CVE-2022-29536: Fix memory corruption in ephy_string_shorten() (!1106) · Merge requests · GNOME / Epiphany · GitLab
In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.
Merged. Requested to merge mcatanzaro/memory-corruption into master, Apr 15, 2022.
This reverts commit 232c6134.
I got my browser stuck in a crash loop today while visiting a website with a page title greater than ephy-embed.c’s MAX_TITLE_LENGTH, the only condition in which ephy_string_shorten() is ever used. Turns out this commit is wrong: an ellipsis is a multibyte character (three bytes in UTF-8) and so we’re writing past the end of the buffer when calling strcat() here. Oops.
Shame it took nearly four years to notice and correct this.
Edited Apr 15, 2022 by Michael Catanzaro
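The sizing mistake described in the merge request, illustrated with an added plain-C example (this is not Epiphany's code; `shorten_title` and its helpers are hypothetical names): the output buffer must reserve `strlen("…")` bytes, three in UTF-8, plus the terminator, not the one byte an ASCII character would need.

```c
/* Added example, not from the Epiphany source tree. Shortens a UTF-8 title to
 * at most target_length code points, ending in an ellipsis when truncated. */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

#define ELLIPSIS "\xE2\x80\xA6"   /* U+2026, three bytes in UTF-8 */

/* Byte offset of the first n code points of s (stops at the terminator).
 * UTF-8 continuation bytes have the form 10xxxxxx. */
static size_t utf8_offset_bytes(const char *s, size_t n)
{
    const unsigned char *u = (const unsigned char *)s;
    size_t i = 0, cps = 0;
    while (u[i] != '\0' && cps < n) {
        i++;                               /* lead byte */
        while ((u[i] & 0xC0) == 0x80)      /* continuation bytes */
            i++;
        cps++;
    }
    return i;
}

/* Number of code points in s. */
static size_t utf8_strlen(const char *s)
{
    const unsigned char *u = (const unsigned char *)s;
    size_t cps = 0;
    for (size_t i = 0; u[i] != '\0'; i++)
        if ((u[i] & 0xC0) != 0x80)
            cps++;
    return cps;
}

/* Returns a malloc'd string: a copy of str if it already fits, otherwise the
 * first target_length-1 code points followed by the ellipsis. NULL on OOM. */
char *shorten_title(const char *str, size_t target_length)
{
    assert(target_length > 0);
    size_t len = strlen(str);
    if (utf8_strlen(str) <= target_length) {
        char *copy = malloc(len + 1);
        return copy ? memcpy(copy, str, len + 1) : NULL;
    }
    size_t keep = utf8_offset_bytes(str, target_length - 1);
    /* keep bytes + three-byte ellipsis + NUL. Budgeting a single byte for the
     * ellipsis here is exactly the undersizing the merge request reverts. */
    char *out = malloc(keep + strlen(ELLIPSIS) + 1);
    if (!out)
        return NULL;
    memcpy(out, str, keep);
    memcpy(out + keep, ELLIPSIS, strlen(ELLIPSIS) + 1);   /* copies the NUL too */
    return out;
}
```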
Related news
Gentoo Linux Security Advisory 202405-27 - A vulnerability has been discovered in Epiphany, which can lead to a buffer overflow. Versions greater than or equal to 42.4 are affected.
Ubuntu Security Notice 5561-1 - It was discovered that GNOME Web incorrectly filtered certain strings. A remote attacker could use this issue to perform cross-site scripting attacks. This issue only affected Ubuntu 20.04 LTS. It was discovered that GNOME Web incorrectly handled certain long page titles. A remote attacker could use this issue to cause GNOME Web to crash, resulting in a denial of service, or possibly execute arbitrary code.