[Debian-hebrew-package] Bug#346386: marked as done (Small fix for bidiv, might have security implications)

Debian Bug Tracking System owner at bugs.debian.org
Sat Jan 7 18:03:10 UTC 2006


Your message dated Sat, 07 Jan 2006 09:47:07 -0800
with message-id <E1EvI9j-00067d-JV at spohr.debian.org>
and subject line Bug#346386: fixed in bidiv 1.4-6
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Jan 2006 15:38:03 +0000
>From webmaster at guides.co.il Sat Jan 07 07:38:03 2006
Return-path: <webmaster at guides.co.il>
Received: from mtaout5.barak.net.il ([212.150.49.175])
	by spohr.debian.org with esmtp (Exim 4.50)
	id 1EvG8p-0003tG-6x
	for submit at bugs.debian.org; Sat, 07 Jan 2006 07:38:03 -0800
Received: from [85.65.220.88] by mtaout5.barak.net.il
 (Sun Java System Messaging Server 6.1 HotFix 0.02 (built Aug 25 2004))
 with ESMTPA id <0ISQ00GQJBFQ1600 at mtaout5.barak.net.il> for
 submit at bugs.debian.org; Sat, 07 Jan 2006 17:38:14 +0200 (IST)
Date: Sat, 07 Jan 2006 17:37:19 +0200
From: Lior Kaplan <webmaster at guides.co.il>
Subject: Small fix for bidiv, might have security implications
To: submit at bugs.debian.org
Message-id: <43BFE02F.2000500 at guides.co.il>
Organization: Guides.co.il
MIME-version: 1.0
Content-type: multipart/mixed; boundary=------------000808000309030801040107
X-Accept-Language: en-us, en
OpenPGP: id=99E81DA0
X-Enigmail-Version: 0.93.0.0
User-Agent: Debian Thunderbird 1.0.7 (X11/20051017)
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

This is a multi-part message in MIME format.
--------------000808000309030801040107
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

package: bidiv
version: 1.4-4
tags: security patch pending

Hi,

Attached is a small patch regarding an allocation bug, which might produce
a security problem.

"... you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes."

Steps already done:
1. Contact upstream to see if they have any comments about the patch or
if they'd like to add changes.
2. Prepare the package for upload to unstable (
http://svn.debian.org/wsvn/debian-hebrew/pkg/bidiv/trunk/ )
3. CCing the security team to coordinate upload to stable.

Lior Kaplan,
Debian Hebrew project

-------- Original Message --------
Subject: Fwd: Small fix for bidiv, might have security implications
Date: Sat, 7 Jan 2006 11:50:14 +0200
From: Shachar Raindel <shacharr at gmail.com>
Reply-To: raindel at tx.technion.ac.il
To: debian-hebrew-package at lists.alioth.debian.org, webmaster at guides.co.il
References: <e09338a10601070145n11edc85bt5ff149f3b8e5058e at mail.gmail.com>

I forward this e-mail to you as well since it seems that you might
also be related to this package's maintenance.

---------- Forwarded message ----------
From: Shachar Raindel <shacharr at gmail.com>
Date: Jan 7, 2006 11:45 AM
Subject: Small fix for bidiv, might have security implications
To: Nadav Har'El <nyh at math.technion.ac.il>, baruch at debian.org


Hi,
  After having bidiv crash on me when using it to filter a
directory listing, I took the time to run it through valgrind. I found
out that when allocating the Unicode storage strings (unicode_in and
unicode_out), you allocated 1 char less than the needed amount (it is
necessary to have a place for the null terminator as well as the whole
line), therefore overwriting the following heap content with 2 null
bytes. I haven't tried to exploit this, but it might (though very
unlikely) be possible to exploit this bug. I attach a patch against
the 1.4 version of bidiv which fixes this problem (and also frees the
memory it allocates when it is done using it).

  Thanks for the great tool anyway.

    Regards,
    Shachar


-- 

Lior Kaplan
kaplanlior at gmail.com
http://www.Guides.co.il

Debian GNU/Linux unstable (SID)


--------------000808000309030801040107
Content-Type: text/plain;
 name="malloc-patch.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="malloc-patch.diff"

--- bidiv-1.4/bidiv-orig.c	2006-01-07 11:15:38.000000000 +0200
+++ bidiv-1.4/bidiv.c	2006-01-07 11:30:56.000000000 +0200
@@ -67,8 +67,8 @@
 	in=(char *)malloc(width+1);
 	out=(char *)malloc(width*7+1); /* 7 is the maximum number of
 					  bytes in one UTF8 char? */
-	unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
-	unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*width);
+	unicode_in=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
+	unicode_out=(FriBidiChar *)malloc(sizeof(FriBidiChar)*(width+1));
 
 	c=0;
 	while(c!=EOF){
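
Review bot: nothing in this hunk checks that any of the four malloc calls
succeeded; the code goes straight from the unicode_out allocation to c=0; and
the read loop. The size sizeof(FriBidiChar)*(width+1) also grows with width,
so a failed or wrapped allocation would become a NULL or undersized buffer
that the loop then writes into. Suggest returning with an error if any of
in, out, unicode_in or unicode_out is NULL, and rejecting a width for which
the multiplication would overflow. Separately, the comment on the out
allocation still ends in a question mark ("7 is the maximum number of bytes
in one UTF8 char?"); that bound deserves the same scrutiny as the one fixed
here.
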
@@ -212,6 +212,11 @@
 				putchar(' ');
 		puts(out);
 	}
+	// Free the memory we have allocated
+	free(in);
+	free(out);
+	free(unicode_in);
+	free(unicode_out);
 }
 
 int
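
Review bot: the comment added above the free() calls uses // while the
existing comment in this file (on the out allocation in the first hunk) uses
/* */; // is not valid C89, so prefer /* Free the memory we have allocated */
to keep the file building with older or strict compilers. The frees sit
directly before the function's closing brace, so they only cover the
fall-through path; it is worth confirming that no earlier return or exit in
the function skips them.
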









--------------000808000309030801040107--
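
The off-by-one described in the report above, as an added example (not code from bidiv or from the attached patch): wide_char stands in for FriBidiChar, and alloc_line, store_line and try_line are hypothetical names. It assumes the terminator is written at the index equal to the line length, so only a line that fills the whole width needs the extra slot, and it adds the size-overflow and NULL checks the original allocation lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t wide_char;  /* stand-in for FriBidiChar (assumption) */

/* Allocate `width` characters plus one terminator slot, as the patch does.
 * Returns NULL if width+1 elements would overflow size_t or calloc fails. */
wide_char *alloc_line(size_t width)
{
    if (width >= SIZE_MAX / sizeof(wide_char))
        return NULL;
    return calloc(width + 1, sizeof(wide_char));
}

/* Widen at most `width` bytes of `src` into `dst` (capacity `cap` elements)
 * and terminate it. Returns the character count, or -1 when the buffer is
 * missing or the terminator would land outside it. */
long store_line(wide_char *dst, size_t cap, const char *src, size_t width)
{
    size_t n = 0;
    while (n < width && src[n] != '\0')
        n++;
    if (dst == NULL || n + 1 > cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];
    dst[n] = 0;
    return (long)n;
}

/* patched == 0 uses the pre-patch size (width), 1 the patched size (width+1). */
long try_line(size_t width, int patched, const char *line)
{
    size_t cap = patched ? width + 1 : width;
    wide_char *buf = patched ? alloc_line(width) : calloc(width, sizeof(wide_char));
    long r = store_line(buf, cap, line, width);
    free(buf);
    return r;
}

int main(void)
{
    const char *full = "abcdefgh";  /* constructed 8-character line */
    printf("pre-patch size, full line:  %ld\n", try_line(8, 0, full));
    printf("pre-patch size, short line: %ld\n", try_line(8, 0, "abc"));
    printf("patched size, full line:    %ld\n", try_line(8, 1, full));
    return 0;
}
```

Under that assumption a short line fits the pre-patch buffer, which is why the defect only shows up on input that reaches the full width.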

---------------------------------------
Received: (at 346386-close) by bugs.debian.org; 7 Jan 2006 17:51:04 +0000
>From katie at ftp-master.debian.org Sat Jan 07 09:51:04 2006
Return-path: <katie at ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EvI9j-00067d-JV; Sat, 07 Jan 2006 09:47:07 -0800
From: Lior Kaplan <webmaster at guides.co.il>
To: 346386-close at bugs.debian.org
X-Katie: $Revision: 1.65 $
Subject: Bug#346386: fixed in bidiv 1.4-6
Message-Id: <E1EvI9j-00067d-JV at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Sat, 07 Jan 2006 09:47:07 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: bidiv
Source-Version: 1.4-6

We believe that the bug you reported is fixed in the latest version of
bidiv, which is due to be installed in the Debian FTP archive:

bidiv_1.4-6.diff.gz
  to pool/main/b/bidiv/bidiv_1.4-6.diff.gz
bidiv_1.4-6.dsc
  to pool/main/b/bidiv/bidiv_1.4-6.dsc
bidiv_1.4-6_i386.deb
  to pool/main/b/bidiv/bidiv_1.4-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 346386 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lior Kaplan <webmaster at guides.co.il> (supplier of updated bidiv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  7 Jan 2006 17:54:54 +0200
Source: bidiv
Binary: bidiv
Architecture: source i386
Version: 1.4-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Hebrew Packaging Team <debian-hebrew-package at lists.alioth.debian.org>
Changed-By: Lior Kaplan <webmaster at guides.co.il>
Description: 
 bidiv      - BiDi viewer - command-line tool displaying logical Hebrew/Arabic
Closes: 346386
Changes: 
 bidiv (1.4-6) unstable; urgency=medium
 .
   * Apply patch by Shachar Raindel <shacharr at gmail.com> regarding insufficient
     memory allocation when handling Unicode strings. (Closes: #346386)
   * Fix man page error reported by Lintian.
Files: 
 2c243cb8350f656b4185785dcf2d647d 691 text optional bidiv_1.4-6.dsc
 dc71f8831d131f724cf2385a4f57b58b 3040 text optional bidiv_1.4-6.diff.gz
 517e43fb94777eef509b732cfe9dc0bb 9680 text optional bidiv_1.4-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDv/wbHCar6qtHRZgRAhWCAJ90W3xyaY9hZlGpIYIgRE/fVBD75gCg3OrO
T5Co5Dc52ylsmdomuHeZdlk=
=w2QB
-----END PGP SIGNATURE-----



