Home page logo

bugtraq logo Bugtraq mailing list archives

More about UW c-client library
From: Juhapekka Tolvanen <juhtolv () ST JYU FI>
Date: Sat, 2 Sep 2000 00:18:14 +0300

Here is more information about that bug.


It seems, that they will have some patch real soon:


Upon a quick glance, there indeed appears to be no checks at all
for buffer overflows. A buf of 8k is allocated into which the
From:, Status:, X-Status, and X-Keywords: headers are placed,
with simple

      sprintf (buf + strlen (buf),"...

commands. So having extremely long X-Keywords in mail messages
will screw things up. Double yuck.

This is in imap-4.7c/src/osdep/unix/unix.c BTW.

See the original message and the accompanying thread in debian-devel,
archive/latest/67244 , Message-ID <39AD820C.6AD0818C () axis com> from
Cristian Ionescu-Idbohrn <cii () axis com>

Ok, I've patched unix.c to use snprintf(3) instead of sprintf(3).  This
only the tip of the iceberg however.  There is a source code scanner
called its4 which checks for unsafe coding practices and I ran it on
imapd.  The report was about a mile long :(


Juhapekka "naula" Tolvanen * * * U of Jyväskylä * * juhtolv () st jyu fi
http://www.cc.jyu.fi/~juhtolv/index.html * "STRAIGHT BUT NOT NARROW!"
"so impressed with all you do. tried so hard to be like you. flew too
high and burnt the wing. lost my faith in everything" nine inch nails

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]