[Users] [Bug 3557] Remotely exploitable bug.

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Thu Dec 31 12:03:40 CET 2015


--- Comment #8 from Ricardo Mones <mones at users.sourceforge.net> ---
(In reply to comment #7)
> (In reply to comment #6)
> > After being notified of this:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2015-8614
> > 
> > Seems this is only partially fixed (wrong operator was fixed in #3584), and
> > there's code paths which exceed the number of reserved chars for output.
> Right.  In conv_euctojis() the comparison is with outlen - 3, but each pass
> through the loop uses up to 5 bytes and the rest of the function may add
> another 4 bytes.  The comparison should presumably be '<= outlen - 9' or
> equivalently '< outlen - 8'.

Thanks for confirming Ben.

> > Similar functions in libsylph¹ are unaffected², so those could be used
> > instead.
> The corresponding functions in libsylph do their own allocations on the
> heap, returning a pointer to the caller.  So it's not quite as simple as
> copying the code across.

Indeed. I was thinking about a more radical approach like removing
codeconv.[ch] and use sylph/codeconv.h, linking to libsyph. But I had a look
today and this is also a huge task:

• the API calls interface changes (obviously)
• different supported codesets on both sides (libsylph should add some so CM
doesn't lose features)
• missing calls

Maybe could be a good idea for long term, but not for tonight ;-)

You are receiving this mail because:
You are the assignee for the bug.

More information about the Users mailing list