Date: Wed, 10 Nov 2004 11:22:02 -0500
From: "David A. Koran" <dak@solo.net>
To: security@FreeBSD.org, ports@FreeBSD.org, kbyanc@posi.net
Subject: vid 87cc48fd-5fdd-11d8-80e3-0020ed76ef5a (mnogoSearch)
Message-ID: <4192402A.4050509@solo.net>

(ref: http://www.freebsd.org/ports/portaudit/87cc48fd-5fdd-11d8-80e3-0020ed76ef5a.html)

mnoGoSearch buffer overflow in UdmDocToTextBuf()

I believe the issue raised in this portaudit report has been fixed in
subsequent versions (ref: http://www.mnogosearch.ru/history.html) they've
implemented bounds checking, but it wasn't listed in their ChangeLog.

Please bump the port up to the current version, let me know if this needs a
port maintainer since 3.1 trees are no longer supported, and the last major
upgrade was 9+ months ago.

----[ code from mnogosearch-3.2.24 ]----
int UdmDocToTextBuf(UDM_DOCUMENT * Doc,char *textbuf,size_t len){
	size_t	i;
	char	*end;

	textbuf[0]='\0';

	udm_snprintf(textbuf, len, "<DOC");
	end=textbuf+strlen(textbuf);

	for(i=0;i<Doc->Sections.nvars;i++){
		UDM_VAR	*S=&Doc->Sections.Var[i];

		if(!S->name || !S->val ||!S->val[0])continue;
		if(!S->section &&
		   strcasecmp(S->name,"ID") &&
		   strcasecmp(S->name,"URL") &&
		   strcasecmp(S->name,"Status") &&
		   strcasecmp(S->name,"Content-Type") &&
		   strcasecmp(S->name,"Content-Length") &&
		   strcasecmp(S->name,"Content-Language") &&
		   strcasecmp(S->name,"Last-Modified") &&
		   strcasecmp(S->name,"Tag") &&
		   strcasecmp(S->name,"Category"))
			continue;

		udm_snprintf(end, len - (end - textbuf), "\t%s=\"%s\"", S->name, S->val);
		end = end + strlen(end);
	}
	if (len - (end - textbuf) > 1) strcpy(end, ">");
	return UDM_OK;
}
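
The bounded-append pattern in the function quoted above, as an added example that is not part of the original message or of the mnoGoSearch source. `struct section`, `append` and `sections_to_textbuf` are hypothetical names, and C99 `vsnprintf` is assumed as a stand-in for `udm_snprintf`, whose implementation the message does not show.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a document section (not mnoGoSearch's UDM_VAR). */
struct section { const char *name, *val; };

/* Append formatted text at *end without writing past buf[len - 1].
 * Assumes *end points at the current NUL inside buf. Returns 1 on truncation. */
static int append(char *buf, size_t len, char **end, const char *fmt, ...)
{
    size_t room = len - (size_t)(*end - buf);  /* bytes left, NUL slot included */
    va_list ap;
    int want;

    va_start(ap, fmt);
    want = vsnprintf(*end, room, fmt, ap);     /* returns the length it wanted */
    va_end(ap);
    *end += strlen(*end);                      /* advance by bytes stored, not wanted */
    return want < 0 || (size_t)want >= room;
}

/* Returns 0 if everything fit, 1 if output was truncated, -1 if there is
 * no room even for the terminating NUL. */
int sections_to_textbuf(const struct section *s, size_t n, char *buf, size_t len)
{
    char *end = buf;
    int truncated;
    size_t i;

    if (buf == NULL || len == 0)
        return -1;
    buf[0] = '\0';
    truncated = append(buf, len, &end, "<DOC");
    for (i = 0; i < n; i++) {
        if (!s[i].name || !s[i].val || !s[i].val[0])
            continue;                          /* skip empty sections, as quoted */
        truncated |= append(buf, len, &end, "\t%s=\"%s\"", s[i].name, s[i].val);
    }
    return truncated | append(buf, len, &end, ">");
}

int main(void)
{
    /* Constructed sample input; 12 bytes is deliberately too small. */
    const struct section doc[] = { {"ID", "42"}, {"URL", "http://example.test/a"} };
    char out[12];
    int rc = sections_to_textbuf(doc, 2, out, sizeof out);
    printf("rc=%d out=%s\n", rc, out);
    return 0;
}
```

Advancing `end` by the return value of `vsnprintf` instead of by `strlen` would move it past the buffer on truncation, because the return value is the length the full output would have had.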