The situation with libwww.
Sam Varshavchik
mrsam at courier-mta.com
Sat Jun 4 20:46:13 UTC 2005
Andy Green writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sam Varshavchik wrote:
>
> | W3C stopped maintaining libwww three years ago
> | (http://www.w3.org/Library/). So, what should one do after finding a
> | bunch of major, but non-security related flaws in libwww?
>
> Their CVS seems active
>
> http://dev.w3.org/cvsweb/libwww/
>
> README there suggests Jose Kahan was recently working on it: if he
> doesn't maintain it he probably knows who does.
>
> His spamproofed Email is at the bottom of this page:
>
> http://www.w3.org/People/Jose/

A minor update. Upon further investigation one of the bugs turned into an
illegal out-of-bounds memory access, which, I guess, makes it a security
issue.

Any hostile server could now potentially cause any libwww client to
segfault, from the looks of things. This includes the LWP module. What a
gawdawful mess…

The function which is responsible for this mess is beyond hope, and must
be rewritten.