Re: The situation with libwww.

Kenneth Porter writes:

--On Saturday, June 04, 2005 4:46 PM -0400 Sam Varshavchik <mrsam courier-mta com> wrote:

A minor update.  Upon further investigation one of the bugs turned into
an illegal out-of-bounds memory access, which, I guess, makes it a
security issue.

Any hostile server could now potentially cause any libwww client to
segfault, from the looks of things.  This includes the LWP module.  What
a gawdawful mess?

The function which is responsible for this mess is beyond hope, and must
be rewritten.

I don't see the issues listed here:


You might want to file new entries for these.

This needs to be fixed upstream, not just in Fedora. Besides, nobody's going to take a patch that pretty much replaces an entire function, at least not until it's accepted upstream. I'm trying to get ahold of someone. I'll put something into Bugzilla once they agree with my patch and commit it. Then I can file a bug documenting the commit and asking for an interim errata.

