|
From: | Ulf Harnhammar |
Subject: | [Lynx-dev] 3xcrash: NULL dereferencing and buffer overflows |
Date: | Sun, 25 Sep 2005 02:45:32 +0200 |
User-agent: | Mutt/1.5.9i |
Hello, I have found some NULL dereferencing bugs and buffer overflows in lynx. They cause crashes under various circumstances. Despite being buffer overflows, I see no security impact at all. The bugs affect at least the versions 2.8.6dev.13 and 2.8.5. All patches are made against 2.8.6dev.13. 1) NULL dereferencing crash with unexpected data from Gopher server I have attached a fake Gopher server, lynx-gopher-crash.pl, that illustrates this issue. Run it, connect to it with lynx (lynx gopher://fake.server), select the Search menu item, press s, search for something.. notice how lynx crashes. The attached patch lynx.gophercrash.patch corrects this bug. 2) Buffer overflow when handling overly long prefix/suffix strings in lynx.cfg You can test this issue by applying the lynxcfg.prefixsuffix.patch file to lynx.cfg and then using lynx to connect to a host with no dots (lynx a).. notice how lynx crashes. The attached patch lynx.prefixsuffixcrash.patch corrects this bug. 3) Buffer overflow when lex() parses data from files I have attached the lynx.lexoverflow.patch file for this issue. // Ulf Harnhammar
lynx-gopher-crash.pl
Description: Text Data
lynx.gophercrash.patch
Description: Text document
lynxcfg.prefixsuffix.patch
Description: Text document
lynx.prefixsuffixcrash.patch
Description: Text document
lynx.lexoverflow.patch
Description: Text document
[Prev in Thread] | Current Thread | [Next in Thread] |