The situation with libwww.

Sam Varshavchik mrsam at courier-mta.com
Sun Jun 5 13:27:15 UTC 2005


Kenneth Porter writes:

> --On Saturday, June 04, 2005 4:46 PM -0400 Sam Varshavchik 
> <mrsam at courier-mta.com> wrote:
> 
>> A minor update.  Upon further investigation one of the bugs turned into
>> an illegal out-of-bounds memory access, which, I guess makes it a
>> security issue.
>>
>> Any hostile server could now potentially cause any libwww client to
>> segfault, from the looks of things.  This includes the LWP module.  What
>> a gawdawful mess?
>>
>> The function which is responsible for this mess is beyond hope, and must
>> be rewritten.
> 
> I don't see the issues listed here:
> 
> <https://bugzilla.redhat.com/bugzilla/buglist.cgi?component=w3c-libwww>
> 
> You might want to file new entries for these.

This needs to be fixed upstream, not just in Fedora.  Besides, nobody's 
going to take a patch that pretty much replaces an entire function, at least 
not until it's accepted upstream.  I'm trying to get ahold of someone.  I'll 
put something into Bugzilla once they agree with my patch and commit it. 
Then I can file a bug documenting the commit and asking for an interim 
errata.

