The situation with libwww.

Sam Varshavchik mrsam at courier-mta.com
Sat Jun 4 20:46:13 UTC 2005


Andy Green writes:

> Sam Varshavchik wrote:
> 
> | W3C stopped maintaining libwww three years ago
> | (http://www.w3.org/Library/). So, what should one do after finding a
> | bunch of major, but non-security related flaws in libwww?
> 
> Their CVS seems active
> 
> http://dev.w3.org/cvsweb/libwww/
> 
> README there suggests Jose Kahan was recently working on it: if he
> doesn't maintain it he probably knows who does.
> 
> His spamproofed Email is at the bottom of this page:
> 
> http://www.w3.org/People/Jose/

A minor update.  Upon further investigation, one of the bugs turned into an 
illegal out-of-bounds memory access, which, I guess, makes it a security 
issue.

Any hostile server could now potentially cause any libwww client to 
segfault, from the looks of things.  This includes the LWP module.  What a 
gawdawful mess…

The function which is responsible for this mess is beyond hope, and must
be rewritten.
