Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: QPopper 4.0.x buffer overflow vulnerability
From: Florian Heinz <heinz () cronon-ag de>
Date: Wed, 12 Mar 2003 05:05:41 +0100

On Tue, Mar 11, 2003 at 07:05:51PM -0800, Randall Gellens wrote:
The first I heard of the problem was this morning.  Was any notice 
sent to qpopper-bugs () qualcomm com or qpopper-patches () qualcomm com in 
advance of the posting here?  If so, please let me know the details 
so I can see what happened to the message.  If not, I'd like to know 
why.

The cause for this bug is already identified and the fix is really
simple, I didn't see a reason to delay the post. It wasn't my intention
to cause you trouble, if I did so, I'm sorry. I had bad experience
informing vendors in the past, so I skipped that in this case.
For example, some time ago I reported the (non-exploitable) bug in
pop_msg.c, line 254f.:
free(local_element.mdef_macro); /* From strdup */
return pop_msg(p, POP_SUCCESS, HERE, "Macro \"%s\" accepted",
               local_element.mdef_macro);
and I didn't get a reply. Perhaps you want to fix this flaw too, in fc2.

regards,

Florian Heinz


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault