Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
From: Renaud Deraison <deraison () cvs nessus org>
Date: Tue, 5 Jun 2001 22:21:47 +0200

On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:
**** 4.0.3 FIXES A BUFFER OVERFLOW PRESENT IN ALL VERSIONS OF 4.0 --
PLEASE UPGRADE IMMEDIATELY ***

We hope that this information is accurate. Version 4.0.2 is not on the ftp
server any more, and there is no patch from 4.0.2 to 4.0.3.
We currently feel handicapped in our efforts to check the code for the
changes wrt the buffer overflow.

The buffer overflow took place when a too long argument was supplied
to the USER command (and apparently to some other commands too).

Here's the gdb backtrace I did save when I investigated this issue
thanks to Gustavo Viscaino (see
http://www.nessus.com/bugs/nessus/fixed?id=385 if you are curious
about why I'm involved in this)

(note that the command was USER XXXXX[....]XXXXX\r\n)

Program received signal SIGSEGV, Segmentation fault.
strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., 
    src=0xbfffca54 'X' <repeats 200 times>...)
    at ../sysdeps/generic/strcpy.c:38
38      ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb) bt
#0  strcpy (dest=0xbfffca95 'X' <repeats 200 times>..., 
    src=0xbfffca54 'X' <repeats 200 times>...)
    at ../sysdeps/generic/strcpy.c:38
#1  0x805078c in pop_user (p=0xbfffca2c) at pop_user.c:198
#2  0x8050e58 in qpopper (argc=1482184792, argv=0x58585858) at
popper.c:321
#3  0x58585858 in ?? ()
Cannot access memory at address 0x58585858

Unfortunately, I did not get a copy of qpopper 4.0.2, so I can't really
show where the exact bug was.



If the above statement is right, then SuSE distributions are not
vulnerable. However, we wish to double-check such a claim. All kinds of

I really think it's not vulnerable. Qpopper 3.0.x is immune to this bug too.



                                -- Renaud


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault