| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Ulf.Harnhammar.9485 at student.uu.se (Ulf Härnhammar) Subject: pavuk buffer overflow I have found a buffer overflow in pavuk 0.9pl28, 0.9pl27 and possibly also in other versions. It has the identifier CAN-2004-0456. When pavuk sends a request to a web server and the server sends back the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP Location header in an unsafe manner. This leads to a stack-based buffer overflow with control over EIP. I have attached a patch (against 0.9pl28) for this bug and a PHP script that exhibits the problem. Versions of pavuk with this problem are distributed by Debian GNU/Linux (non-US), SUSE Linux and Gentoo Linux, as well as in FreeBSD's and OpenBSD's port collections. I finished auditing pavuk and sent off information about this to Debian, SUSE, Gentoo and upstream on the 14th of June. SUSE accidentally released their update on the 23rd... Gentoo released their advisory (please credit me) on the 30th, which was the agreed-upon release date. // Ulf Harnhammar for the Debian Security Audit Project http://www.debian.org/security/audit/ -------------- next part -------------- A non-text attachment was scrubbed... Name: index.php Type: application/x-httpd-php Size: 112 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040702/863b30e6/index.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: pavuk.patch Type: text/x-patch Size: 450 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040702/863b30e6/pavuk.bin
Powered by blists - more mailing lists