oss-sec mailing list archives
Re: CVE Request -- HTMLDOC
From: Nico Golde <oss-security+ml () ngolde de>
Date: Sat, 25 Jul 2009 15:31:24 +0200
Hi, * Jan Lieskovsky <jlieskov () redhat com> [2009-07-18 13:27]:
Hello Steve, vendors, a stack-based buffer overflow by processing user-supplied input was found (by ANTHRAX666) in HTMLDOC's routine, used to set the result page output size for custom page sizes. References: ----------- http://secunia.com/advisories/35780/2/ (Secunia advisory) http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt (original proof of concept) http://bugs.gentoo.org/show_bug.cgi?id=278186 (Gentoo's BTS entry)
Did you check: htmllib.cxx: if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2) ps-pdf.cxx: if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2) as well? Looks like a similar issue to me. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE Request -- HTMLDOC Jan Lieskovsky (Jul 18)
- Re: CVE Request -- HTMLDOC Nico Golde (Jul 25)
- Re: CVE Request -- HTMLDOC Alex Legler (Jul 26)
- Re: CVE Request -- HTMLDOC Alex Legler (Sep 01)
- Re: CVE Request -- HTMLDOC Steven M. Christey (Sep 02)
- Re: CVE Request -- HTMLDOC Nico Golde (Jul 25)