Bug#309586: konsole has unsafe and incorrect UTF-8 decoder
Subject: konsole has unsafe and incorrect UTF-8 decoder
Package: konsole
Version: 4:3.3.2-1
Severity: normal
Catting Marcus Kuhn's UTF-8-test reveals a number of problems with
konsole's UTF-8 decoder; it does not correctly handle malformed input.
For example, it fails to reject "long forms" of ordinary ASCII
characters, start bytes are always combined with following bytes even if
the following bytes are not continuation bytes, and so on. Some of
these are arguably security holes (similar to the IDN issues with
Mozilla but permitting computers to be fooled as well as humans).
The file is at
http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
(and many other places on the Web).
Andrew
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10.20050514
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Versions of packages konsole depends on:
ii kdelibs4 4:3.3.2-5 KDE core libraries
ii libart-2.0-2 2.3.17-1 Library of functions for 2D
graphi
ii libc6 2.3.2.ds1-21 GNU C Library: Shared
libraries an
ii libfam0c102 2.7.0-6 client library to control
the FAM
ii libgcc1 1:3.4.3-12 GCC support library
ii libice6 4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii libidn11 0.5.13-1.0 GNU libidn library,
implementation
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libqt3c102-mt 3:3.3.4-3 Qt GUI Library (Threaded
runtime v
ii libsm6 4.3.0.dfsg.1-12.0.1 X Window System Session
Management
ii libstdc++5 1:3.3.5-12 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol
client li
ii libxext6 4.3.0.dfsg.1-12.0.1 X Window System
miscellaneous exte
ii libxrender1 0.8.3-7 X Rendering Extension
client libra
ii libxtst6 4.3.0.dfsg.1-12.0.1 X Window System event
recording an
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB)
configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
Reply to: