[UNIX] Libneon Date Parsing Vulnerability
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com Date: 19 May 2004 15:25:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Libneon Date Parsing Vulnerability
<http://www.webdav.org/neon> neon is "an HTTP and WebDAV client library,
with a C interface". A vulnerability within a libneon date parsing
function could cause a heap overflow that could lead to remote code
execution, depending on the application using libneon. OpenOffice and
Subversion *DO NOT* use this function and are therefore not vulnerable to
* libneon version 0.24.5 and prior
While scanning the libneon source code for common programming errors an
unsafe usage of sscanf() was discovered within one of the date parsing
When a special crafted date string is passed to the ne_rfc1036_parse() it
may trigger a sscanf() string overflow into static heap variables.
Exploitability heavily depends on the application linked against neon but
is considered trivial in cases where an out-of-memory condition can be
triggered, because the overflowing variable is placed in front of the
libneon out-of-memory callback function pointer.
Please notice that your application could be vulnerable even if you do not
use ne_rfc1036_parse() directly, because its functionality is used by
several higher level API functions.
02. May 2004 - Neon developers were contacted by email
04. May 2004 - Joe Orton has fixed the bug within neon and waits for the
public disclosure date
19. May 2004 - Coordinated Public Disclosure
Because Subversion and OpenOffice, which are the most important libneon
users, are not using the vulnerable function the issue is rated with a
medium severity. Nevertheless upgrading your neon version is recommended
because other applications could be vulnerable and could expose the
vulnerable function to the outside world.
The information has been provided by <mailto:firstname.lastname@example.org> Stefan
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.