Exmh hangs from BUGTRAQ posts [fix]

From: David Luyer (luyerat_private)
Date: Mon Jun 29 1998 - 22:34:58 PDT


    CC'd to welchat_private   [exmh bug address]
            igorat_private [exmh debian maintainer]
    
    If URI scanning is enabled in exmh (I'm using version 2.0.2 2/24/98 on
    Debian Linux, Tk 8.0, Tcl 8.0), recent BUGTRAQ posts with very long strings
    of letters (i.e., xxxxxxxx[...]) have caused complete hangs in exmh of around
    5 minutes for some messages.  During this time exmh is completely
    unresponsive, except to a kill (it doesn't even repaint its display).
    
    Here's a patch to fix the problem:
    
    =================== patch begin =================================
    --- uri.tcl     Tue Jun 30 13:23:39 1998
    +++ uri.tcl.orig        Tue Jun 30 13:21:08 1998
    @@ -324,7 +324,7 @@
         Exmh_Debug "URI_ScanMsg $limit"
         set multiline 0
         set hit 0
    -    set Protocol (ftp|http|https|gopher|nntp|telnet|wais|file|prospero|finger|urn|mailto|news|solo|x500)
    +#    set protocol (ftp|http|https|gopher|nntp|telnet|wais|file|prospero|finger|urn|mailto|news|solo|x500)
         set protocol {[A-Za-z_]+[-A-Za-z0-9_]*}
    
         for {set i 0} {[$w compare $i.0 < $limit]} {if {! $hit} {incr i}} {
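    Review bot: the file order in the headers is inverted (`--- uri.tcl` is the fixed file and `+++ uri.tcl.orig` the original), so in this hunk the `-` line is the fix and the `+` line is the code being replaced; anyone applying it with `patch` has to pass `-R` or swap the files, and regenerating it as `diff -u uri.tcl.orig uri.tcl` would avoid that trap. The new `set Protocol (ftp|http|...)` is also introduced while the retained `set protocol {[A-Za-z_]+[-A-Za-z0-9_]*}` stays live, so the open-ended pattern remains available to any other regexp in URI_ScanMsg; a short comment at the definition saying why both variables exist would help the next reader.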
    @@ -417,10 +417,8 @@
                 set start [expr [lindex $indices 0] + 1]
                 set end [expr [lindex $indices 1] - 1]
                set hit 1
    -# fix mailer hangs of up to 5 minutes which were happening due to
    -# BUGTRAQ posts with very long strings of xxxxxxxxxxxxxxxxx[...] in
    -# them by using $Protocol instead of $protocol.
    -        } elseif {[regexp -indices "$Protocol:/+\[^ \n\t\]+\[^ \n\t,\.\)>\'\"\]" \
    +
    +        } elseif {[regexp -indices "$protocol:/+\[^ \n\t\]+\[^ \n\t,\.\)>\'\"\]" \
                    $text indices] == 1} {
                # check for unencapsulated URIs by protocol if no < > present
                Exmh_Debug Regexp4 $indices
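    Review bot: only the Regexp4 `elseif` is switched from `$protocol` to `$Protocol`, so if any earlier regexp in this loop still uses `$protocol` it keeps the open-ended `[A-Za-z_]+[-A-Za-z0-9_]*` prefix and the same backtracking cost on long alphabetic runs, which is consistent with the author's remark that other triggers remain. The explanatory comment would read better at the `set Protocol` definition than between `set hit 1` and `} elseif`, where it sits inside the previous branch's body; and the `+` blank line that the fix deletes is unrelated whitespace that belongs in a separate cleanup.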
    =================== patch end ===================================
    
    While there are still, and will probably always be, some obvious ways to
    cause the same problem, it fixes the problem for the case of the
    semi-frequent BUGTRAQ posts which contain long alphabetic strings with no
    breaks.
    
    To fix the general hang/DoS, disable URI scanning, or some work has to be
    done on the regexps (possibly changing the line
    set protocol {[A-Za-z_]+[-A-Za-z0-9_]*}
    to
    set protocol {[A-Za-z_]+[-A-Za-z0-9_]{,10}}
    or however such a regexp would be written in Tcl, which would help significantly).
    
    David.
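To make the post's point concrete, here is an added example (not exmh code and not the author's) that translates the three scheme sub-patterns discussed above into Python's re module, a backtracking engine as Tcl 8.0's regexp was, and compares them on a constructed message and on a constructed long run of letters; the sample URIs, the JUNK string and the helper names are assumptions.

```python
import re
import time

# Scheme sub-patterns from the post, translated from Tcl to Python's re
# (a backtracking engine, as Tcl 8.0's regexp was).
PROTO_OPEN = r'[A-Za-z_]+[-A-Za-z0-9_]*'              # original $protocol
PROTO_FIXED = (r'(?:ftp|http|https|gopher|nntp|telnet|wais|file|prospero'
               r'|finger|urn|mailto|news|solo|x500)')   # patched $Protocol
PROTO_BOUNDED = r'[A-Za-z_]+[-A-Za-z0-9_]{0,10}'       # closing suggestion

# Remainder of exmh's "Regexp4" check: ":" plus slashes, then a run of
# non-blank characters whose final character is not trailing punctuation.
URI_TAIL = r':/+[^ \n\t]+[^ \n\t,.)>\'"]'


def find_uris(text, proto_pattern=PROTO_FIXED):
    """Return the unencapsulated URIs found using the given scheme pattern."""
    return re.findall(proto_pattern + URI_TAIL, text)


def time_scan(text, proto_pattern):
    """Wall-clock seconds for one scan of `text` with `proto_pattern`."""
    start = time.perf_counter()
    find_uris(text, proto_pattern)
    return time.perf_counter() - start


# Constructed sample message with three URIs in the forms exmh handles.
SAMPLE = ("Details at http://www.example.org/advisory/1998-06, and a mirror\n"
          "on ftp://ftp.example.net/pub/patches/uri.tcl.diff (see also\n"
          "<https://www.example.org/>).\n")

# Constructed stand-in for the posts the author describes: a long run of
# letters with no URI in it.  At every start position the open-ended scheme
# pattern tries each split between its two character classes before the ":"
# fails, so the scan cost grows roughly with the cube of the run length.
JUNK = 'x' * 600

if __name__ == '__main__':
    for name, proto in (('open', PROTO_OPEN), ('bounded', PROTO_BOUNDED),
                        ('fixed', PROTO_FIXED)):
        print(name, find_uris(SAMPLE, proto))
        print('  %s on %d letters: %.4fs' % (name, len(JUNK),
                                             time_scan(JUNK, proto)))
```

All three patterns find the same URIs in the sample; only the scan of the letter run differs, with the fixed alternation failing almost immediately at each position.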
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:56 PDT