Bug 113647 - www-misc/gurlchecker Possible overflows
Bug#: 113647
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: leonardop@gentoo.org
Reported By: castan.o@free.fr
Component: Auditing
URL:  http://labs.libre-entreprise.org/forum/forum.php?forum_id=429
Summary: www-misc/gurlchecker Possible overflows
Keywords:  
Status Whiteboard: 
Opened: 2005-11-26 11:45 0000
Description:
I've built gurlchecker on Gentoo ppc and x86. Receiving segfaults after a while
on both arches, I used valgrind.
I found a few bugs in gurlchecker-0.8.2, reported to the maintainer with a patch:
- with g_memdup in uc_check_link_get_properties_proto_http (off by one string
copy leading to consecutive read overflows)
- with htmlFreeParserCtxt in uc_html_parser_get_tags (read and write access to
free'd zone)
- with memcpy in uc_utils_string_cut (potential read overflow) and write
overflow with strncat

The last overflow can be triggered with a link url of the right size, but the
written content can't be controlled. Looks like the problem is limited to remote
DoS but not remote execution.

Reproducible: Always
Steps to Reproduce:

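The three defect classes the report lists (a string duplicated without its terminator, strncat called with the destination size as its third argument, and a fixed-length memcpy on a possibly shorter source) are easy to misread, so here is an added example, not gurlchecker's code and not the reporter's patch, that reproduces each pattern in isolation with a safe check beside it. `memdup_like` is an assumed stand-in for GLib's `g_memdup` (copies exactly n bytes, adds nothing), and `string_cut_fixed` is an assumed hardened shape for a "cut to N bytes and append a marker" helper; neither matches gurlchecker's real functions.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not gurlchecker's code. Assumed stand-in for GLib's
 * g_memdup(): copies exactly n bytes and appends nothing, so a C string
 * is only usable afterwards if n already included the NUL. */
static void *memdup_like(const void *src, size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memcpy(p, src, n);
    return p;
}

/* Bug 1: off-by-one string copy. strlen(s) bytes omit the terminator, so
 * every later strlen()/printf() on the copy runs past the allocation
 * (the "consecutive read overflows" of the report). */
char *dup_string_buggy(const char *s, size_t *out_len)
{
    *out_len = strlen(s);                  /* missing + 1 */
    return memdup_like(s, *out_len);
}

char *dup_string_fixed(const char *s, size_t *out_len)
{
    *out_len = strlen(s) + 1;              /* room for the NUL */
    return memdup_like(s, *out_len);
}

/* Check that does not itself overread: scan only the n allocated bytes
 * and report whether a terminator lies inside them. */
int is_terminated_within(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Convenience wrapper: duplicate s with either variant, test the copy,
 * free it. Returns 1 if the copy was usable as a C string. */
int dup_copy_terminated(const char *s, int use_fixed)
{
    size_t n;
    char *p = use_fixed ? dup_string_fixed(s, &n) : dup_string_buggy(s, &n);
    int ok = (p != NULL) && is_terminated_within(p, n);
    free(p);
    return ok;
}

/* Bug 2: strncat's third argument is the number of bytes to append from
 * src, not the size of dst, so strncat(dst, src, sizeof dst) can write
 * well past the end of dst. Given the lengths involved, this predicts
 * whether such a call writes beyond dstsize. */
int strncat_overflows(size_t dst_len, size_t src_len, size_t n, size_t dstsize)
{
    size_t appended = src_len < n ? src_len : n;
    return dst_len + appended + 1 > dstsize;   /* +1: strncat adds a NUL */
}

/* Bug 3: cutting to max bytes with memcpy(dst, src, max) reads past the
 * terminator of a src shorter than max. Hardened shape (assumed, not
 * gurlchecker's): copy min(strlen(src), max) bytes, then append the
 * marker only with the space that is actually left.
 * Returns 0 on success, -1 if dst cannot hold the result. */
int string_cut_fixed(const char *src, size_t max, char *dst, size_t dstsize)
{
    const char *marker = "...";
    size_t len = strlen(src);
    size_t keep = len < max ? len : max;

    if (keep + 1 > dstsize)
        return -1;
    memcpy(dst, src, keep);                /* never past src's terminator */
    dst[keep] = '\0';

    if (len > max) {
        size_t room = dstsize - keep - 1;  /* bytes strncat may still add */
        if (room < strlen(marker))
            return -1;
        strncat(dst, marker, room);        /* remaining space, not sizeof dst */
    }
    return 0;
}
```

The `is_terminated_within` check is the same question valgrind answers at runtime for the off-by-one: whether a later string read stays inside the bytes that were actually allocated. The `strncat_overflows` arithmetic shows why the reporter calls the last bug a size-triggered write: a link just long enough that `dst_len + min(src_len, n) + 1` exceeds the buffer overflows it, but the bytes written are the fixed suffix, not attacker data.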
------- Comment #1 From Sune Kloppenborg Jeppesen 2005-11-26 12:01:45 0000 -------
Auditors please advise (and reassign to maintainer if this is just a simple
crash and not exploitable).

------- Comment #2 From Tavis Ormandy (RETIRED) 2005-12-18 12:37:59 0000 -------
Yes, clearly some bugs there, but looks like no security impact, reassigning to
maintainer.

------- Comment #3 From Leonardo Boshell (RETIRED) 2005-12-21 19:25:39 0000 -------
I've committed gurlchecker-0.8.3 to the tree, which includes these bug fixes.
Since no real security problems have been identified, it won't be pushed to
stable too soon.

Thanks for the report.