SourceForge.net | 2 Jan 2006 00:26

[ clisp-Bugs-1389060 ] 1d23 output bug

Bugs item #1389060, was opened at 2005-12-23 13:17
Message generated for change (Comment added) made by sds
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=101355&aid=1389060&group_id=1355

Category: clisp
Group: lisp error
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: Sam Steingold (sds)
Assigned to: Sam Steingold (sds)
>Summary: 1d23 output bug

Initial Comment:
(multiple-value-list (integer-decode-float 1d23))
 ==> (5960464477539062 24 1)
should be: 
 ==> (5960464477539063 24 1)

(prin1-to-string 1d23)
 ==> "9.999999999999999E22"
should be:
 ==> "1.0E23"

----------------------------------------------------------------------


clisp-cvs-request | 2 Jan 2006 05:09

clisp-cvs digest, Vol 1 #1382 - 12 msgs

Send clisp-cvs mailing list submissions to
	clisp-cvs <at> lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/clisp-cvs
or, via email, send a message with subject or body 'help' to
	clisp-cvs-request <at> lists.sourceforge.net

You can reach the person managing the list at
	clisp-cvs-admin <at> lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of clisp-cvs digest..."

CLISP CVS commits for today

Today's Topics:

   1. clisp/src ChangeLog,1.5196,1.5197 (Sam Steingold)
   2. clisp configure,1.94,1.95 (Sam Steingold)
   3. clisp/modules/postgresql postgresql.xml,1.7,1.8 (Sam Steingold)
   4. clisp/doc impext.xml,1.439,1.440 (Sam Steingold)
   5. clisp/src time.d,1.50,1.51 ChangeLog,1.5197,1.5198 (Sam Steingold)
   6. clisp/tests time.tst,1.4,1.5 ChangeLog,1.447,1.448 (Sam Steingold)
   7. clisp/src format.lisp,1.46,1.47 floatprint.lisp,1.5,1.6 ChangeLog,1.5198,1.5199 (Sam Steingold)
   8. clisp/tests number2.tst,1.30,1.31 ChangeLog,1.448,1.449 (Sam Steingold)
   9. clisp/src spvw.d,1.373,1.374 (Sam Steingold)
  10. clisp COPYRIGHT,1.15,1.16 (Sam Steingold)
  11. clisp/doc impnotes.xml.in,1.87,1.88 clisp.xml.in,1.58,1.59 (Sam Steingold)
  12. clisp/src subr.d,1.215,1.216 spvw.d,1.374,1.375 pathname.d,1.389,1.390 misc.d,1.81,1.82

clisp-cvs-request | 2 Jan 2006 18:11

clisp-cvs digest, Vol 1 #1384 - 3 msgs

CLISP CVS commits for today

Today's Topics:

   1. clisp/src version.h,1.41,1.42 (Sam Steingold)
   2. clisp/win32msvc makefile.msvc7,1.22,1.23 makefile.msvc6d,1.12,1.13 makefile.msvc6,1.12,1.13 makefile.msvc5d,1.22,1.23 makefile.msvc5,1.58,1.59 makefile.msvc4,1.56,1.57 (Sam Steingold)
   3. clisp/src/po ru.po,1.21,1.22 ru.gmo,1.15,1.16 nl.po,1.19,1.20 nl.gmo,1.15,1.16 fr.po,1.20,1.21 fr.gmo,1.15,1.16 es.po,1.19,1.20 es.gmo,1.15,1.16 en.po,1.16,1.17 en.gmo,1.15,1.16 de.po,1.27,1.28 de.gmo,1.15,1.16 da.po,1.3,1.4 da.gmo,1.3,1.4 clisplow_ru.po,1.16,1.17 clisplow_ru.gmo,1.15,1.16 clisplow_nl.po,1.15,1.16 clisplow_nl.gmo,1.15,1.16 clisplow_fr.po,1.15,1.16 clisplow_fr.gmo,1.15,1.16 clisplow_es.po,1.15,1.16 clisplow_es.gmo,1.15,1.16 clisplow_en.po,1.15,1.16 clisplow_en.gmo,1.15,1.16 clisplow_de.po,1.15,1.16 clisplow_de.gmo,1.15,1.16 clisplow_da.po,1.3,1.4 clisplow_da.gmo,1.3,1.4 clisplow.pot,1.15,1.16 clisp.pot,1.15,1.16 (Sam Steingold)

--__--__--

Message: 1
From: Sam Steingold <sds <at> users.sourceforge.net>
To: clisp-cvs <at> lists.sourceforge.net
Subject: clisp/src version.h,1.41,1.42
Date: Mon, 02 Jan 2006 17:09:41 +0000

clisp-cvs-request | 2 Jan 2006 18:10

clisp-cvs digest, Vol 1 #1383 - 7 msgs

CLISP CVS commits for today

Today's Topics:

   1. clisp/modules/postgresql postgresql.xml,1.8,1.9 (Sam Steingold)
   2. clisp/tests number2.tst,1.31,1.32 (Sam Steingold)
   3. clisp/src floatprint.lisp,1.6,1.7 ChangeLog,1.5200,1.5201 (Sam Steingold)
   4. clisp/src clhs.lisp,1.42,1.43 ChangeLog,1.5201,1.5202 (Sam Steingold)
   5. clisp version.sh,1.7,1.8 clisp.lsm,1.22,1.23 (Sam Steingold)
   6. clisp/src NEWS,1.300,1.301 HISTORY,1.17,1.18 ChangeLog,1.5202,1.5203 (Sam Steingold)
   7. clisp/doc impnotes.html,1.45,1.46 _clisp.html,1.16,1.17 _clisp.1,1.18,1.19 (Sam Steingold)

--__--__--

Message: 1

Hoehle, Joerg-Cyril | 2 Jan 2006 18:34

Re: clisp/modules/syscalls calls.c,1.162,1.163

Sam Steingold wrote:

>> Update of /cvsroot/clisp/clisp/modules/syscalls
>> Modified Files:
>> 	calls.c 
>> Log Message:
>> typical buffer overflow vulnerability: must use syslog("%s",string)
>you forgot about "%m".
>I reverted your patch and added comments,
>but I welcome a discussion.

To me it seems crazy to revert a security patch like the above.

Reverting trades a trivial to trigger buffer overflow crash against some obscure %m facility trivially
available via (linux:strerror linux:errno).

Reverting trades safe code against the only possible use as "Got error: %m", while "Got errno (%d): %m"
already breaks.  Are you willing to explain such subtleties to the user?  And I didn't even mention the
effect on people discovering why %-signs randomly disappear, which would be the most harmless effect.

The opportunity for DoS or stack overflow via syscalls:syslog made me wonder whether a CERT vulnerability
would be appropriate to issue, or whether the syscalls module is so obscure and hardly used that it would
not be worth a mention.
Such stack overflows are what many CERT vulnerabilities talk about.
It's solely lack of time on Dec. 23rd which caused me not to mention the security patch at least to clisp-users.

A CERT vulnerability notice has a lot of impact. It would oblige all distributors to generate and
distribute patches of clisp for all their supported versions. CLISP would get an entry in several
vulnerability databases (e.g. MITRE's NVD (formerly CVE)).  Whether that's good or bad publicity is not
the topic.

clisp-cvs-request | 2 Jan 2006 19:42

clisp-cvs digest, Vol 1 #1385 - 13 msgs

CLISP CVS commits for today

Today's Topics:

   1. clisp/src NEWS,1.301,1.302 (Sam Steingold)
   2. clisp/src ChangeLog,1.5203,1.5204 (Sam Steingold)
   3. clisp Makefile.devel,1.142,1.143 (Sam Steingold)
   4. clisp/modules/zlib configure.in,1.3,1.4 (Sam Steingold)
   5. clisp/modules/rawsock configure.in,1.22,1.23 (Sam Steingold)
   6. clisp/modules/pcre configure.in,1.6,1.7 (Sam Steingold)
   7. clisp/modules/pari configure.in,1.6,1.7 (Sam Steingold)
   8. clisp/modules/berkeley-db configure.in,1.9,1.10 (Sam Steingold)
   9. clisp/modules/i18n configure.in,1.6,1.7 (Sam Steingold)
  10. clisp/modules/dirkey configure.in,1.4,1.5 (Sam Steingold)
  11. clisp/src configure,1.154,1.155 (Sam Steingold)
  12. www summary.html,1.9,1.10 resources.html,1.15,1.16 index.php,1.43,1.44 .htaccess,1.1,1.2

Sam Steingold | 2 Jan 2006 20:09

Re: clisp/modules/syscalls calls.c,1.162,1.163

> * Hoehle, Joerg-Cyril <Wbret-Plevy.Ubruyr <at> g-flfgrzf.pbz> [2006-01-02 18:34:14 +0100]:
>
> Try (posix:syslog :err :mail "%s%s%s%s%s%s%s%s%s"), which crashed my
> Linux clisp.

there are many ways you can crash CLISP - e.g., by using %RECORD-STORE
to arbitrarily modify closures.

how is the syslog way more dangerous?

> Until now, I believe ffcall can't correctly interface to varargs
> functions.

this has nothing to do with ffcall.

> And you simply reverted such a patch?!?

chill out.  there is no reason to yell.  let's talk.

the only arguments for your patch I can think of are

- user expectations: special handling of % may be surprising

- %m is not needed because errno does not exist from the Lisp POV:
  all functions in POSIX signal errors instead of setting errno.
  OTOH, what if the user uses some foreign calls?
  then he should have errno available as a foreign thing as well.

-- 
Sam Steingold (http://www.podval.org/~sds) running w2k

Yaroslav Kavenchuk | 3 Jan 2006 10:24

environment variable LANG

clisp from CVS head, mingw

Before `./configure... --build...` I set LANG=ENGLISH (as described
in clisp.html), but the final messages look like this:

 25             should-symbol:    0 errors out of     44 tests
╨Ф╨╛ ╤Б╨▓╨╕╨┤╨░╨╜╨╕╤П! ╨Э╨╡
╨┐╨╛╨╝╨╕╨╜╨░╨╣╤В╨╡ ╨╗╨╕╤Е╨╛╨╝!

Why?

Thanks!

-- 
WBR, Yaroslav Kavenchuk.

Yaroslav Kavenchuk | 3 Jan 2006 10:36

build under WinXP

If clisp is built in WinXP with the option --with-module=bindings/win32, all
functions from the win32 module do not work in Win2k.

It is not critical (for me).
It is simply information.

Probably, binary distribution should be different for different Windows
versions.

Thanks!

-- 
WBR, Yaroslav Kavenchuk.

Hoehle, Joerg-Cyril | 3 Jan 2006 11:23

Re: clisp/modules/syscalls calls.c,1.162,1.163

Sam Steingold wrote:
>the only arguments for your patch I can think of are
[2 reasons]
And those are reason enough, don't you think?

>how is the syslog way more dangerous?
>- user expectations: special handling of % may be surprising
That's the answer already.
Application programmers may log user-given input, e.g. URLs.  Thus specially crafted URLs can cause the
application to crash.

That's a very typical software vulnerability.

Telling the application programmer that he needs
(loop for pos = (position #\% output-for-syslog)
                then (position #\% output-for-syslog :start (+ pos 2))
      while pos
      ; either that or turn % to %%:
      do (ecase (char output-for-syslog (1+ pos))
           ((#\% #\m) t)))
would be way stupid, given that there's no way to make use of %s etc. in the interface the module provides so far.
My %s patch provides a no-surprise and robust interface to the syslog facility. Please scan the CERT
vulnerabilities. You will find exactly this patch in other packages. That's, BTW, how I came to look into
the syscalls package.

>  OTOH, what if the user uses some foreign calls?
>  then he should have errno available as a foreign thing as well.
Already there in the linux module (you may wish to duplicate it in posix?).

So I think that the next urgent thing is to fix the security gap. Too bad that clisp-2.37 is out in the
meantime. It would have been a perfect match: the hypothetical CERT message would have said "fixed in
2.37, please upgrade".
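
Added example, not part of the thread and not CLISP's calls.c: a C sketch of the two options argued above, passing the message as data under a constant format (which can still carry %m), and the check-or-escape pass the caller would otherwise need. All function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <syslog.h>

/* Returns 1 if every '%' in msg begins "%%" or "%m", the two directives
 * that take no variadic argument; 0 for anything else (including a
 * trailing '%'), i.e. for text that is unsafe to use as a format. */
int fmt_is_argless(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        p++;                       /* look at the conversion character */
        if (*p != '%' && *p != 'm')
            return 0;              /* also hit when *p is the final NUL */
    }
    return 1;
}

/* Copies msg to out with every '%' doubled, so the result is inert as a
 * format string. Returns the new length, or -1 if out is too small. */
long fmt_escape(const char *msg, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *msg; msg++) {
        size_t need = (*msg == '%') ? 2 : 1;
        if (n + need >= outsz)
            return -1;             /* keep room for the terminator */
        if (*msg == '%')
            out[n++] = '%';
        out[n++] = *msg;
    }
    if (n >= outsz)
        return -1;
    out[n] = '\0';
    return (long)n;
}

/* Hypothetical wrappers. The vulnerable form is syslog(prio, untrusted). */
void log_data(int prio, const char *untrusted)
{
    syslog(prio, "%s", untrusted);         /* data is never the format */
}

void log_data_with_errno(int prio, const char *untrusted)
{
    syslog(prio, "%s: %m", untrusted);     /* %m stays in a constant format */
}
```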