Hi, CCed upstream. I am not sure if it is enough to just fix this CVE id. Browsing a bit in the code reveals quite a lot of additional buffer overflows.
From HTMLactions.c:
1264 void CheckUniqueName (Element el, Document doc, Attribute attr,
1265 AttributeType attrType)
1266 {
1267 #define MaxMsgLength 200
1268 ElementType elType;
1269 int lineNum, length;
1270 char *name;
1271 char msgBuffer[MaxMsgLength];
1272
1273 elType = TtaGetElementType (el);
1274 if (attr)
1275 {
1276 name = (char*)GetXMLAttributeName (attrType, elType, doc);
1277 if (!strcmp (name, "id"))
1278 {
1279 if (!TtaIsValidID (attr, FALSE))
1280 {
1281 length = TtaGetTextAttributeLength (attr) + 1;
1282 name = (char *)TtaGetMemory (length);
1283 TtaGiveTextAttributeValue (attr, name, &length);
1284 sprintf (msgBuffer, "Invalid ID value \"%s\"", name);
This can result in a stack-based buffer overflow if !TtaIsValidID (attr, FALSE)
is true.
This function is called if an attribute value is duplicated to generate an
error message.
TtaGetTextAttributeLength() returns the length of the attribute, the return
value here has
no upper limit. TtaGiveTextAttributeValue() then copies the attribute value
into the allocated name
buffer and msgBuffer will be overflowed (this also sets the length again to the
read bytes).
Note that MaxMsgLength is defined as 200 and that a check for !name would also
not hurt.
Same problem for the else case:
1292 else
1293 {
1294 // this function is optional because it increases the loading
time
1295 if (Check_read_ids && MakeUniqueName (el, doc, FALSE, FALSE))
1296 {
1297 length = TtaGetTextAttributeLength (attr) + 1;
1298 name = (char *)TtaGetMemory (length);
1299 TtaGiveTextAttributeValue (attr, name, &length);
1300 sprintf (msgBuffer, "Duplicate ID value \"%s\"", name)
Similar things are done at other places. Looking on the overall code quality I
suggest we remove amaya from lenny unless someone is willing to do a complete
audit.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpMS0Ls9GIkD.pgp
Description: PGP signature

