Bugtraq mailing list archives
Re: Qpopper 4.0.3 **** Fixes Buffer Overflow **** (fwd)
From: "William D. Colburn (aka Schlake)" <wcolburn () nmt edu>
Date: Tue, 5 Jun 2001 13:51:50 -0600
Here is a patch (attached) to take 4.0.3 down to 4.0.2.

On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:
We hope that this information is accurate. Version 4.0.2 is not on the ftp server any more, and there is no patch from 4.0.2 to 4.0.3. We currently feel handicapped in our efforts to check the code for the changes wrt the buffer overflow.

SuSE ships qpopper versions 2.53 (with a set of patches that include security fixes for this version) for SuSE-6.3, 6.4 and 7.0, SuSE-7.1 and the upcoming SuSE-7.2 release have version 3.1.2. If the above statement is right, then SuSE distributions are not vulnerable. However, we wish to double-check such a claim. All kinds of verification and transparency are welcome, including an official statement from Qualcomm (thanks in advance!).

Changes from 4.0.2 to 4.0.3:
----------------------------
1. Don't call SSL_shutdown unless we tried to negotiate an SSL session. (As suggested by Kenneth Porter.)
2. Fix buffer overflow (reported by Gustavo Viscaino).

Thank you,
Roman Drahtmüller,
SuSE Security.
--
Roman Drahtmüller <draht () suse de> // "Caution: Cape does
SuSE GmbH - Security Phone: // not enable user to fly."
Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn

Attachment: qpopper.patch
