-------- Original Message --------
Subject: Security Alert; possible buffer overflow in all Mathopd versions
Date: Thu, 4 Dec 2003 22:33:26 +0100 (CET)
From: Michiel Boland <michiel_at_boland.org>
To: mathopd_at_mathopd.org
Hi.
During some testing, I came across a rather stupid and embarassing buffer
overflow in request.c in all Mathopd versions up to and including 1.5b13.
The problem is in the prepare_reply() function that allocates space for a
buffer on the stack that may be too small for whatever goes into it. This
can lead to crashes, or even system compromise. I am amazed that nobody
has spotted the problem before; obviously not many people are using this
software. :}
Anyway, I have patched things up now so that things should be ok.
Read the table below for any action that you must take if you run mathopd.
The table informs you, for each particular version, whether it is
vulnerable to remote exploits of this bug, and whether an upgrade exists,
and which one you should use.
Branch/Version Status
---------------------------------------------------------------------
1.2 and older Probably vulnerable, not supported
1.3 before pl8 Probably vulnerable, upgrade advised
1.3pl8 Patched, otherwise not supported (use 1.4p2 instead)
1.4 before p2 Definitely vulnerable, upgrade immediately to 1.4p2
1.4p2 Not vulnerable
BETA versions:
1.5 before b14 Vulnerable
1.5b14 Not vulnerable
---------------------------------------------------------------------
In short: all versions in the 1.3, 1.4 and current branch are fixed (at
least for this particular problem.) If you run 1.3 at this moment, you may
be all right, but it is probably wise to upgrade anyway. If you run 1.4
right now you are in trouble; please upgrade as soon as possible.
The patched versions are available for immediate download on the Mathopd
website.
Sorry about this. This has not been a good week.
Cheers
Michiel
Received on Dec 05 2003
Intro
