[12801] in bugtraq


Re: serious Qpopper 3.0 vulnerability

daemon@ATHENA.MIT.EDU (Elgin Lee)
Wed Dec 1 15:06:39 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991130122814.B10943@funghi.com>
Date:         Tue, 30 Nov 1999 12:28:15 -0800
Reply-To: Elgin Lee <ehl@FUNGHI.COM>
From: Elgin Lee <ehl@FUNGHI.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <951562918980675154585@lists.pensive.org>; from
              mixter@NEWYORKOFFICE.COM on Tue, Nov 30, 1999 at 01:53:11AM +0100

I believe that the sample quick fix has a bug/typo.  The intent (I think) is
to use snprintf() and vsnprintf(), but the patch changes the sprintf's
to snprintf calling conventions (length bound as second argument) while
keeping the name as sprintf.  That presumably has awful results as
sprintf treats MAXLINELEN - 100 as a format string.

By the way, Nessus 0.91.1 identifies the vulnerability.  I ran into
this problem late last Friday and alerted the qpopper maintainers.

--Elgin

On Tue, Nov 30, 1999 at 01:53:11AM +0100, Mixter wrote:
> # apply this in the qpopper3.0b20/popper/ directory with patch < qp3b20.patch
> --- pop_msg.c.old	Mon Nov 29 23:42:03 1999
> +++ pop_msg.c	Mon Nov 29 23:52:08 1999
> @@ -65,7 +65,7 @@
>      /*  Append the message (formatted, if necessary) */
>      if (format) {
>  #ifdef HAVE_VPRINTF
> -        vsprintf(mp,format,ap);
> +        vsnprintf(mp,MAXLINELEN - 100, format,ap);
>  #else
>  # ifdef PYRAMID
>  	arg1 = va_arg(ap, char *);
> @@ -74,9 +74,9 @@
>  	arg4 = va_arg(ap, char *);
>  	arg5 = va_arg(ap, char *);
>  	arg6 = va_arg(ap, char *);
> -        (void)sprintf(mp,format, arg1, arg2, arg3, arg4, arg5, arg6);
> +        (void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6);
>  # else
> -        (void)sprintf(mp,format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
> +        (void)sprintf(mp,MAXLINELEN - 100, format,((int *)ap)[0],((int *)ap)[1],((int *)ap)[2],
>  		      ((int *)ap)[3],((int *)ap)[4]);
>  # endif
>  #endif
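Review bot: both replaced calls in this hunk keep the name `sprintf` while taking snprintf's argument order, so `MAXLINELEN - 100` (an int) is passed where the format string belongs and `format` becomes the first variadic argument; that is undefined behaviour and will crash or corrupt memory instead of bounding the write. Change `(void)sprintf(mp,MAXLINELEN - 100, format, arg1, arg2, arg3, arg4, arg5, arg6);` and the `# else` branch to `snprintf(mp, MAXLINELEN - 100, format, ...)`, and give them the same remaining-space bound and return-value check the vsnprintf branch should have.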

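The defect Elgin describes, in working C as an added example that is not part of the original post or of qpopper's code: an unbounded vsprintf into a fixed reply line, beside a bounded version that derives its limit from the space remaining in the buffer and reports truncation instead of hiding it. The value of MAXLINELEN, the "+OK "/"-ERR " prefixes, the function names and the sample messages are assumptions made for the example, not qpopper's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of one POP3 reply line; qpopper's real MAXLINELEN is not
 * shown on the page, so this is a stand-in for the example. */
#define MAXLINELEN 1024

/* Shape of the original bug: the status prefix is copied in, then the
 * caller-supplied message is formatted after it with no bound at all.
 * Kept for comparison only; it is never called here with long input. */
static int pop_msg_unbounded(char *line, int is_error, const char *format, ...)
{
    char *mp = line;
    va_list ap;

    strcpy(mp, is_error ? "-ERR " : "+OK ");
    mp += strlen(mp);
    va_start(ap, format);
    vsprintf(mp, format, ap);       /* writes past line[] if the message is too long */
    va_end(ap);
    return (int)strlen(line);
}

/* Hardened form. `line` must have room for MAXLINELEN bytes. Returns the
 * length of the finished line (excluding the NUL), or -1 when the message
 * did not fit and was truncated, so the caller can log or reject it rather
 * than send a silently cut reply. */
static int pop_msg_bounded(char *line, int is_error, const char *format, ...)
{
    const char *prefix = is_error ? "-ERR " : "+OK ";
    size_t used = strlen(prefix);
    /* Bound derived from the buffer and what is already in it, not a fixed
     * slack such as MAXLINELEN - 100; `room` includes the byte for the NUL. */
    size_t room = MAXLINELEN - used;
    va_list ap;
    int n;

    memcpy(line, prefix, used + 1);
    va_start(ap, format);
    n = vsnprintf(line + used, room, format, ap);
    va_end(ap);

    if (n < 0) {
        /* Pre-C99 libcs return -1 on truncation or error and may leave the
         * buffer unterminated: keep only the prefix and report failure. */
        line[used] = '\0';
        return -1;
    }
    if ((size_t)n >= room) {
        /* C99: n is the length the message would have had; the buffer now
         * holds the first room-1 bytes plus a NUL. Report the truncation. */
        return -1;
    }
    return (int)(used + (size_t)n);
}

/* Worked checks over constructed input (not data from the original post). */
int check_short_message(void)
{
    char line[MAXLINELEN];
    int n = pop_msg_bounded(line, 1, "no such message %d", 7);
    return n == 22 && strcmp(line, "-ERR no such message 7") == 0;
}

int check_long_message(void)
{
    char big[4 * MAXLINELEN];   /* a message several times larger than the line */
    char line[MAXLINELEN];
    int n;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = pop_msg_bounded(line, 0, "%s", big);
    /* Truncated, still NUL-terminated, and still carrying the status prefix. */
    return n == -1 && strlen(line) == MAXLINELEN - 1 && strncmp(line, "+OK ", 4) == 0;
}

int main(void)
{
    char line[MAXLINELEN];

    pop_msg_unbounded(line, 0, "%d messages (%d octets)", 3, 1234);   /* short input only */
    printf("%s\n", line);
    printf("short ok: %d, long truncated: %d\n", check_short_message(), check_long_message());
    return 0;
}
```

The bounded version handles both snprintf conventions a 1999 build could meet: the C99 return of the would-be length (truncation shows as `n >= room`) and the older -1 return, which may leave the buffer unterminated. Either way the caller learns the reply was cut rather than discovering it from a client that received a malformed line.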