96441 – www-client/dillo Remote crash (Vendor-Sec)

Bug 96441 - www-client/dillo Remote crash (Vendor-Sec)

Summary: www-client/dillo Remote crash (Vendor-Sec)

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Other

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [wait?] CONFIDENTIAL date?
Keywords:

Depends on:
Blocks:

Reported:	2005-06-18 01:17 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2007-01-09 20:34 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-06-18 01:18:16 UTC

Dillo v0.8.4 and all previous versions were vulnerable to remote crashes via large or negative table attributes.  

These issues can either cause an instant segfault, or a lockup.

A sample vulnerable page is:

     <html><head> <title>Crash #2</title></head> <body>
     <table> <td colspan=10000000> </td></table></body></html>


The patch used to fix the issue is here:

 http://cvs.auriga.wearlab.de/cgi-bin/cvsweb.cgi/dillo/src/html.c.diff?sortby=date&cvsroot=dillo&r1=1.233&r2=1.234&f=c

----

0.85 is released and seems to fix the issue, though I haven't tested.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-06-19 10:31:57 UTC

If this is just a crash, I wouldn't consider it a vulnerability.

Comment 2 Tavis Ormandy (RETIRED) gentoo-dev

2005-06-21 01:50:07 UTC

This looks like a harmless crash, a regular bug rathen than a secureity issue. 
marking INVALID.