From: [email protected]

Package: tin
Version: 1:1.7.5-1
Severity: normal

Hi!

tin quits when I select at.internet.provider on our newsserver here,
with this ending part in the strace:

#v+
15513 open("/proc/meminfo", O_RDONLY) = 5
15513 fstat64(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
15513 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40024000
15513 read(5, " total: used: free: shared: buffers: cached:\nMem: 4141010944 3900256256 240754688 "..., 4096) = 530
15513 close(5) = 0
15513 munmap(0x40024000, 4096) = 0
15513 poll([{fd=0, events=POLLIN}], 1, 0) = 0
15513 poll([{fd=0, events=POLLIN}], 1, 0) = 0
15513 write(1, "\rArtnum : 49283Subject: Kein Mailversand \374ber Chello From : m\366glichrtin: asser\10t\10\33[1@r", 88) = 88
15513 write(1, "\33[?25h", 6) = 6
15513 write(1, "\33[24;1H\33[2J\33[?47l\0338\r\33>", 22) = 22
15513 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
15513 ioctl(1, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
15513 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
15513 munmap(0x40020000, 4096) = 0
15513 exit_group(1) = ?
#v-

I see the progress counter at the bottom reach almost 100% before it
does it, I guess it finished reading the overview.

The newsserver is running NewsCache 1.1.92, all other groups (no matter
if they are bigger or smaller) do work. The same group on other servers
work too.

Any idea? gdb tells "Program exited with code 01", bt doesn't yield
anything: No stack.

If you tell me how I can give you further informations feel free to
ask.

So long,
Alfie

-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=de_AT@euro, LC_CTYPE=de_AT@euro

Versions of packages tin depends on:
ii debconf 1.4.30 Debian configuration management sy ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an ii libidn11 0.4.1-1 GNU libidn library, implementation ii libncursesw5 5.4-4 Shared libraries for terminal hand ii libpcre3 4.5-1.1 Perl 5 Compatible Regular Expressi

-- debconf information:
* shared/news/server: news.sil.at

--
SILVER SERVER \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\ \\ \ [email protected] www.sil.at +43(1)4933256-210 -- t_sysadmin
keep your backbone tidy


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

On Fri, Aug 13, 2004 at 02:15:53PM +0200, Gerfried Fuchs wrote:

tin quits when I select at.internet.provider on our newsserver here,
with this ending part in the strace:

#v+
15513 open("/proc/meminfo", O_RDONLY) = 5
15513 fstat64(5, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
15513 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40024000
15513 read(5, " total: used: free: shared: buffers: cached:\nMem: 4141010944 3900256256 240754688 "..., 4096) = 530
15513 close(5) = 0
15513 munmap(0x40024000, 4096) = 0
15513 poll([{fd=0, events=POLLIN}], 1, 0) = 0
15513 poll([{fd=0, events=POLLIN}], 1, 0) = 0
15513 write(1, "\rArtnum : 49283Subject: Kein Mailversand \374ber Chello From : m\366glichrtin: asser\10t\10\33[1@r", 88) = 88

this line looks like a broken overview entry (and tin exiting as it
violates a assertion)

15513 write(1, "\33[?25h", 6) = 6
15513 write(1, "\33[24;1H\33[2J\33[?47l\0338\r\33>", 22) = 22
15513 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
15513 ioctl(1, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig icanon echo ...}) = 0
15513 ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
15513 munmap(0x40020000, 4096) = 0
15513 exit_group(1) = ?
#v-

I see the progress counter at the bottom reach almost 100% before it
does it, I guess it finished reading the overview.

The newsserver is running NewsCache 1.1.92, all other groups (no matter
if they are bigger or smaller) do work. The same group on other servers
work too.

Any idea? gdb tells "Program exited with code 01", bt doesn't yield anything: No stack.

recompile tin with debuging information enabeled (CFLAGS="-g") and
start tin from inside gdb? and/or manually look at the overviewdata
returned from the server, e.g.
script
telnet news 119
mode reader
group at.internet.provider
xover -
quit
exit
less typescript

urs
--
"Only whimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)" - Linus


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

* Urs Jan�en <[email protected]> [2004-08-13 15:13]:

On Fri, Aug 13, 2004 at 02:15:53PM +0200, Gerfried Fuchs wrote:

15513 write(1, "\rArtnum : 49283Subject: Kein Mailversand \374ber Chello From : m\366glichrtin: asser\10t\10\33[1@r", 88) = 88

this line looks like a broken overview entry (and tin exiting as it
violates a assertion)

Interesting.

15513 exit_group(1) = ?

The thing is, is exit_group(1) the right thing to do for tin here? And
why does this quit the whole process?

recompile tin with debuging information enabeled (CFLAGS="-g") and
start tin from inside gdb? and/or manually look at the overviewdata
returned from the server, e.g.
script
telnet news 119
mode reader
group at.internet.provider
xover -
quit
exit
less typescript

That helped. The line looks like following:

#v+
49283 Re: Kein Mailversand �ber Chello m�glich Jens Hoerburger <jens@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com> Fri, 16 Jul 2004 08:58:40 +0200 <[email protected]> <1ggzkqk.803p8e1x4v8zcN%wzalo@cesmail.

<[email protected]> 1286 12 Xref: paperboy.Austria.EU.net at.internet.provider:49283

#v-

I noticed that there is a tabstop in the subject part, and tabstops
seem to be field seperators. Still, I think tin should handle that more pleasingly and not quit completely.

Thanks for he help.
Alfie
--
Each SPAMmer should be sued to recycle every single bit of nettraffic he caused.
-- me, 2001-10-09

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBIKSoMU96lewVKUIRAsEeAJ92zErOpSYxRtp/xU7IGJxUjEYhQwCglN0O OU3o4vuyO6WJcLPVvXQPX84=
=sR4o
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

On Mon, Aug 16, 2004 at 02:12:25PM +0200, Gerfried Fuchs wrote:

* Urs Jan�en <[email protected]> [2004-08-13 15:13]:

On Fri, Aug 13, 2004 at 02:15:53PM +0200, Gerfried Fuchs wrote:

15513 write(1, "\rArtnum : 49283Subject: Kein Mailversand \374ber Chello From : m\366glichrtin: asser\10t\10\33[1@r", 88) = 88

this line looks like a broken overview entry (and tin exiting as it violates a assertion)

Interesting.

15513 exit_group(1) = ?

The thing is, is exit_group(1) the right thing to do for tin here? And
why does this quit the whole process?

recompile tin with debuging information enabeled (CFLAGS="-g") and
start tin from inside gdb? and/or manually look at the overviewdata returned from the server, e.g.
script
telnet news 119
mode reader
group at.internet.provider
xover -
quit
exit
less typescript

That helped. The line looks like following:
#v+
49283 Re: Kein Mailversand �ber Chello m�glich Jens Hoerburger <jens@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com> Fri, 16 Jul 2004 08:58:40 +0200 <[email protected]> <1ggzkqk.803p8e1x4v8zcN%wzalo@

cesmail.net> <[email protected]> 1286 12 Xref: paperboy.Austria.EU.net at.internet.provider:49283

#v-
I noticed that there is a tabstop in the subject part, and tabstops
seem to be field seperators.

right, tabs must be converted to spaces in the overview as tab is
used as fieldseperator. whith raw tabs in a field readersoftware
might get confused as it assings the following data to the next field.
not replacing tabs with spaces in the overview-data is a serious defect in
the server software.
in this case part of the subject is assigned to the from-field, the
from-data is assigned to the date-field, the date-data is assigned to the message-id-filed...
[the next is just a guess without looking at the code]

illegal-message-id -> unable to thread -> 'clean' exit as we hit

an assetrion in the threading code.

Still, I think tin should handle that more pleasingly and not quit completely.

I'm not a fan of having assertions in the code instead of trying to
catch the 'error' and do something usefull but in some cases it's
very hard to do something usefull (esp. if one hits malformed data).

urs
--
"Only whimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)" - Linus


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

* Urs Jan�en <[email protected]> [2004-08-16 14:42]:

On Mon, Aug 16, 2004 at 02:12:25PM +0200, Gerfried Fuchs wrote:

#v+
49283 Re: Kein Mailversand �ber Chello m�glich Jens Hoerburger <jens@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijk.com> Fri, 16 Jul 2004 08:58:40 +0200 <[email protected]> <1ggzkqk.803p8e1x4v8zcN%wzalo@

cesmail.net> <[email protected]> 1286 12 Xref: paperboy.Austria.EU.net at.internet.provider:49283

#v-
I noticed that there is a tabstop in the subject part, and tabstops
seem to be field seperators.

right, tabs must be converted to spaces in the overview as tab is
used as fieldseperator. whith raw tabs in a field readersoftware
might get confused as it assings the following data to the next field.
not replacing tabs with spaces in the overview-data is a serious defect in the server software.

Well, but the software should stick to the Robustness Principle:
"be conservative in what you do, be liberal in what you accept from
others."

in this case part of the subject is assigned to the from-field, the
from-data is assigned to the date-field, the date-data is assigned to the message-id-filed...

Then this very line should be skipped. The most sensible thing to do,
and display the others.

Still, I think tin should handle that more pleasingly and not quit
completely.

I'm not a fan of having assertions in the code instead of trying to
catch the 'error' and do something usefull but in some cases it's
very hard to do something usefull (esp. if one hits malformed data).

Then we are faced with a DoS attack posibility here, a quite clean one.

The thing is: My collegue who informed be about this has the same tin
version running on other machines which work. It is just linked against different things, so we guess it is not a tin problem itself why this
happens. Might it have to be with libncurses5 vs. libncursesw5 (normal
vs. wide)? Just a thought, it might be in some other libraries, too.

This problem is a serious thing, and I would thing having a DoS in the
code (whichever code it might be) should even make this a release
critical bug. I guess I'll talk to the release team what to do with this
nasty annoyance.

So long,
Alfie
--
The trouble with you
Is the trouble with me.
Got two good eyes
But we still don't see. -- Robert Hunter, "Workingman's Dead"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBILiTMU96lewVKUIRAsk7AJ9JZ2/Y7y2pM2i43abTYrMVCVAZ2wCaAsz4 dDRv6zM2h1VagsCKjWYQpFE=
=vpTs
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

On Mon, Aug 16, 2004 at 03:37:23PM +0200, Gerfried Fuchs wrote:

in this case part of the subject is assigned to the from-field, the from-data is assigned to the date-field, the date-data is assigned to the message-id-filed...

Then this very line should be skipped. The most sensible thing to do,
and display the others.

you can't easily recognice if the line is defect and even if you can
you can't say where.

I'm not a fan of having assertions in the code instead of trying to
catch the 'error' and do something usefull but in some cases it's
very hard to do something usefull (esp. if one hits malformed data).

Then we are faced with a DoS attack posibility here, a quite clean one.

only on broken servers -> the defect is on the servers side (which
has to replace all tabs by spaces in the overview data).

The thing is: My collegue who informed be about this has the same tin version running on other machines which work. It is just linked against different things, so we guess it is not a tin problem itself why this happens. Might it have to be with libncurses5 vs. libncursesw5 (normal
vs. wide)? Just a thought, it might be in some other libraries, too.

it is a server problem, not a client one. I guess you collegue uses
a different newsserver on the other machine.

This problem is a serious thing,

in the servers code

and I would thing having a DoS in the code (whichever code it might
be) should even make this a release critical bug.

blame the NewsCache 1.1.92 guys

urs
--
"Only whimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)" - Linus


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

* Urs Jan�en <[email protected]> [2004-08-16 16:18]:

On Mon, Aug 16, 2004 at 03:37:23PM +0200, Gerfried Fuchs wrote:

Then this very line should be skipped. The most sensible thing to do,
and display the others.

you can't easily recognice if the line is defect and even if you can
you can't say where.

Try until the next \r\n, that would be IMHO sensible.

Then we are faced with a DoS attack posibility here, a quite clean one.

only on broken servers -> the defect is on the servers side (which
has to replace all tabs by spaces in the overview data).

That's a stupid defense of a bug in the client that doesn't use the
Robustness Principle. What like apache bug affects mozilla? Truly
mozilla will be patched to not croak when being displayed a b0rked
webpage. The same should be done for tin.

The thing is: My collegue who informed be about this has the same tin
version running on other machines which work. It is just linked against
different things, so we guess it is not a tin problem itself why this
happens. Might it have to be with libncurses5 vs. libncursesw5 (normal
vs. wide)? Just a thought, it might be in some other libraries, too.

it is a server problem, not a client one. I guess you collegue uses
a different newsserver on the other machine.

No, the same newsserver was involved. Pretty please don't try to push
the bug where it doesn't belong.

This problem is a serious thing,

in the servers code

And in the client code. A client that dies because the server sends
some data it doesn't like but can do other sensible things (like not
entering that group, but still allowing to browse other groups) is a
serious thing.

and I would thing having a DoS in the code (whichever code it might
be) should even make this a release critical bug.

blame the NewsCache 1.1.92 guys

I'll do, for sure. But still, tin must not quit.

So long,
Alfie
--
"Kaum wird das Wetter schlechter und die Tage k�rzer, fallen die
Newbies �ber das Netz her wie die Bl�tter von den B�umen."
(Ulf Schaefer in de.talk.jokes)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBIMgVMU96lewVKUIRAiWuAJ9Hl3CCaunjEO2tBDeb6EDCCAONygCfYL7V z6s4rSzcid+OwKECElgNZv0=
=t9da
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

From: [email protected]

On Mon, Aug 16, 2004 at 04:43:33PM +0200, Gerfried Fuchs wrote:

Then we are faced with a DoS attack posibility here, a quite clean one.

only on broken servers -> the defect is on the servers side (which
has to replace all tabs by spaces in the overview data).

That's a stupid defense of a bug in the client that doesn't use the Robustness Principle. What like apache bug affects mozilla? Truly
mozilla will be patched to not croak when being displayed a b0rked
webpage. The same should be done for tin.

if you think it should be fixed on the client[s] side[s] then feel free to
send in patch[es].


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)