Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: serious Qpopper 3.0 vulnerability
From: ehl () FUNGHI COM (Elgin Lee)
Date: Tue, 30 Nov 1999 12:28:15 -0800


I believe that the sample quick fix has a bug/typo.  The intent (I think) is
to use snprintf() and vsnprintf(), but the patch changes the sprintf's
to snprintf calling conventions (length bound as second argument) while
keeping the name as sprintf.  That presumably has awful results as
sprintf treats MAXLINELEN - 100 as a format string.

By the way, Nessus 0.91.1 identifies the vulnerability.  I ran into
this problem late last Friday and alerted the qpopper maintainers.

--Elgin

On Tue, Nov 30, 1999 at 01:53:11AM +0100, Mixter wrote:
# apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch
--- pop_msg.c.old     Mon Nov 29 23:42:03 1999
+++ pop_msg.c Mon Nov 29 23:52:08 1999
@@ -65,7 +65,7 @@
     /*  Append the message (formatted, if necessary) */
     if (format) {
 #ifdef HAVE_VPRINTF
-        vsprintf(mp,format,ap);
+        vsnprintf(mp,MAXLINELEN - 100, format,ap);
 #else
 # ifdef PYRAMID
      arg1 = va_arg(ap, char *);
@@ -74,9 +74,9 @@
      arg4 = va_arg(ap, char *);
      arg5 = va_arg(ap, char *);
      arg6 = va_arg(ap, char *);
-        (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
+        (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6);
 # else
-        (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
+        (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
                    ((int *)ap)[3],((int *)ap)[4]);
 # endif
 #endif


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]