Message-ID: <1088722100.40e494b47971e@webmail.uu.se>
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar)
Subject: pavuk buffer overflow

I have found a buffer overflow in pavuk 0.9pl28, 0.9pl27 and possibly
also in other versions. It has the identifier CAN-2004-0456.

When pavuk sends a request to a web server and the server sends back
the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP
Location header in an unsafe manner. This leads to a stack-based
buffer overflow with control over EIP.

I have attached a patch (against 0.9pl28) for this bug and a PHP
script that exhibits the problem.

Versions of pavuk with this problem are distributed by Debian
GNU/Linux (non-US), SUSE Linux and Gentoo Linux, as well as in
FreeBSD's and OpenBSD's port collections.

I finished auditing pavuk and sent off information about this
to Debian, SUSE, Gentoo and upstream on the 14th of June. SUSE
accidentally released their update on the 23rd... Gentoo released
their advisory (please credit me) on the 30th, which was the
agreed-upon release date.

// Ulf Harnhammar for the
   Debian Security Audit Project
   http://www.debian.org/security/audit/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: index.php
Type: application/x-httpd-php
Size: 112 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040702/863b30e6/index.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pavuk.patch
Type: text/x-patch
Size: 450 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040702/863b30e6/pavuk.bin
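As an added illustration, not pavuk's code and not the attached patch, the unbounded copy pattern the advisory describes is shown beside a bounded extraction of the Location value that rejects overlong input; LOCATION_MAX, is_use_proxy, extract_location and the sample response are hypothetical names and values chosen for this demo.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define LOCATION_MAX 64   /* hypothetical buffer size chosen for the demo */

/* Unsafe pattern, for contrast (illustrative, not pavuk's actual code):
 * an unbounded copy of the attacker-controlled header value into a fixed
 * stack buffer. A value longer than the buffer overwrites what lies above
 * it on the stack, including the saved return address. */
void copy_location_unsafe(const char *value)
{
    char buf[LOCATION_MAX];
    strcpy(buf, value);            /* no length check */
    (void)buf;
}

/* True when the status line says 305 Use Proxy, the case the advisory covers. */
int is_use_proxy(const char *resp)
{
    return strlen(resp) >= 12 && strncmp(resp, "HTTP/1.", 7) == 0
        && strncmp(resp + 9, "305", 3) == 0;
}

/* Hardened extraction: bounded copy that rejects an overlong Location value
 * outright rather than silently truncating it (truncation would send the
 * client somewhere else). Returns 0 on success, -1 if the header is missing,
 * -2 if the value does not fit in out_len bytes including the NUL. */
int extract_location(const char *headers, char *out, size_t out_len)
{
    const char *p = headers;
    while (*p) {
        if (strncasecmp(p, "Location:", 9) == 0) {
            const char *v = p + 9;
            while (*v == ' ' || *v == '\t') v++;      /* skip leading blanks */
            size_t n = strcspn(v, "\r\n");            /* value ends at CRLF */
            if (n >= out_len) return -2;
            memcpy(out, v, n);
            out[n] = '\0';
            return 0;
        }
        p += strcspn(p, "\n");                        /* next header line */
        if (*p == '\n') p++;
    }
    return -1;
}
```

Only the bounded version is ever called on untrusted input; the contrast function exists to show the pattern, not to be exercised.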
