[Debian-hebrew-package] Bug#346386: Small fix for bidiv, might have security implications

Lior Kaplan webmaster at guides.co.il
Sat Jan 7 15:37:19 UTC 2006


package: bidiv
version: 1.4-4
tags: security patch pending

Hi,

Attached is a small patch regarding an allocation bug, which might produce
a security problem.

"... you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes."

Steps already done:
1. Contact upstream to see if they have any comments about the patch or
if they'd like to add changes.
2. Prepare the package for upload to unstable (
http://svn.debian.org/wsvn/debian-hebrew/pkg/bidiv/trunk/ )
3. CCing the security team to coordinate upload to stable.

Lior Kaplan,
Debian Hebrew project

-------- Original Message --------
Subject: Fwd: Small fix for bidiv, might have security implications
Date: Sat, 7 Jan 2006 11:50:14 +0200
From: Shachar Raindel <shacharr at gmail.com>
Reply-To: raindel at tx.technion.ac.il
To: debian-hebrew-package at lists.alioth.debian.org, webmaster at guides.co.il
References: <e09338a10601070145n11edc85bt5ff149f3b8e5058e at mail.gmail.com>

I forward this e-mail to you as well since it seems that you might
also be related to this package maintenance

---------- Forwarded message ----------
From: Shachar Raindel <shacharr at gmail.com>
Date: Jan 7, 2006 11:45 AM
Subject: Small fix for bidiv, might have security implications
To: Nadav Har'El <nyh at math.technion.ac.il>, baruch at debian.org


Hi,
  After having bidiv crashing on me when using it to filter a
directory listing, I took the time to run it through valgrind. I found
out that when allocating the Unicode storage strings (unicode_in and
unicode_out), you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes. I haven't tried to exploit this, but it might (though very
unlikely) be possible to exploit this bug. I attach a patch against
the 1.4 version of bidiv which fixes this problem (and also frees the
memory it allocates when it is done using it).

  Thanks for the great tool anyway.

    Regards,
    Shachar


-- 

Lior Kaplan
kaplanlior at gmail.com
http://www.Guides.co.il

Debian GNU/Linux unstable (SID)

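The sizing mistake described in the report, as an added example: this is not bidiv's code and not the attached patch, but a small model of the same buffer layout. bidiv reads a line of at most `width` bytes into a `width+1` byte char buffer, decodes it into an array of wide code points (FriBidiChar in the real program; a `uint32_t` stands in for it here, an assumption) and NUL-terminates that array. A line of `width` single-byte characters decodes to `width` code points plus the terminator, so the array needs `width+1` elements. The decoder below is bounds-checked and reports the shortfall instead of writing past the buffer, which is how the unpatched allocation's failure shows up on a full-width line; the function names and the sample line are constructed for this example.

```c
/*
 * Added example, not bidiv's code: models the Unicode buffer sizing that the
 * bug report describes. CodePoint stands in for FriBidiChar (assumption).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t CodePoint;

/* Element count of the original (unpatched) allocation: one short. */
size_t unicode_elems_buggy(size_t width) { return width; }

/* Element count after the patch: room for every code point and the 0. */
size_t unicode_elems_fixed(size_t width) { return width + 1; }

/*
 * Decode a NUL-terminated UTF-8 line into dst, then write a terminating 0.
 * Returns the number of elements written including the terminator, or 0 if
 * dst_elems is too small or the input is malformed. Unlike an unchecked
 * loop, this refuses to write past the end of dst, which is exactly the
 * write the unpatched allocation allowed on a full-width line.
 */
size_t decode_line(const char *src, CodePoint *dst, size_t dst_elems)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t n = 0;

    if (dst_elems == 0)
        return 0;
    while (*p) {
        CodePoint cp;
        size_t len;
        if (*p < 0x80)                { cp = *p;        len = 1; }
        else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; len = 2; }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; len = 3; }
        else if ((*p & 0xF8) == 0xF0) { cp = *p & 0x07; len = 4; }
        else return 0;                       /* invalid lead byte */
        for (size_t i = 1; i < len; i++) {
            if ((p[i] & 0xC0) != 0x80)
                return 0;                    /* truncated or bad continuation */
            cp = (cp << 6) | (p[i] & 0x3F);
        }
        if (n + 1 >= dst_elems)
            return 0;                        /* no room for cp plus terminator */
        dst[n++] = cp;
        p += len;
    }
    dst[n++] = 0;
    return n;
}

/* Allocate `elems` elements, decode `line` into them and report the count. */
size_t try_decode(const char *line, size_t elems)
{
    CodePoint *buf = malloc(elems * sizeof *buf);
    if (!buf)
        return 0;
    size_t n = decode_line(line, buf, elems);
    free(buf);
    return n;
}

/* Decode `line` with a buffer that always fits and return code point idx. */
CodePoint decode_nth(const char *line, size_t idx)
{
    size_t elems = strlen(line) + 1;        /* byte count >= code point count */
    CodePoint *buf = malloc(elems * sizeof *buf);
    if (!buf)
        return 0;
    CodePoint cp = 0;
    if (decode_line(line, buf, elems) > idx)
        cp = buf[idx];
    free(buf);
    return cp;
}

int main(void)
{
    size_t width = 16;
    char line[17];                           /* width + 1, like bidiv's `in` */
    memset(line, 'a', width);                /* constructed full-width line */
    line[width] = '\0';

    printf("buggy sizing (%zu elems): decoded %zu elements (0 = did not fit)\n",
           unicode_elems_buggy(width), try_decode(line, unicode_elems_buggy(width)));
    printf("fixed sizing (%zu elems): decoded %zu elements\n",
           unicode_elems_fixed(width), try_decode(line, unicode_elems_fixed(width)));
    return 0;
}
```

With the buggy sizing the full-width line cannot be decoded without dropping the terminator, which is the one-element overrun valgrind flagged; with the patched sizing the same line decodes to `width + 1` elements exactly.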
-------------- next part --------------
--- bidiv-1.4/bidiv-orig.c	2006-01-07 11:15:38.000000000 +0200
+++ bidiv-1.4/bidiv.c	2006-01-07 11:30:56.000000000 +0200
@@ -67,8 +67,8 @@
 	in=(char *)malloc(width+1);
 	out=(char *)malloc(width*7+1); /* 7 is the maximum number of
 					  bytes in one UTF8 char? */
-	unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
-	unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
+	unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
+	unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
 
 	c=0;
 	while(c!=EOF){
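Review bot: the corrected allocations in this hunk are still never checked for a NULL return, and all four buffers feed straight into the read loop that follows (`c=0; while(c!=EOF){`), so an allocation failure on a large `width` would dereference NULL; add a check such as `if(!in||!out||!unicode_in||!unicode_out){perror("malloc");exit(1);}` after the last malloc. The `+1` itself is right: `in` is sized `width+1` and holds a NUL-terminated line of up to `width` bytes, so its decoded form can hold up to `width` code points plus the terminator. While here, the comment `7 is the maximum number of bytes in one UTF8 char?` should lose its question mark: UTF-8 as specified in RFC 3629 uses at most 4 bytes per code point (6 under the original scheme), so `width*7+1` is a safe overestimate and the comment can say so.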
@@ -212,6 +212,11 @@
 				putchar(' ');
 		puts(out);
 	}
+	// Free the memory we have allocated
+	free(in);
+	free(out);
+	free(unicode_in);
+	free(unicode_out);
 }
 
 int
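Review bot: the added `// Free the memory we have allocated` line uses a C99 line comment while the rest of the file uses `/* ... */` (see the `7 is the maximum number of bytes` comment in the first hunk); use the block form for consistency and for compilers that predate C99. The four `free()` calls match the four allocations in the first hunk, but they only run when control reaches the end of this block; if the function has any early `return` or `exit()` path not shown here, the buffers are still leaked on that path, so either release them on every exit or keep the pointers where the caller can free them.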
