+           buffer[BUFSIZ], *bufend;
     register CI ci = &ct -> c_ctinfo;
     FILE       *fp;
 
(snip)
@@ -2323,6 +2589,8 @@
                    goto raw;
 
                default:
+                   if (bp + 1 >= bufend)
+                       break;
                    *bp++ = *--cp;
                    *bp = '\0';
                    continue;
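
Review bot: the `break` added under `default:` exits the enclosing `switch` rather than the parse loop, so on a full buffer control falls through to whatever follows the `switch` instead of stopping, and the `--cp` step is skipped. The identical test in the `raw:` branch of the next hunk sits outside the `switch`, where `break` does end the loop. If stopping is the intent here too, make it explicit, for example with a `goto` to a common overflow label, and confirm that the code after the `switch` cannot advance `bp` past `bufend`.
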
@@ -2331,6 +2599,8 @@
        }
        else {
 raw: ;
+           if (bp + 1 >= bufend)
+               break;
            *bp++ = *cp;
            *bp = '\0';
        }
(snip)
@@ -3046,7 +3339,7 @@
            xtty;
     register char  *bp,
                   *cp;
-    char    buffer[BUFSIZ];
+    char    buffer[BUFSIZ], *bufend;
     register struct multipart *m = (struct multipart *) ct -> c_ctparams;
     register struct part *part;
     register CI ci = &ct -> c_ctinfo;
(snip)
@@ -3088,6 +3404,7 @@
 
     xlist = xpause = xtty = 0;
     buffer[0] = '\0';
+    bufend = buffer + sizeof(buffer) - NAMESZ; /* NAMESZ for c_termproc */
     for (bp = buffer; *cp; cp++)
        if (*cp == '%') {
            switch (*++cp) {
@@ -3100,6 +3417,8 @@
                        for (ap = ci -> ci_attrs, ep = ci -> ci_values;
                                 *ap;
                                 ap++, ep++) {
+                           if (bp + strlen(*ap) + strlen(*ep) + 4 >= bufend)
+                               break;
                            (void) sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep);
                            bp += strlen (bp);
                            s = " ";

and so on.

In addition to the patch above, the changelog from MH-JP shows that
the buffer overrun has been fixed. CHANGES.JP (which was originally
written in Japanese, and although I have tried to translate this
document into English, I have not completed it yet) includes:

/* [1998-12-02] mh-6.8.4-JP-3.01  (by MH-plus project) */

  * fix the security hole about buffer overrun with a very long MIME
    header line.

So I think you (Edward, the maintainer of mh) can close this 59891
safely.

Lastly, I found the new important report 60881.
The report includes the URI of the patch to fix this,
so this may be fairly simple. If you wish, I will upload
my source NMU with the fix for this also.

Sorry if you have uploaded the newer package. I wish to see your mh
package in potato. Thanks.

-- 
  Taketoshi Sano: <sano@debian.org>,<sano@debian.or.jp>,<kgh12351@nifty.ne.jp>


Severity set to `fixed'. Request was from Taketoshi Sano <sano@debian.org> to control@bugs.debian.org.


Severity set to `grave'. Request was from Taketoshi Sano <kgh12351@nifty.ne.jp> to control@bugs.debian.org.


Severity set to `fixed'. Request was from Taketoshi Sano <sano@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Edward Brocklesby <ejb@debian.org>:
Bug#59891; Package mh.


Acknowledgement sent to Taketoshi Sano <kgh12351@nifty.ne.jp>:
Extra info received and forwarded to list. Copy sent to Edward Brocklesby <ejb@debian.org>.


Message #29 received at 59891@bugs.debian.org:

From: Taketoshi Sano <kgh12351@nifty.ne.jp>
To: 59891@bugs.debian.org
Cc: ruud@ruud.org, mh@packages.debian.org, dark@xs4all.nl, sano@debian.org
Subject: I think Bug 59891 is fixed in mh_6.8.4-JP-3.03-32.3
Date: Mon, 27 Mar 2000 15:29:14 +0900
Hi.

I have got the response from the upstream of the MH-JP patch, and
he provided me a safer solution.

Here is the patch he gave me (this is for pure MH_6.8.4-JP-3.03,
so line numbers are a little different for the code in the Debian package,
but it can be applied to mh_6.8.4-JP-3.03-32.1):

--- uip/mhn.c.orig	Tue Feb  9 20:30:00 1999
+++ uip/mhn.c	Sun Mar 26 17:29:18 2000
@@ -2194,13 +2194,30 @@
 			register char **ap,
 				      **ep;
 			char   *s = "";
+			char   *pp;
+			int     len;
 
 			for (ap = ci -> ci_attrs, ep = ci -> ci_values;
 			         *ap;
 			         ap++, ep++) {
 			    if (bp + strlen(*ap) + strlen(*ep) + 4 >= bufend)
 				break;
-			    (void) sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep);
+			    (void) sprintf (bp, "%s\'%s=%s\'", s, *ap, *ep);
+
+			    /* Escape existing quotes */
+			    pp = bp + strlen(s) + 1;
+			    while ((pp = index(pp, '\''))
+				   && (*(pp+1) != '\0')) {
+				len = strlen(pp++);
+				if (pp + len + 3 > bufend) {
+				    *bp = '\0';
+				    break;
+				}
+				bcopy(pp, pp + 3, len);
+				*pp++ = '\\';
+				*pp++ = '\'';
+				*pp++ = '\'';
+			    }
 			    bp += strlen (bp);
 			    s = " ";
 			}
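
Review bot: the overflow path inside the escape loop (`*bp = '\0'; break;`) leaves only the `while`, so the attribute is discarded, `s` is still set to " " and the `for` loop carries on with the next attribute; the command line is then built with one parameter silently missing. Treat this as a hard failure for the whole string instead. The pre-check before the `sprintf` also budgets only for the unescaped length, which is why this second check is needed; computing the escaped length up front (one byte per character, four per `'`) would let a single test cover both.
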
@@ -2541,13 +2558,30 @@
 			register char **ap,
 				      **ep;
 			char   *s = "";
+			char   *pp;
+			int     len;
 
 			for (ap = ci -> ci_attrs, ep = ci -> ci_values;
 			         *ap;
 			         ap++, ep++) {
 			    if (bp + strlen(*ap) + strlen(*ep) + 4 >= bufend)
 				break;
-			    (void) sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep);
+			    (void) sprintf (bp, "%s\'%s=%s\'", s, *ap, *ep);
+
+			    /* Escape existing quotes */
+			    pp = bp + strlen(s) + 1;
+			    while ((pp = index(pp, '\''))
+				   && (*(pp+1) != '\0')) {
+				len = strlen(pp++);
+				if (pp + len + 3 > bufend) {
+				    *bp = '\0';
+				    break;
+				}
+				bcopy(pp, pp + 3, len);
+				*pp++ = '\\';
+				*pp++ = '\'';
+				*pp++ = '\'';
+			    }
 			    bp += strlen (bp);
 			    s = " ";
 			}
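
Review bot: this hunk repeats the escape loop added in the hunk at 2194, and the hunk at 3411 repeats it again. Three copies of pointer arithmetic against `bufend` are easy to let drift apart; move the quoting into one helper that takes `bp`, `bufend`, the separator, the attribute and the value, and call it from all three sites.
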
@@ -3411,13 +3445,30 @@
 			register char **ap,
 				      **ep;
 			char   *s = "";
+			char   *pp;
+			int     len;
 
 			for (ap = ci -> ci_attrs, ep = ci -> ci_values;
 			         *ap;
 			         ap++, ep++) {
 			    if (bp + strlen(*ap) + strlen(*ep) + 4 >= bufend)
 				break;
-			    (void) sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep);
+			    (void) sprintf (bp, "%s\'%s=%s\'", s, *ap, *ep);
+		
+			    /* Escape existing quotes */
+			    pp = bp + strlen(s) + 1;
+			    while ((pp = index(pp, '\''))
+				   && (*(pp+1) != '\0')) {
+				len = strlen(pp++);
+				if (pp + len + 3 > bufend) {
+				    *bp = '\0';
+				    break;
+				}
+				bcopy(pp, pp + 3, len);
+				*pp++ = '\\';
+				*pp++ = '\'';
+				*pp++ = '\'';
+			    }
 			    bp += strlen (bp);
 			    s = " ";
 			}
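
Review bot: the added line after the `sprintf` in this hunk contains only tabs, unlike the empty line added at the same place in the two earlier hunks; drop the trailing whitespace. `index()` and `bcopy()` are legacy BSD names, for which `strchr()` and `memmove()` are the ISO C equivalents, and `len` would be better declared as `size_t` since it holds a `strlen()` result.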


He (the current maintainer of MH-JP patch) noted also that my patch 
(which is used in 6.8.4-JP-3.03-32.2) has another security hole 
(a kind of buffer overrun), so I applied this patch to mh package 
and uploaded it as 6.8.4-JP-3.03-32.3.

I think the newest one (6.8.4-JP-3.03-32.3) can close 59891 safely.
Please include it into potato. Thanks.

-- 
  Taketoshi Sano: <sano@debian.org>,<sano@debian.or.jp>,<kgh12351@nifty.ne.jp>
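
The `'\''` quoting that the patch above applies to `%a` attributes, as an added example that is not part of this thread or of mhn.c: it sizes the escaped result before writing anything and fails closed instead of truncating. `quote_attrs`, its two helpers and the sample arrays are hypothetical names introduced here.

```c
#include <stddef.h>
#include <string.h>

/* Bytes s occupies once every ' is expanded to the 4-byte sequence '\'' . */
static size_t escaped_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        n += (*s == '\'') ? 4 : 1;
    return n;
}

/* Copy s to out, expanding each ' to '\''; returns the new write position. */
static char *put_escaped(char *out, const char *s)
{
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(out, "'\\''", 4);
            out += 4;
        } else {
            *out++ = *s;
        }
    }
    return out;
}

/*
 * Write each name=value pair into buf as its own single-quoted shell word.
 * names is NULL-terminated and values runs parallel to it.
 * Returns 0 on success; if the complete result does not fit, returns -1 and
 * leaves buf empty so the caller cannot go on to use a truncated string.
 */
int quote_attrs(char *buf, size_t size,
                const char *const *names, const char *const *values)
{
    char *bp = buf;
    size_t left = size;
    const char *sep = "";
    if (size == 0)
        return -1;
    for (; *names; names++, values++) {
        /* the constant 3 covers the two quotes and the '=' */
        size_t need = strlen(sep) + escaped_len(*names) + escaped_len(*values) + 3;
        if (need >= left) {             /* one byte stays free for the NUL */
            buf[0] = '\0';
            return -1;
        }
        memcpy(bp, sep, strlen(sep));
        bp += strlen(sep);
        *bp++ = '\'';
        bp = put_escaped(bp, *names);
        *bp++ = '=';
        bp = put_escaped(bp, *values);
        *bp++ = '\'';
        left -= need;
        sep = " ";
    }
    *bp = '\0';
    return 0;
}

/* Constructed sample attributes, not taken from a real message. */
static const char *const sample_names[]  = { "name", "charset", NULL };
static const char *const sample_values[] = { "a'b", "us-ascii", NULL };
```

It covers only the attribute list; a template that already places the escape inside its own quotes, the case raised in the follow-up, needs separate handling.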


Information forwarded to debian-bugs-dist@lists.debian.org, Edward Brocklesby <ejb@debian.org>:
Bug#59891; Package mh.


Acknowledgement sent to ruud@ruud.org (Ruud de Rooij):
Extra info received and forwarded to list. Copy sent to Edward Brocklesby <ejb@debian.org>.


Message #34 received at 59891@bugs.debian.org:

From: ruud@ruud.org (Ruud de Rooij)
To: Taketoshi Sano <kgh12351@nifty.ne.jp>
Cc: 59891@bugs.debian.org, sano@debian.org
Subject: Re: I think Bug 59891 is fixed in mh_6.8.4-JP-3.03-32.3
Date: Mon, 27 Mar 2000 13:47:26 +0200
On 2000/03/27, Taketoshi Sano wrote:

> I have got the response from the upstream of the MH-JP patch, and
> he provided me a safer solution.
> 
> Here is the patch he gave me (this is for pure MH_6.8.4-JP-3.03,
> so line numbers are a little different for the code in the Debian package,
> but it can be applied to mh_6.8.4-JP-3.03-32.1):

Without looking into this patch in detail, it appears to only cover the %a 
escape, whereas the other escapes are vulnerable as well (%s and %d).  Also, 
you should be careful to consider cases where mhn_defaults contains the escapes
already in quotes itself.

Once again, I didn't have the time yet to take a good look at it, so please 
correct me if I am wrong.

Thanks,

Ruud.
-- 
ruud de rooij | ruud@ruud.org | http://ruud.org




Severity set to `fixed'. Request was from Taketoshi Sano <sano@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Edward Brocklesby <ejb@debian.org>:
Bug#59891; Package mh.


Acknowledgement sent to Taketoshi Sano <kgh12351@nifty.ne.jp>:
Extra info received and forwarded to list. Copy sent to Edward Brocklesby <ejb@debian.org>.


Message #41 received at 59891@bugs.debian.org:

From: Taketoshi Sano <kgh12351@nifty.ne.jp>
To: ruud@ruud.org
Cc: 59891@bugs.debian.org, sano@debian.org, <dark@xs4all.nl>
Subject: I will upload mh_6.8.4-JP-3.03-32.4 into potato (Re: I think Bug 59891 is fixed in mh_6.8.4-JP-3.03-32.3 )
Date: Tue, 28 Mar 2000 16:56:57 +0900
Hi Ruud! Thank you for checking.

In <20000327114726.9C04A15F6C@erwin.work.ruud.org>,
 at "Mon, 27 Mar 2000 13:47:26 +0200",
 with "Re: I think Bug 59891 is fixed in mh_6.8.4-JP-3.03-32.3 ",
  ruud@ruud.org (Ruud de Rooij) writes:

ruud> Without looking into this patch in detail, it appears to only cover the %a 
ruud> escape, whereas the other escapes are vulnerable as well (%s and %d).  Also, 
ruud> you should be careful to consider cases where mhn_defaults contains the escapes
ruud> already in quotes itself.

Yes, the old patch only covers the %a escape. I created a new patch for the
other escapes as much as I can. This one can handle the case where mhn_defaults
contains the escapes already in quotes itself, I think.

I will upload this version, maybe tomorrow night.

ruud> Once again, I didn't have the time yet to take a good look at it, 
ruud> so please correct me if I am wrong.
ruud> 
ruud> Thanks,
ruud> 
ruud> Ruud.

Thank you for your kind advice. :)

* message for Our Potato Release Manager:
Please include the new version into potato, after I upload it.

I attach the new patch for BTS (this should be applied after the old patch)


-- 
  Taketoshi Sano: <sano@debian.org>,<sano@debian.or.jp>,<kgh12351@nifty.ne.jp>


Reply sent to Matej Vela <vela@debian.org>:
You have taken responsibility.


Notification sent to ruud <ruud@work.ruud.org>:
Bug acknowledged by developer.


Message #46 received at 59891-done@bugs.debian.org:

From: Matej Vela <vela@debian.org>
To: 59891-done@bugs.debian.org
Subject: Fixed in mh 6.8.4-JP-3.03-32.2
Date: Mon, 12 Nov 2001 16:52:01 +0100
(Now that mh is orphaned, NMU fixed bugs can be closed.)

Here is the relevant changelog entry:

  mh (6.8.4-JP-3.03-32.2) frozen unstable; urgency=low

    * Non Maintainer
    * Previous one does not close the bug really. This one does.
      Thanks to Ruud de Rooij. Closes: #59891

   -- Taketoshi Sano <sano@debian.org>  Fri, 24 Mar 2000 23:49:38 +0900



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 4 17:42:02 2024; Machine Name: buxtehude
