storm/w3m
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

replace \0 to make full string visible to user (CVE-2010-2074).

Browse Source
This commit is contained in:
Ito Hiroyuki
2010-07-18 13:43:23 +00:00
parent f4177807ad
commit cecd2afa71
2 changed files with 28 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@@ -1,6 +1,3 @@
2010-07-18 hito <hito@localhost.localdomain>
2010-07-18 d+w3m@vdr.jp 2010-07-18 d+w3m@vdr.jp
* [w3m-dev 04319] Re: w3m's bugs from bugs.debian.org * [w3m-dev 04319] Re: w3m's bugs from bugs.debian.org
* doc/w3m.1: fix typo. * doc/w3m.1: fix typo.
@@ -10,6 +7,8 @@
* scripts/w3mman/w3mman2html.cgi.in (Content-Type): * scripts/w3mman/w3mman2html.cgi.in (Content-Type):
"MAN_KEEP_FORMATTING=1" "MAN_KEEP_FORMATTING=1"
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325699 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325699
* istream.c (ssl_check_cert_ident): replace \0 to make full string
visible to user (CVE-2010-2074).
2007-06-07 Hironori Sakamoto <hsaka@mth.biglobe.ne.jp> 2007-06-07 Hironori Sakamoto <hsaka@mth.biglobe.ne.jp>
@@ -8946,4 +8945,4 @@ a * [w3m-dev 03276] compile error on EWS4800
* release-0-2-1 * release-0-2-1
* import w3m-0.2.1 * import w3m-0.2.1
$Id: ChangeLog,v 1.1005 2010/07/18 13:38:30 htrb Exp $ $Id: ChangeLog,v 1.1006 2010/07/18 13:43:23 htrb Exp $

30
istream.c
View File

@@ -1,4 +1,4 @@
/* $Id: istream.c,v 1.26 2007/05/23 15:06:05 inu Exp $ */ /* $Id: istream.c,v 1.27 2010/07/18 13:43:23 htrb Exp $ */
#include "fm.h" #include "fm.h"
#include "myctype.h" #include "myctype.h"
#include "istream.h" #include "istream.h"
@@ -447,8 +447,17 @@ ssl_check_cert_ident(X509 * x, char *hostname)
if (!seen_dnsname) if (!seen_dnsname)
seen_dnsname = Strnew(); seen_dnsname = Strnew();
/* replace \0 to make full string visible to user */
if (sl != strlen(sn)) {
int i;
for (i = 0; i < sl; ++i) {
if (!sn[i])
sn[i] = '!';
}
}
Strcat_m_charp(seen_dnsname, sn, " ", NULL); Strcat_m_charp(seen_dnsname, sn, " ", NULL);
if (ssl_match_cert_ident(sn, sl, hostname)) if (sl == strlen(sn) /* catch \0 in SAN */
&& ssl_match_cert_ident(sn, sl, hostname))
break; break;
} }
} }
@@ -466,16 +475,27 @@ ssl_check_cert_ident(X509 * x, char *hostname)
if (match_ident == FALSE && ret == NULL) { if (match_ident == FALSE && ret == NULL) {
X509_NAME *xn; X509_NAME *xn;
char buf[2048]; char buf[2048];
int slen;
xn = X509_get_subject_name(x); xn = X509_get_subject_name(x);
if (X509_NAME_get_text_by_NID(xn, NID_commonName, slen = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
buf, sizeof(buf)) == -1) if ( slen == -1)
/* FIXME: gettextize? */ /* FIXME: gettextize? */
ret = Strnew_charp("Unable to get common name from peer cert"); ret = Strnew_charp("Unable to get common name from peer cert");
else if (!ssl_match_cert_ident(buf, strlen(buf), hostname)) else if (slen != strlen(buf)
|| !ssl_match_cert_ident(buf, strlen(buf), hostname)) {
/* replace \0 to make full string visible to user */
if (slen != strlen(buf)) {
int i;
for (i = 0; i < slen; ++i) {
if (!buf[i])
buf[i] = '!';
}
}
/* FIXME: gettextize? */ /* FIXME: gettextize? */
ret = Sprintf("Bad cert ident %s from %s", buf, hostname); ret = Sprintf("Bad cert ident %s from %s", buf, hostname);
}
else else
match_ident = TRUE; match_ident = TRUE;
} }