Home page logo

bugtraq logo Bugtraq mailing list archives

Re: QPopper 4.0.x buffer overflow vulnerability
From: Harald Hellmuth <hh () hostserver de>
Date: Thu, 13 Mar 2003 08:12:47 +0100

On Tue, 11 Mar 2003 19:05:51 -0800
Randall Gellens <rg_public.1 () flagg qualcomm com> wrote:

The first I heard of the problem was this morning.  Was any notice 
sent to qpopper-bugs () qualcomm com or qpopper-patches () qualcomm com in 
advance of the posting here?  If so, please let me know the details 
so I can see what happened to the message.  If not, I'd like to know 

A fixed Qpopper (version 4.0.5fc2) is available now at 
<ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>.  I plan on 
releasing 4.0.5 final tomorrow unless I hear of any problems with 

Randall Gellens
rg_public.1 () flagg qualcomm com
Opinions are personal;     facts are suspect;     I speak for myself only


Yesterday(2003-03-12) I've sent the following email to qpopper-bugs () qualcomm com:

------------------------------ snip ---------------------------------------
Dear Sir or Madam,

Florian Heinz posted an exploit to gain shell access through qpopper. 
See http://nstx.dereference.de/snippets/qex.c.
The reason is an unterminated bufferstring in Qvsnprintf.

I looked at version 4.05fc2 and there is a change, but i think that
change  isn't correct.

/* From File common/snprintf.c */
if ( nSize == 0 && *p != '\0' )
        *s = '\0';
        return -1;
        return ( (n-1) - nSize );

/* when string that should be written to the buffer fits exactly,
 * than there will  no Zero-Byte be written to buffer, cause the for
 * loop terminates when nSize is 0 and the terminating '\0' of p is not
 * copied to buffer ;-(

Ithink, it should be written as :

if ( nSize || *p=='\0') 
        *s++ = *p;
        return ( (n-1) - nSize );
       *s++ = '\0';
       return -1;

Please excuse my bad english.


Harald Hellmuth
------------------------------ snap ---------------------------------------

with best regards


Harald Hellmuth
E-Mail: hh () hostserver de

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]