mailing list archives
ZRCSA-200505: libremail - "pop.c" Format String Vulnerability
From: deepfear () zone-h fr
Date: 16 Dec 2005 05:55:10 -0000
Zone-H Research Center Security Advisory 200505
Date of release: 16/12/2005
Software: libremail (http://libremail.tuxfamily.org/en/)
Affected versions: <= 1.1.0
Discovered by: Mehdi Oudad "deepfear" from the Zone-H Research Team
libremail is a set of command line mail tools, it includes several clients, and allows to filter mails.
from http://libremail.tuxfamily.org/en/trad.htm :
This web site is intended to present to you the whole part of applications of electronic mail I developed.
These softwares functions under GNU/Linux and should normaly run without any modification under the other UNIX systems.
On the other hand, I did not consider it useful (and a fortiori priority) to adapt these applications to make them run
also under Windows.
There is a format string vulnerability in pop.c:
void lire_pop ()
posbuf = 0;
// lecture jusqu'en fin de ligne ou de buffer
recv (sockfd, buf_lect + posbuf, 1, 0);
while (buf_lect [posbuf++] != '\n' && posbuf < sz_buflect);
// terminer la chaine de caractères lue (on supprime \r\n)
if (posbuf > 1 && buf_lect [posbuf - 2] == '\r')
buf_lect [posbuf - 2] = '\0';
buf_lect [posbuf - 1] = '\0';
It could be exploited by tricking a user into connecting to a malicious pop server, or by sending a malicious mail (if
the user reads it through a pop server), however it requires that debug mode is activated (not default setting).
The vendor has published updated sources:
They will also be included in an upcoming version (with other bugfixes and new features).
English version: Check Zone-H.org (off atm)
- ZRCSA-200505: libremail - "pop.c" Format String Vulnerability deepfear (Dec 16)