--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libwvstreams4.6-extras: Not handling whitespace in x509 extensions
- From: Chris Gamio <cgamio@gmail.com>
- Date: Thu, 02 Apr 2015 13:26:08 +0000
- Message-id: <20150402132608.753.35237.reportbug@ip-10-0-0-92.ec2.internal>
Package: libwvstreams4.6-extras
Version: 4.6.1-5
Severity: normal
Dear Maintainer,
When using wvx509 and calling the get_ocsp or get_crl_urls methods, the URI lines are not parsed properly if there is leading whitespace.
Example line: " URI:ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList"
In the parse_stack method there is a check for the prefix: "if (strstr(stack_entry, prefix))"
and then a modification of the line to move the string pointer past that prefix: "WvString uri(stack_entry.edit() + prefix.len());"
This logic doesn't take into account the leading whitespace (which should be trimmed according to the RFC), and returns a bad string.
Actual returned string: "I:ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList"
Expected string: "ldap://ldap01.dimc.dhs.gov/cn=CRL3167,ou=DHS%20CA4,ou=Certification%20Authorities,ou=Department%20of%20Homeland%20Security,o=U.S.%20Government,c=US?certificateRevocationList"
The strings in the parse_stack method should be trimmed of leading and trailing whitespace before the modification. I'm not sure of the best way to do this with the libraries given.
-- System Information:
Debian Release: 7.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwvstreams4.6-extras depends on:
ii libc6 2.13-38+deb7u8
ii libdbus-1-3 1.6.8-1+deb7u6
ii libgcc1 1:4.7.2-5
ii libpam0g 1.1.3-7.1
ii libssl1.0.0 1.0.1e-2+deb7u16
ii libstdc++6 4.7.2-5
ii libwvstreams4.6-base 4.6.1-5
ii zlib1g 1:1.2.7.dfsg-13
libwvstreams4.6-extras recommends no packages.
libwvstreams4.6-extras suggests no packages.
-- no debconf information
--- End Message ---
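The parse_stack behaviour described in the report above, as an added C++ example that is neither WvStreams code nor the patch uploaded in 4.6.1-17. Assumptions: the prefix is "URI:", the sample entry is constructed with two leading spaces (which is what yields a result starting with "I:"), the function names are hypothetical, and std::string stands in for WvString.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Mirrors the logic quoted in the report: the prefix is accepted anywhere in
// the entry, but the skip is always counted from the start of the entry.
std::string uri_reported_logic(const std::string &entry, const std::string &prefix)
{
    if (std::strstr(entry.c_str(), prefix.c_str()))
        return entry.substr(prefix.size());   // safe: entry contains prefix
    return "";
}

// Hardened variant (hypothetical, not the Debian patch): trim surrounding
// whitespace, then require the prefix at position 0 before skipping it.
std::string uri_trimmed(const std::string &entry, const std::string &prefix)
{
    static const char *ws = " \t\r\n";
    const std::size_t first = entry.find_first_not_of(ws);
    if (first == std::string::npos)
        return "";                            // empty or all-whitespace entry
    const std::size_t last = entry.find_last_not_of(ws);
    const std::string trimmed = entry.substr(first, last - first + 1);
    if (trimmed.compare(0, prefix.size(), prefix) != 0)
        return "";                            // prefix missing or not leading
    return trimmed.substr(prefix.size());
}

int main()
{
    // Constructed sample entry: two leading spaces, trailing space and newline.
    const std::string entry =
        "  URI:ldap://ldap.example.test/cn=CRL1?certificateRevocationList \n";
    const std::string prefix = "URI:";        // assumed prefix value

    std::cout << "reported logic: [" << uri_reported_logic(entry, prefix) << "]\n";
    std::cout << "trimmed first:  [" << uri_trimmed(entry, prefix) << "]\n";
    return 0;
}
```

The trimmed variant is stricter than the reported check: an entry where the prefix appears only mid-string is rejected instead of being cut at an arbitrary offset.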
--- Begin Message ---
Source: wvstreams
Source-Version: 4.6.1-17
Done: Bastian Germann <bage@debian.org>
We believe that the bug you reported is fixed in the latest version of
wvstreams, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 781745@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated wvstreams package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 03 Feb 2024 22:43:16 +0000
Source: wvstreams
Architecture: source
Version: 4.6.1-17
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 781745 1046700
Changes:
wvstreams (4.6.1-17) unstable; urgency=medium
.
* QA upload.
* Run dh_autreconf. (Closes: #1046700)
* Trim URI whitespace according to RFC. (Closes: #781745)
* d/copyright: Convert to machine-readable format.
* Add public domain statement for ftpparse.
Checksums-Sha1:
54b152159dcdb1cdca32e8290630f693673c3c66 2026 wvstreams_4.6.1-17.dsc
88aa9075fffdb928f1221d6c6c9ef1c44960cbc0 20308 wvstreams_4.6.1-17.debian.tar.xz
7dea6eb80a905c57cc9f9cd37de09dd83bb04ca7 8303 wvstreams_4.6.1-17_source.buildinfo
Checksums-Sha256:
2bbc1fe628947c52b17e2ef1a899e12583058d8964ba7dd67f16d7fb325be0b7 2026 wvstreams_4.6.1-17.dsc
82f447d9f674d1478473f7d55daae45c0e255784eaa5b4c5b035ed8a656bc4e0 20308 wvstreams_4.6.1-17.debian.tar.xz
b0d16025adbfdf2ba8025eb0e42782bf24110fea2ee23e1f9ebb53fc4899a04d 8303 wvstreams_4.6.1-17_source.buildinfo
Files:
ca9097d21afea4094bf74c74209be974 2026 libs optional wvstreams_4.6.1-17.dsc
a038091d57c7a5f54ae560e23c3ff3d1 20308 libs optional wvstreams_4.6.1-17.debian.tar.xz
bfc3af573df0093a45f8b41ddc49fada 8303 libs optional wvstreams_4.6.1-17_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---