w3m

Unnamed repository; edit this file to name it for gitweb.
git clone https://logand.com/git/w3m.git/
Log | Files | Refs | README

commit 6ae6d75ec5f75107b7a388e79e963c5a16f5d9e2
parent 3b0a15abe760a5d7ad602bd23bd2cda4370c85dc
Author: htrb <htrb>
Date:   Sun, 18 Jul 2010 13:43:23 +0000

replace \0 to make full string visible to user (CVE-2010-2074).

Diffstat:
MChangeLog | 5++---
Mistream.c | 28++++++++++++++++++++++++----
2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog @@ -1,6 +1,3 @@ -2010-07-18 hito <hito@localhost.localdomain> - - 2010-07-18 d+w3m@vdr.jp * [w3m-dev 04319] Re: w3m's bugs from bugs.debian.org * doc/w3m.1: fix typo. @@ -10,6 +7,8 @@ * scripts/w3mman/w3mman2html.cgi.in (Content-Type): "MAN_KEEP_FORMATTING=1" http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325699 + * istream.c (ssl_check_cert_ident): replace \0 to make full string + visible to user (CVE-2010-2074). 2007-06-07 Hironori Sakamoto <hsaka@mth.biglobe.ne.jp> diff --git a/istream.c b/istream.c @@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hostname) if (!seen_dnsname) seen_dnsname = Strnew(); + /* replace \0 to make full string visible to user */ + if (sl != strlen(sn)) { + int i; + for (i = 0; i < sl; ++i) { + if (!sn[i]) + sn[i] = '!'; + } + } Strcat_m_charp(seen_dnsname, sn, " ", NULL); - if (ssl_match_cert_ident(sn, sl, hostname)) + if (sl == strlen(sn) /* catch \0 in SAN */ + && ssl_match_cert_ident(sn, sl, hostname)) break; } } @@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hostname) if (match_ident == FALSE && ret == NULL) { X509_NAME *xn; char buf[2048]; + int slen; xn = X509_get_subject_name(x); - if (X509_NAME_get_text_by_NID(xn, NID_commonName, - buf, sizeof(buf)) == -1) + slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)); + if ( slen == -1) /* FIXME: gettextize? */ ret = Strnew_charp("Unable to get common name from peer cert"); - else if (!ssl_match_cert_ident(buf, strlen(buf), hostname)) + else if (slen != strlen(buf) + || !ssl_match_cert_ident(buf, strlen(buf), hostname)) { + /* replace \0 to make full string visible to user */ + if (slen != strlen(buf)) { + int i; + for (i = 0; i < slen; ++i) { + if (!buf[i]) + buf[i] = '!'; + } + } /* FIXME: gettextize? */ ret = Sprintf("Bad cert ident %s from %s", buf, hostname); + } else match_ident = TRUE; }