Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Sat, 25 Jul 2009 15:31:24 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- HTMLDOC

Hi,
* Jan Lieskovsky <jlieskov@...hat.com> [2009-07-18 13:27]:
> Hello Steve, vendors,
> 
>   a stack-based buffer overflow by processing user-supplied
> input was found (by ANTHRAX666) in HTMLDOC's routine, used
> to set the result page output size for custom page sizes.
> 
> References:
> -----------
> http://secunia.com/advisories/35780/2/ (Secunia advisory)
> http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt 
> (original proof of concept)
> http://bugs.gentoo.org/show_bug.cgi?id=278186 (Gentoo's BTS entry)

Did you check:
htmllib.cxx:          if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
ps-pdf.cxx:   if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
as well?
Looks like a similar issue to me.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ