
Bug#781745: libwvstreams4.6-extras: Not handling whitespace in x509 extensions



Package: libwvstreams4.6-extras
Version: 4.6.1-5
Severity: normal

Dear Maintainer,

When using wvx509 and calling the get_ocsp or get_crl_urls methods, the URI lines are not parsed properly if there is leading whitespace.

Example line: "  URI:ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList";

In the parse_stack method there is a check for the prefix: "if (strstr(stack_entry, prefix))"
and then a modification of the line to move the string pointer past that prefix: "WvString uri(stack_entry.edit() + prefix.len());"

This logic doesn't take into account the leading whitespace (which should be trimmed according to the RFC), and returns a bad string.

Actual returned string: "I:ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList";
Expected string: "ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList";

The strings in the parse_stack method should be trimmed of leading and trailing whitespace before the modification. I'm not sure of the best way to do this with the libraries given.

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libwvstreams4.6-extras depends on:
ii  libc6                 2.13-38+deb7u8
ii  libdbus-1-3           1.6.8-1+deb7u6
ii  libgcc1               1:4.7.2-5
ii  libpam0g              1.1.3-7.1
ii  libssl1.0.0           1.0.1e-2+deb7u16
ii  libstdc++6            4.7.2-5
ii  libwvstreams4.6-base  4.6.1-5
ii  zlib1g                1:1.2.7.dfsg-13

libwvstreams4.6-extras recommends no packages.

libwvstreams4.6-extras suggests no packages.

-- no debconf information
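
The offset bug described in the report above, reproduced beside a variant that trims the entry and requires the prefix at its start. This is an added example, not wvstreams code and not part of the original report: std::string stands in for WvString, and the function names and the sample entry are made up for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed sample entry with two leading spaces, shaped like the report's.
const char *SAMPLE = "  URI:ldap://ldap.example.org/cn=CRL1?certificateRevocationList";

// Logic as quoted in the report: strstr() finds the prefix anywhere in the
// entry, but the prefix length is then skipped from the start of the entry.
std::string extract_uri_buggy(const std::string &entry, const std::string &prefix)
{
    if (!std::strstr(entry.c_str(), prefix.c_str()))
        return "";
    return entry.substr(prefix.size());
}

// Strip leading and trailing whitespace.
static std::string trim(const std::string &s)
{
    size_t b = 0, e = s.size();
    while (b < e && std::isspace((unsigned char)s[b])) ++b;
    while (e > b && std::isspace((unsigned char)s[e - 1])) --e;
    return s.substr(b, e - b);
}

// Trim first, then accept the entry only if it starts with the prefix.
std::string extract_uri_fixed(const std::string &entry, const std::string &prefix)
{
    std::string t = trim(entry);
    if (t.compare(0, prefix.size(), prefix) != 0)
        return "";
    return trim(t.substr(prefix.size()));
}

int main()
{
    std::printf("buggy: \"%s\"\n", extract_uri_buggy(SAMPLE, "URI:").c_str());
    std::printf("fixed: \"%s\"\n", extract_uri_fixed(SAMPLE, "URI:").c_str());
    return 0;
}
```

The anchored variant also rejects entries where the prefix only appears mid-line, which the strstr() check accepts and then slices at the wrong offset.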

