Vulnerability Development mailing list archives

Re: procmail


From: Timo Sirainen <tss () iki fi>
Date: Sun, 12 Oct 2003 20:16:40 +0300

On Sun, 2003-10-12 at 01:41, aaa aaa wrote:
> Here is a simple advisory
>
>  if(rename(name,buf2))                    /* try and move it out of the way */
>   { syslog(LOG_ALERT,renfbogus,name,buf2);              /* danger!  danger! */
>     return 1;
>   }
>  syslog(LOG_CRIT,renbogus,name,buf2);
>  return 0;
>
> And we probably don't have control with buf ;( but we have in theory all control
> to do format string bug with use function rnmbogus(). Maybe it is a bug?

No. The format parameters are renfbogus and renbogus, not name. They are
both static strings. No bugs there.

> Btw. Procmail has really FUCKED UP source ;(

Yea, it really is. Once it took me half an hour just to figure out the code
execution path to a certain location of the code.
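
Added example, not part of the original post and not procmail's code: it shows why a file name passed as an argument to a constant format string is copied verbatim, even when it contains conversion directives. The message text in renbogus_demo, the helper names and the sample file name are constructed for illustration; the real contents of renbogus are not shown in the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a static message such as renbogus. */
static const char renbogus_demo[] = "Renamed bogus \"%s\" into \"%s\"";

/* Stand-in for syslog(): formats into a buffer so the result can be
   inspected. The format attribute lets GCC/Clang check every call site
   (build with -Wformat -Wformat-security). */
__attribute__((format(printf, 3, 4)))
static int log_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern from the quoted code: the format is a constant; name and buf2
   are only arguments, so their bytes are copied, never interpreted. */
int log_rename(char *out, size_t outlen, const char *name, const char *buf2)
{
    return log_to_buf(out, outlen, renbogus_demo, name, buf2);
}

/* What WOULD be a format string bug (shown, never called):
       log_to_buf(out, outlen, name);      flagged by -Wformat-security */

/* Count the directives printf would act on if s were used as a format. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char out[128];
    const char *name = "msg.%x%x%n";          /* constructed file name */
    log_rename(out, sizeof out, name, "BOGUS.abc");
    printf("%s\n(directives if misused as format: %d)\n",
           out, count_directives(name));
    return 0;
}
```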


