From owner-freebsd-ports Sun Oct 15 19:18:11 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 2328A37B66C; Sun, 15 Oct 2000 19:18:06 -0700 (PDT)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id e9G2I3i06955; Sun, 15 Oct 2000 22:18:03 -0400 (EDT)
Date: Sun, 15 Oct 2000 22:18:03 -0400 (EDT)
From: Trevor Johnson
To: Will Andrews
Cc: Trevor Johnson, developers@FreeBSD.ORG, FreeBSD Ports
Subject: Re: cvs commit: ports/www/bsdi-netscape47-communicator Makefile
In-Reply-To: <20001015210434.X95891@puck.firepipe.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > Mark forbidden because of buffer overflow described on BUGTRAQ.
>
> Doesn't this also apply to the other Netscapes? If not, this REALLY
> sucks. :-(

I only tested it with the one from the bsdi-netscape-navigator-4.75 package, but it's very likely that other versions have the bug. If they crash while viewing http://people.freebsd.org/~trevor/hostile-page.html they probably do. I've appended the original report.
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

Date: Thu, 28 Sep 2000 18:45:41 +0200
From: Michal Zalewski
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Netscape Navigator buffer overflow

Haven't seen a bug report on it, so I decided to publish this vulnerability. In fact it's pretty old, but still unpublished: Netscape Navigator is vulnerable to a trivial, remote buffer overflow attack when viewing prepared HTML:
...other form tags...
If the buffer is reasonably long, Netscape crashes with SEGV while trying to parse this tag (it happens around 16 kB of junk as value=) while calling the function XFE_GetFormElementInfo(). It is not a stack overflow, but, as some pointers are overwritten, it seems to be exploitable. If someone has free time and good will, they could try; recall the JPEG comment heap overflow. Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
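As an added illustration (not part of either message above, and not Netscape's code), the following C model shows the class of bug the report describes and the check that prevents it: a form-element record with a fixed-size value buffer sitting next to a pointer, an attribute parser that copies the `value=` text into it, and a generator for the kind of oversized `type=password` tag Trevor's hostile page would carry. The struct layout, the 16 KiB capacity, and all function names are assumptions chosen to match the "around 16 kB" figure in the report; the unsafe copy is left as a comment so the program stays well-defined, while the hardened path rejects a value that does not fit instead of overrunning into the neighbouring pointer.

```c
/* Added example, not Netscape's code. Struct layout, VALUE_MAX and all
 * function names are assumptions for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_MAX 16384  /* assumed fixed capacity, matching the ~16 kB crash point */

struct form_element {
    char  type[16];
    char  value[VALUE_MAX];
    void *next;  /* the kind of pointer an overrun of value[] would clobber */
};

/* Locate name=... in tag (quoted or bare); return 0 and the value span on success. */
static int find_attr(const char *tag, const char *name, const char **val, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = tag;
    while ((p = strstr(p, name)) != NULL) {
        /* attribute must be preceded by whitespace and followed by '=' */
        if ((p == tag || isspace((unsigned char)p[-1])) && p[nlen] == '=') {
            p += nlen + 1;
            if (*p == '"' || *p == '\'') {
                char q = *p++;
                const char *e = strchr(p, q);
                if (e == NULL) return -1;           /* unterminated quote */
                *val = p; *len = (size_t)(e - p);
            } else {
                const char *e = p;
                while (*e && !isspace((unsigned char)*e) && *e != '>') e++;
                *val = p; *len = (size_t)(e - p);
            }
            return 0;
        }
        p += nlen;
    }
    return -1;
}

/* Unsafe pattern the report implies, kept as a comment so this file is well-defined:
 *     strcpy(el->value, attr_value);   // >= VALUE_MAX bytes overrun value[] and el->next
 */

/* Hardened: refuse a value that does not fit rather than truncating silently.
 * Returns 0 on success, -1 for an oversized type, -2 for an oversized value. */
int parse_input_tag(const char *tag, struct form_element *el) {
    const char *v; size_t n;
    memset(el, 0, sizeof *el);
    if (find_attr(tag, "type", &v, &n) == 0) {
        if (n >= sizeof el->type) return -1;
        memcpy(el->type, v, n); el->type[n] = '\0';
    }
    if (find_attr(tag, "value", &v, &n) == 0) {
        if (n >= sizeof el->value) return -2;   /* the report's crash case */
        memcpy(el->value, v, n); el->value[n] = '\0';
    }
    return 0;
}

/* Constructed input: an <input type=password> whose value= is `len` junk bytes.
 * Caller frees the result. */
char *make_hostile_tag(size_t len) {
    const char *pre = "<input type=password value=\"", *post = "\">";
    char *t = malloc(strlen(pre) + len + strlen(post) + 1);
    if (t == NULL) return NULL;
    strcpy(t, pre);
    memset(t + strlen(pre), 'A', len);
    strcpy(t + strlen(pre) + len, post);
    return t;
}

int main(void) {
    struct form_element el;
    char *big = make_hostile_tag(20000);           /* past the assumed 16 KiB capacity */
    if (big == NULL) return 1;
    printf("short tag: %d\n", parse_input_tag("<input type=password value=\"secret\">", &el));
    printf("20000-byte value: %d (rejected, el.next still %p)\n",
           parse_input_tag(big, &el), el.next);
    free(big);
    return 0;
}
```

The only defence-relevant line is the `n >= sizeof el->value` check; everything else exists so the check has a realistic caller. In a real parser the same test would sit wherever the attribute text is copied into the element record, and it should apply to every input type, not just `password`, since the report only says which type happened to crash.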