[18651] in bugtraq


Re: Buffer Overflow still exists in Netscape <= 4.76

daemon@ATHENA.MIT.EDU (fish stiqz)
Tue Jan 16 19:10:44 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010116144003.A3027@analog.org>
Date:         Tue, 16 Jan 2001 14:40:03 -0500
Reply-To: fish stiqz <fish@ANALOG.ORG>
From: fish stiqz <fish@ANALOG.ORG>
X-To:         Frank v Waveren <fvw@var.cx>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010116185410.A4044@var.cx>; from fvw@var.cx on Tue, Jan 16,
              2001 at 06:54:10PM +0100

Frank v Waveren <fvw@var.cx> wrote:
> No dice, apart from a slight rendering bug if you go to the end of the
> password field, it doesn't appear to have any problems here.
>
> [/home/fvw] netscape -v
> Netscape Lite 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
> [/home/fvw] rpm -qi netscape-navigator
> Name        : netscape-navigator           Relocations: /usr
> Version     : 4.76                              Vendor: Red Hat, Inc.
> Release     : 0.6.2                         Build Date: Mon Nov 13 18:47:54 2000
> Size        : 7690589                          License: Commercial
> Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> Summary     : The Netscape Navigator Web browser.


The dice is rolling over here.
This is the exact rpm from the redhat update ftp site.  The md5sum matches
the one listed on their website (see below), and it crashes with the pages
I listed on the original post:
 -> http://fish.analog.org/~fish/crash_netscape2.html

$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
$ md5sum netscape-navigator-4.76-0.6.2.i386.rpm
670b08cbad1097f4ca923071c202b5dd  netscape-navigator-4.76-0.6.2.i386.rpm

 - Same rpm listed at http://www.redhat.com/support/errata/RHSA-2000-109.html:
670b08cbad1097f4ca923071c202b5dd  6.2/i386/netscape-navigator-4.76-0.6.2.i386.rpm

$ rpm -qi netscape-navigator
Name        : netscape-navigator           Relocations: /usr
Version     : 4.76                              Vendor: Red Hat, Inc.
Release     : 0.6.2                         Build Date: Mon 13 Nov 2000 12:47:54 PM EST
Install date: Tue 16 Jan 2001 01:45:38 PM EST      Build Host: porky.devel.redhat.com
Group       : Applications/Internet         Source RPM: netscape-4.76-0.6.2.src.rpm
Size        : 7690589                          License: Commercial
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The Netscape Navigator Web browser.
Description :
Netscape Navigator is the industry-leading Web browser. It supports
the latest HTML standards, Java, JavaScript and some style sheets.

Information on the Netscape Navigator license may be found in the file
/usr/doc/netscape-common-%{version}/LICENSE.

This will install the basic Netscape Navigator Web browser.
If you want additional features, such as the Usenet news reader and
HTML editor, you should install the netscape-communicator package.


- This is the same version you are using!  It definitely crashes for me
(see below).


$ rpm -qf /usr/lib/netscape/netscape-navigator
netscape-navigator-4.76-0.6.2

$ gdb /usr/lib/netscape/netscape-navigator
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args http://fish.analog.org/~fish/crash_netscape2.html
(gdb) run
Starting program: /usr/lib/netscape/netscape-navigator http://fish.analog.org/~fish/crash_netscape2.html

Program received signal SIGSEGV, Segmentation fault.
0x4002c4d3 in XtCallCallbackList () from /usr/X11R6/lib/libXt.so.6
(gdb) info all-registers
eax            0x40063bc4	1074150340
ecx            0x41414141	1094795585
edx            0x186a0	100000
ebx            0x40065a2c	1074158124
esp            0xbfffdab4	-1073751372
ebp            0xbfffdac8	-1073751352
esi            0xbfffdb90	-1073751152
edi            0x41414145	1094795589
eip            0x4002c4d3	1073923283
eflags         0x10202	66050
<snip>


I have also gotten this to crash on the latest debian-unstable.
$ dpkg --print-avail netscape
Package: netscape
Priority: optional
Section: contrib/web
Installed-Size: 22
Maintainer: Ryan Murray <rmurray@debian.org>
Architecture: i386
Source: netscape4.base
Version: 1:4.76-1
Depends: communicator | navigator

Exactly what did you do that it didn't segfault on you?  In all my tests
Netscape has died either as soon as the page loads or as soon as you try
to go somewhere else (or reload).


--
+---------------------------------------------------------------------------+
|  fish stiqz <fish@analog.org>    <*)))-<     ** yum, yum, delicious **    |
+---------------------------------------------------------------------------+
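What the register dump above tells a reader: at the fault ecx holds 0x41414141 ("AAAA") and edi holds 0x41414145, so bytes from the crashing page have reached a pointer that XtCallCallbackList() then dereferences. The C program below is an added illustration of that failure pattern, not code from the original post and not Netscape or Xt source; the struct `widget_state`, the functions `vulnerable_set_field` and `safe_set_field`, and the 63-byte input of 'A's are all constructed for the example. It models a fixed-size form field sitting in front of a callback record, copies an over-long input into it once without a bound and once with one, and reports whether the callback pointer was clobbered to 0x41414141.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Netscape or Xt code: a fixed-size text field
 * immediately followed by a callback record, as a toolkit might lay out
 * per-widget state.  The toolkit later calls callback(client_data), which
 * is the analogue of XtCallCallbackList() dereferencing what it finds. */
typedef void (*cb_fn)(void *client_data);

struct widget_state {
    char   field[16];     /* what the user types into the form field */
    cb_fn  callback;      /* function pointer the toolkit will call later */
    void  *client_data;   /* argument handed to the callback */
};

static void legit_callback(void *client_data) { (void)client_data; }

/* Vulnerable copy: the input length is never compared with sizeof field.
 * A real strcpy() would run off the end of the object and crash this demo,
 * so the write is clamped to the enclosing struct (demo-only clamp); every
 * byte inside the struct after `field` is still overwritten as it would be. */
static void vulnerable_set_field(struct widget_state *w, const char *input)
{
    size_t n = strlen(input);
    if (n > sizeof *w)
        n = sizeof *w;                       /* demo-only clamp, see above */
    memcpy((unsigned char *)w, input, n);    /* field is at offset 0 */
}

/* Hardened copy: bounded to the field and always NUL-terminated. */
static void safe_set_field(struct widget_state *w, const char *input)
{
    snprintf(w->field, sizeof w->field, "%s", input);
}

/* Low 32 bits of the callback pointer: the value a 32-bit register such as
 * ecx would hold when the toolkit loads the pointer before calling it. */
static uint32_t callback_low32(const struct widget_state *w)
{
    uintptr_t p = (uintptr_t)w->callback;
    return (uint32_t)p;
}

/* Constructed input: 63 x 'A', far longer than the 16-byte field. */
static void fill_input(char *buf, size_t len)
{
    memset(buf, 'A', len - 1);
    buf[len - 1] = '\0';
}

/* Returns 1 if the unbounded copy reached the callback pointer. */
int demo_overflow_clobbers_callback(void)
{
    struct widget_state w;
    char input[64];

    fill_input(input, sizeof input);
    w.callback = legit_callback;
    w.client_data = NULL;
    vulnerable_set_field(&w, input);

    return callback_low32(&w) == 0x41414141u;
}

/* Returns 1 if the bounded copy left the callback pointer intact and the
 * field holds a properly terminated, truncated string. */
int demo_bounded_copy_keeps_callback(void)
{
    struct widget_state w;
    char input[64];

    fill_input(input, sizeof input);
    w.callback = legit_callback;
    w.client_data = NULL;
    safe_set_field(&w, input);

    return w.callback == legit_callback
        && strlen(w.field) == sizeof w.field - 1;
}

int main(void)
{
    printf("unbounded copy reaches callback: %s\n",
           demo_overflow_clobbers_callback() ? "yes (0x41414141)" : "no");
    printf("bounded copy keeps callback:     %s\n",
           demo_bounded_copy_keeps_callback() ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. On a 64-bit build the full overwritten pointer is 0x4141414141414141; the example checks only its low 32 bits so that the comparison matches the 32-bit register dump in the post. The point of the bounded variant is that the toolkit's later indirect call still lands on `legit_callback`, which is exactly the property the crashing build has lost.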
